
Re: TPROXY Problem

Farhad Ibragimov wrote:
Hi squid guru

My server was configured following the instructions at
http://wiki.squid-cache.org/Features/Tproxy4
but it is not working. Please help me to resolve my problem

Squid version 3.1.0.13
iptables 1.4.3
2.6.30.5-second #1 SMP Sun Aug 23 03:36:29 AZST 2009 x86_64 x86_64 x86_64 GNU/Linu

my squid configuration
<snip defaults>
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow all

I hope that was only for testing. 'allow all' makes your squid a wide open proxy. TPROXY retains the correct concepts internally in Squid of which IP ranges are clients and which are destinations. 'allow localnet' should have been sufficient to let your clients out to the web with minimal restrictions.

http_port 3128
http_port 3129 tproxy
<snip defaults>

ACCESS LOGS
1250983412.365 132598 85.132.47.219 TCP_MISS/000 0 GET http://www.bbc.co.uk/russian/uk/2009/08/090822_uk_cars_scrappagescheme.shtml - DIRECT/www.bbc.co.uk -
1250983461.913 181020 85.132.47.219 TCP_MISS/504 4136 GET http://ru.fxfeeds.mozilla.com/ru/firefox/headlines.xml - DIRECT/63.245.209.93 text/html
1250983545.928  60793 85.132.47.219 TCP_MISS/503 0 CONNECT sb-ssl.google.com:443 - DIRECT/216.239.59.136 -
1250983596.266 110348 85.132.47.219 TCP_MISS/000 0 GET http://www.bbc.co.uk/russian/russia/2009/08/090822_russia_nationalflag_denisov.shtml - DIRECT/www.bbc.co.uk -
<snip>

Hmm, what those access lines show is that Squid is receiving a set of HTTP requests and passing them to some external web servers.

The ones saying MISS/000 to bbc etc are where Squid has sent the whole HTTP request outward to the server. But the TCP link is closed by the far end before anything comes back. The 5xx seems to be Squid timing out past its maximum allowed wait before anything comes back.

The two things to look at closely with TPROXY when this happens are:

1) the firewall rules. Both on the Squid box doing TPROXY and on any machines between Squid and the Internet.

2) the routing rules. How are these requests reaching Squid and what is happening to the passed-on request? Secondly, on routing, what happens to replies coming back from the web server to the client IP and why do they not arrive at Squid?


Also, are you sure libcap support was built into Squid and is also available on the box it's currently running on? Tproxy support will turn itself off inside Squid if libcap fails.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
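
Added example, not part of the original message or of Squid: a small triage script that applies the reading given in the reply (MISS/000 with zero bytes means the request went out and nothing came back; 5xx means Squid gave up) to the four access.log lines quoted in the thread. The function names, the labels and the final "check the return path" heuristic are assumptions made for this illustration.

```python
from collections import Counter

# The four access.log lines quoted in the thread (Squid native log format).
SAMPLE_LOG = """\
1250983412.365 132598 85.132.47.219 TCP_MISS/000 0 GET http://www.bbc.co.uk/russian/uk/2009/08/090822_uk_cars_scrappagescheme.shtml - DIRECT/www.bbc.co.uk -
1250983461.913 181020 85.132.47.219 TCP_MISS/504 4136 GET http://ru.fxfeeds.mozilla.com/ru/firefox/headlines.xml - DIRECT/63.245.209.93 text/html
1250983545.928  60793 85.132.47.219 TCP_MISS/503 0 CONNECT sb-ssl.google.com:443 - DIRECT/216.239.59.136 -
1250983596.266 110348 85.132.47.219 TCP_MISS/000 0 GET http://www.bbc.co.uk/russian/russia/2009/08/090822_russia_nationalflag_denisov.shtml - DIRECT/www.bbc.co.uk -
"""


def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3] or "/" not in f[8]:
        return None
    code, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)
    try:
        return {"elapsed_ms": int(f[1]), "client": f[2], "code": code,
                "status": int(status), "bytes": int(f[4]), "method": f[5],
                "url": f[6], "hier": hier, "peer": peer}
    except ValueError:
        return None


def classify(entry):
    """Label an entry using the reading given in the reply above."""
    if entry["status"] == 0 and entry["bytes"] == 0:
        return "no_reply"        # request sent out, link closed with nothing back
    if entry["status"] in (503, 504):
        return "upstream_error"  # Squid gave up and returned a 5xx itself
    return "ok"


def triage(text):
    """Count outcomes and report whether any fetch succeeded at all."""
    counts, failed_peers, direct = Counter(), set(), 0
    for line in filter(str.strip, text.splitlines()):
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        label = classify(entry)
        counts[label] += 1
        direct += entry["hier"] == "DIRECT"
        if label != "ok":
            failed_peers.add(entry["peer"])
    # Heuristic (assumption): DIRECT fetches seen but none succeeded, so
    # firewall and routing of the return traffic are the first things to check.
    all_failed = direct > 0 and counts["ok"] == 0
    return {"counts": dict(counts), "failed_peers": sorted(failed_peers),
            "check_return_path": all_failed}
```
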
