RE: Squid + WCCP + TProxy


On Sun, 1 Nov 2009 17:02:52 -0500, "Roth, Joe" <jroth@xxxxxxxxxxxxxx>
wrote:
> Ahhhh... I will upgrade on Mon.
>  
> But will that also make a difference in the box itself seeing the
> connections coming in on 3129? i.e. when I do a "netstat -an | grep 3129",
> I see the box listening on 3129 but I do not see any connections on the
> port.

It makes a difference. The old TPROXYv2 used a kernel lookup similar to
the way NAT does to figure out what the client and destination IPs were
and use them. The new TPROXYv4 kernels send the IPs directly on the
accept()'d connection without being asked. The IPs arrive in reverse order
to usual (local 'me' == real client IP, and remote 'client' == real client
destination IP) and can cause unsuspecting software to go badly.

The new Squid has to configure a special kernel option to indicate it
can handle this type of warped IP operation safely before the kernel will
permit connections to arrive.

Amos

>  
> Thanks for the response!
>  
> --Joe
> 
> ________________________________
> 
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: Sun 11/1/2009 4:37 PM
> To: Roth, Joe
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: Re:  Squid + WCCP + TProxy
> 
> 
> 
> On Sun, 1 Nov 2009 08:09:52 -0500, "Roth, Joe" <jroth@xxxxxxxxxxxxxx>
> wrote:
>> I followed the guide here to set up squid to do transparent caching using
>> wccpv2, and it works quite well. So I took the next step to use tproxy.
>>
>> I followed this page to introduce tproxy into the mix:
>>
>> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
>>
>> The kernel is compiled with tproxy, as is iptables and squid 2.7Stable7.
>>
>> I have set up iptables, the ip rule and ip route according to the guide.
>>
>> I'm running Ubuntu with kernel 2.6.28, iptables 1.4.3, squid 2.7.Stable7.
>>
>> For some reason the traffic never makes it to port 3129. Do I need to
>> leave the iptables nat config for 3128 even though I am using tproxy? Am I
>> missing something here?
> 
> The native TPROXY that comes in kernel 2.6.28 is TPROXYv4.
> Support for that version of TPROXY is only in Squid-3.1 and later.
> 
> Amos
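
Added example, not part of the thread and not Squid's code: a minimal stand-in listener for port 3129 that requests transparent mode and prints the local and peer address of each accepted connection, which helps check whether redirected traffic reaches the box at all. It assumes the "special kernel option" in the reply above is Linux's IP_TRANSPARENT socket option; the function names are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: listener on 0.0.0.0:port that requests transparent mode.
 * *granted = 1 if the kernel accepted IP_TRANSPARENT (needs CAP_NET_ADMIN). */
int tproxy_listener(unsigned short port, int *granted)
{
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = {0};
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    *granted = setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) == 0;
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Accept one connection and report both endpoints as the accepted socket sees them. */
int accept_endpoints(int lfd, struct sockaddr_in *local, struct sockaddr_in *peer)
{
    socklen_t ll = sizeof *local, pl = sizeof *peer;
    int cfd = accept(lfd, (struct sockaddr *)peer, &pl);
    if (cfd >= 0 && getsockname(cfd, (struct sockaddr *)local, &ll) < 0) {
        close(cfd);
        return -1;
    }
    return cfd;
}

int main(void)
{
    struct sockaddr_in l, p;
    int ok, cfd, lfd = tproxy_listener(3129, &ok);
    if (lfd < 0) { perror("listener"); return 1; }
    printf("IP_TRANSPARENT %s\n", ok ? "granted" : "refused");
    while ((cfd = accept_endpoints(lfd, &l, &p)) >= 0) {
        printf("local %s:%u ", inet_ntoa(l.sin_addr), (unsigned)ntohs(l.sin_port));
        printf("peer %s:%u\n", inet_ntoa(p.sin_addr), (unsigned)ntohs(p.sin_port));
        close(cfd);
    }
    return 0;
}
```

Stop Squid before running it so port 3129 is free; if it prints nothing while clients browse, the iptables, ip rule or ip route setup is not delivering packets to the socket.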
