On 01/07/11 05:57, Francisco André Barbosa Neto wrote:
Hi all I'm new to the list and I decided to write here because I'm with a
big trouble!
I have installed an squid in bridge mode with tproxy support.
Everything is working ok, but I'm using in the same squid proxy squidguard
as an redirector.
The problem is when the client try to access an url that is blocked squid
can't receive the redirect header and page stay loading for a long time
until squid return an error telling that is impossible to access the site
http://<ip of my bridge interface>/negado.html
If I click on the link the page opens normally!!
Does anybody have any clue about this problem???
Yes. Think about what TPROXY does....
It makes outgoing requests from Squid have the IP of the remote client
which connected inwards.
When you "redirect" to http://192.168.10.61:90/negado.html with a 3xx
HTTP status the client makes a new request. Retrieving the URL directly
(port 90 not caught into Squid).
When you "rewrite" AKA send Squid a URL without HTTP status. Squid
will contact the new URLs server without informing the client.
The server at 192.168.10.61:90 sees a connection coming from the
client (faked by Squid) and sends its TCP SYNACK messages back to the
client. Squid never gets them. The client sees unexpected TCP packets
from a strange source and drops them for security reasons. Everything hangs.
Run SquidGuard on the command line and ensure it is producing 3xx status
on redirected URLs.
Amos
Below is my server information:
CentOS 5.6
Kernel 2.6.31-14 with all the Tproxy support enabled and ok!
Iptables 1.4.10 with iptables supporte
Libcap 2.19 installed
Squid 3.1.8 with Tproxy support ok!
Routes.sh script (called from /etc/rc.d/rc.local
#!/bin/sh
ip route flush table 100
ip rule del fwmark 1 lookup 100
ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -F
iptables -t mangle -X DIVERT
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark
0x1/0x1 --on-port 3129
##!/bin/sh
CLIENT_IFACE="eth0"
INET_IFACE="eth1"
ebtables -t broute -F
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp
--ip-dport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp
--ip-sport 80 -j redirect --redirect-target ACCEPT
cd /proc/sys/net/bridge/
for i in *
do
echo 0> $i
done
unset i
Changes in /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.netfilter.nf_conntrack_acct = 1
net.ipv4.conf.lo.rp_filter = 0
Squidguard.conf
dbhome /var/lib/squidguard
logdir /var/log/squidguard
src admin {
ip 192.168.10.96
}
dest negados {
domainlist negados
}
acl {
admin {
pass !negados all
redirect http://192.168.10.61:90/negado.html
}
default {
pass none
redirect http://192.168.10.61:90/negado.html
}
}
Apache is listening on port 90, I've already tried in port 80 without
success too
Squid.conf (relevant part only)
http_port 3128
http_port 3129 tproxy
tcp_outgoing_address 192.168.10.61
icp_port 3130
url_rewrite_program /usr/bin/squidguard -c /etc/squid/squidguard.conf
url_rewrite_children 5
acl manager proto cache_object
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.1
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 1025-65535 8083 88 90
acl CONNECT method CONNECT
#acl msn url_regex -i /gateway/gateway.dll
#acl autenticado proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#acl liberados src 192.168.0.71 192.168.0.99
acl our_networks src 192.168.10.0/24
#http_access allow liberados
#http_access deny msn
#http_access allow autenticado
http_access allow our_networks
http_access deny all
http_reply_access allow our_networks
icp_access allow all
miss_access allow all
Thanks!!
------------------------------------------------------
Francisco André Barbosa Neto
fneto@xxxxxxxxxxxxxxx<mailto:fneto@xxxxxxxxxxxxxxxxxxxxxx>
Get Smart IT Solutions
http://www.getsmart.com.br<http://www.getsmart.com.br/>
Fone: 55-11-4655-2232
------------------------------------------------------
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.9 and 3.1.12.3