Hi All,

I have been configuring a new Squid server today. The original configuration (without TProxy) worked fine: DNAT from port 80 to 3128 at the Squid server.

The source server is where end-users establish a connection, the Squid server is (10.10.10.1) and the client in question is (10.10.10.100).

SOURCE SERVER:

iptables -t nat -N cache >/dev/null 2>&1
iptables -t nat -F cache
iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128
iptables -t nat -N cache_users >/dev/null 2>&1
iptables -t nat -F cache_users
iptables -t nat -A PREROUTING -j cache_users
iptables -t nat -A cache_users -s 10.10.10.100 -j cache
iptables -t nat -L cache -nvx

Now I wanted to use TProxy (so that the client address is shown rather than the Squid server IP). I made the following changes:

SQUID SERVER

Debian Squeeze 2.6.32-5-xen-amd64 + squid-2.7.STABLE9 + squid-2.7s9-tproxy-4.patch

./configure --prefix=/usr --localstatedir=/var --libexecdir=${prefix}/lib/squid --srcdir=. --datadir=${prefix}/share/squid --sysconfdir=/etc/squid --enable-linux-netfilter --enable-linux-tproxy

http_port 3128
http_port 3129 tproxy

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

AND TO THE SOURCE SERVER:

FROM:
iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:3128

TO:
iptables -t nat -I cache -p tcp -m tcp --dport 80 -j DNAT --to 10.10.10.1:80

Now the redirection is working, but all the requests are producing an error, invalid GET request:

==> /var/log/squid/cache.log <==
2012/01/19 15:35:46| clientTryParseRequest: FD 12 (10.10.10.100:58640) Invalid Request

==> /var/log/squid/access.log <==
1326987346.801 0 10.10.10.100 TCP_DENIED/400 2079 GET NONE:// - NONE/- text/html

==> /var/log/squid/store.log <==
1326987346.801 RELEASE -1 FFFFFFFF 45B97B27006C6BC283B7EC45B6A1A89C 400 1326987346 -1 -1 text/html 1820/1820 GET error:invalid-request

Error displayed in browser:

ERROR
The requested URL could not be retrieved

While trying to process the request:

GET / HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; U; Edition United States Local; en) Presto/2.10.229 Version/11.60
Host: google.co.uk
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate
Cookie: NID=55=nLRCbUnrM3C7dIaU0ZMwmU4sN89GspazHRw8hQfw8aPn-DoDA4HgTfiLubioA26TMXvjxdNRQqjNwtMsgy0PykVn1F0AqVEl5VQTuB-UNrT1Od9FNHefLUFn62bKTxDd; PREF=ID=2bc21a6253c0a51e:U=121832e3827d293d:FF=0:TM=1326808544:LM=1326808546:S=BIrQ44EQPGOaCNys
Connection: Keep-Alive

The following error was encountered:

Invalid Request

Some aspect of the HTTP Request is invalid. Possible problems:

Missing or unknown request method
Missing URL
Missing HTTP Identifier (HTTP/1.0)
Request is too large
Content-Length missing for POST or PUT requests
Illegal character in hostname; underscores are not allowed

Your cache administrator is webmaster.

Generated Thu, 19 Jan 2012 15:33:48 GMT by cache (squid/2.7.STABLE9)

Any input would be greatly appreciated.

Kind Regards,
Sam