TPROXY Timeouts on Select Websites

I've tried searching and didn't see anyone else experiencing this, so
I apologize if someone has. I spent yesterday upgrading my Squid
install to support TPROXY so I can also intercept my IPv6 traffic that
leaves my home via a HE.net tunnelbroker connection.

I worked off both
http://www.squid-cache.org/mail-archive/squid-users/201206/0281.html
and http://wiki.squid-cache.org/Features/IPv6 to where everything
seems to work fine except for certain websites: namely Google.

My network setup is as follows:

ISP <-> RTR1 <-> (eth1) Squid (eth0) <-> RTR2 <-> Clients

I kept everything on a flat subnet for simplicity, as RTR2 is more of
a switch that accepts WiFi connections. The Squid box is a Debian
machine that sits physically in-line as a bridge.

I can watch my access log and see traffic going through the proxy on
both IPv4 and IPv6, and websites loading fine. The only site which
does not behave seems to be Google. The temporary workaround was to
access Google on HTTPS only, since I do not intercept any SSL
connections, but then most of the results Google returns are all to
non-HTTPS redirect pages at Google.com first instead of directly to
the actual website -- so I get timeouts there, instead.

Software versions: kernel 3.1.0-1-amd64, iptables/ip6tables 1.4.14,
ebtables 2.0.9-2, squid 3.1.2

ebtables config: ebtables -t broute -Lx
Bridge table: broute

Bridge chain: BROUTING, entries: 4, policy: ACCEPT
-p IPv6 -i eth0 --ip6-proto tcp --ip6-dport 80 -j redirect --redirect-target DROP
-p IPv4 -i eth0 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-p IPv6 -i eth1 --ip6-proto tcp --ip6-sport 80 -j redirect --redirect-target DROP
-p IPv4 -i eth1 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

iptables config: iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp  --  anywhere             anywhere             socket
TPROXY     tcp  --  anywhere             anywhere             tcp dpt:www TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK set 0x1
ACCEPT     all  --  anywhere             anywhere

ip6tables config: ip6tables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DIVERT     tcp      anywhere             anywhere             socket
TPROXY     tcp      anywhere             anywhere             tcp dpt:www TPROXY redirect :::3128 mark 0x1/0x1

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain DIVERT (1 references)
target     prot opt source               destination
MARK       all      anywhere             anywhere             MARK set 0x1
ACCEPT     all      anywhere             anywhere

squid.conf:
acl purge   method PURGE   # rsync
acl connect method CONNECT # SWAT
acl safe_ports port "/etc/squid3/safe_ports.acl"
acl manager    proto cache_object
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
acl localnet src "/etc/squid3/localnet.acl"
acl children src "/etc/squid3/children.acl"
acl guests   src "/etc/squid3/guests.acl"
acl parents  src "/etc/squid3/parents.acl"
acl block-dom     dstdom_regex -i "/etc/squid3/block.dom"
acl block-kid-dom dstdom_regex -i "/etc/squid3/block-kid.dom"
acl nocache-dom   dstdom_regex -i "/etc/squid3/nocache.dom"
acl whitelst-dom  dstdom_regex -i "/etc/squid3/whitelst.dom"
acl block-url     url_regex -i "/etc/squid3/block.url"
acl block-kid-url url_regex -i "/etc/squid3/block-kid.url"
http_access allow manager     localnet
http_access deny  manager
http_access allow purge       localnet
http_access deny  purge
http_access deny  !safe_ports
http_access deny  connect     !safe_ports
http_access deny  parents     block-dom
http_access deny  parents     block-url
http_access deny  children    block-dom
http_access deny  children    block-url
http_access deny  guests      block-dom
http_access deny  guests      block-url
http_access deny  children    block-kid-dom
http_access deny  children    block-kid-url
http_access allow parents     whitelst-dom
http_access allow children    whitelst-dom
http_access allow guests      whitelst-dom
http_access allow localnet
http_access deny  all
cache deny nocache-dom
http_port 3128 tproxy
cache_mem 1024 MB
maximum_object_size_in_memory 4 MB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir aufs /storage/squid3 5120 16 256
store_dir_select_algorithm least-load
max_open_disk_fds 0
minimum_object_size 0 KB
maximum_object_size 204800 KB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid3/access.log squid
acl nolog-port port  443
acl nolog-mgr  proto cache_object
acl nolog-dom dstdom_regex -i "/etc/squid3/nolog.dom"
acl nolog-url url_regex -i    "/etc/squid3/nolog.url"
log_access deny nolog-port
log_access deny nolog-mgr
log_access deny nolog-dom
log_access deny nolog-url
cache_store_log /var/log/squid3/store.log
log_fqdn on
strip_query_terms off
cache_log /var/log/squid3/cache.log
coredump_dir /storage/squid3
refresh_pattern . 0 20% 4320
quick_abort_pct -1
read_ahead_gap 256 KB
range_offset_limit 0 KB
via off
icp_port 0
htcp_port 0
dns_nameservers 127.0.0.1 ::1
hosts_file /etc/hosts
forwarded_for off
client_db on
coredump_dir /storage/squid3
high_response_time_warning 1000

Is there something I'm missing here? I don't understand why I'm having
issues with only one website. I'd be happy to provide Wireshark info
or anything else needed.

Thanks for any assistance,
Matt Goff
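The log-side check worth running for a report like this one, added here as an example and not part of the original mail or of Squid itself: it parses access.log lines in the native "squid" format named in the config above and groups fetches by destination host and by the address family of the origin Squid connected to, so timeouts that cluster on one host or only on IPv6 origins stand out. The sample lines are constructed; the hostnames and addresses in them are placeholders.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native log format:
# timestamp elapsed_ms client action/status size method url ident hierarchy/peer type
SAMPLE_LOG = """\
1340000001.123    210 192.168.1.20 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1340000002.456  60012 192.168.1.20 TCP_MISS/504 0 GET http://www.google.com/search?q=squid - DIRECT/2001:db8::1 text/html
1340000003.789    180 192.168.1.21 TCP_HIT/200 2048 GET http://example.com/logo.png - NONE/- image/png
1340000004.001  60003 192.168.1.21 TCP_MISS/504 0 GET http://www.google.com/ - DIRECT/2001:db8::2 text/html
1340000005.222    350 192.168.1.22 TCP_MISS/200 900 GET http://www.google.com/favicon.ico - DIRECT/198.51.100.7 image/x-icon
"""


def family_of(peer):
    """Classify the origin address Squid used; '-' means served from cache (no origin)."""
    try:
        return "IPv%d" % ipaddress.ip_address(peer).version
    except ValueError:
        return "none"


def parse_line(line):
    """Split one native-format line into the fields the summary needs, or None if malformed."""
    parts = line.split(None, 9)
    if len(parts) < 9:
        return None
    _ts, elapsed, _client, action_status, _size, _method, url, _ident, hier = parts[:9]
    action, _, status = action_status.partition("/")
    _hier_name, _, peer = hier.partition("/")
    return {
        "elapsed": int(elapsed),
        "status": int(status) if status.isdigit() else 0,
        "host": urlsplit(url).hostname or url,
        "family": family_of(peer),
        "action": action,
    }


def summarize(log_text, slow_ms=30000):
    """Per (host, origin family): request count, failed count (5xx or slower than slow_ms), max elapsed."""
    stats = defaultdict(lambda: {"requests": 0, "failed": 0, "max_ms": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[(rec["host"], rec["family"])]
        s["requests"] += 1
        s["max_ms"] = max(s["max_ms"], rec["elapsed"])
        if rec["status"] >= 500 or rec["elapsed"] >= slow_ms:
            s["failed"] += 1
    return dict(stats)


if __name__ == "__main__":
    for (host, fam), s in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["failed"]):
        print("%-20s %-5s requests=%d failed=%d max_ms=%d" % (host, fam, s["requests"], s["failed"], s["max_ms"]))
```

Run it against the real /var/log/squid3/access.log (read the file into `summarize`) to see whether the 504s and multi-second fetches are confined to one host or to one address family.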

