
TPROXY Configuration

I have configured the tproxy as follows, but it appears packets are
not hitting squid.  Please note, the wccp configuration on the router
is already working with squid http_port transparent configuration and,
obviously, different iptables configuration.  Any help is appreciated.

Thanks in advance.

squid.conf
---------------

http_port 3228 tproxy
https_port 3229 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/domain.crt key=/etc/ssl/private/domain.key

# FortiGate interface of wccp
wccp2_router 192.168.5.1

wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=src_ip_hash priority=240 ports=80,443

wccp2_service dynamic 95
wccp2_service_info 95 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80,443

# tunneling method GRE for forward traffic
wccp2_forwarding_method 1

# tunneling method GRE for return traffic
wccp2_return_method 1

# Assignment method (default), only relevant if multiple caches used
wccp2_assignment_method 1

# wccp weight (default), only relevant if multiple caches used
wccp2_weight 10000

# which interface to use for WCCP (0.0.0.0 determines the interface from routing)
wccp2_address 0.0.0.0

rc.local
-----------

modprobe ip_gre
modprobe ip_tables
modprobe x_tables
ip tunnel add wccp0 mode gre remote 192.168.5.1 local 192.168.5.21 dev eth0
ip addr add 192.168.5.21/32 dev wccp0
ip link set wccp0 up

# Route to send the content back to the GRE tunnel
route add -net {wan interface ip} netmask 255.255.255.255 dev wccp0

# Disable reverse path filtering and enable routing in the kernel
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set up the redirection of traffic from the GRE tunnel to squid's tproxy ports 3228 (http) and 3229 (https)

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3228
iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3229

exit 0
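
Added example, not the poster's rc.local: the same WCCP/GRE plus TPROXY host setup as one parametrised sh script. Compared with the rc.local above it adds the two things the standard Linux TPROXY recipe (kernel Documentation/networking/tproxy.txt and the Squid TPROXY wiki) requires and the post omits: the fwmark policy rule and "local" route that make the kernel deliver a TPROXY-marked packet to the local Squid socket instead of forwarding it, and rp_filter cleared on conf.all as well as on wccp0 (the kernel uses the larger of the two, so clearing only the tunnel's value has no effect). It also has a dry-run mode and a status function for the counters to look at when nothing reaches Squid. The function and parameter names are mine; the router WAN address parameter stands for the "{wan interface ip}" placeholder in the post, and the 203.0.113.1 used in the usage line is a constructed documentation-range address, not a value from the post.

```shell
#!/bin/sh
# Added example (not the original poster's script): WCCP/GRE + TPROXY host
# setup for Squid, with the fwmark policy route and the conf.all rp_filter
# setting that the posted rc.local lacks, plus dry-run and status modes.
#
#   DRY_RUN=1 sh tproxy-setup.sh ROUTER_IP LOCAL_IP DEV ROUTER_WAN_IP   # print only
#             sh tproxy-setup.sh ROUTER_IP LOCAL_IP DEV ROUTER_WAN_IP   # apply, as root
#             sh tproxy-setup.sh status                                # diagnose
# e.g.  DRY_RUN=1 sh tproxy-setup.sh 192.168.5.1 192.168.5.21 eth0 203.0.113.1
set -eu

# run CMD...: execute CMD, or print it when DRY_RUN=1 so the rule set can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# tproxy_setup ROUTER_IP LOCAL_IP DEV ROUTER_WAN_IP [HTTP_PORT] [HTTPS_PORT]
# ROUTER_WAN_IP is the address the post writes as "{wan interface ip}".
tproxy_setup() {
    router=$1 local_ip=$2 dev=$3 wan_ip=$4
    http_port=${5:-3228} https_port=${6:-3229}
    mark=1 table=100   # fwmark set by DIVERT/TPROXY and the routing table it selects

    # GRE tunnel terminating the router's WCCP redirects (same as the post).
    run modprobe ip_gre
    run ip tunnel add wccp0 mode gre remote "$router" local "$local_ip" dev "$dev"
    run ip addr add "$local_ip/32" dev wccp0
    run ip link set wccp0 up
    run ip route add "$wan_ip/32" dev wccp0

    # Forwarding on, reverse-path filtering off. The effective rp_filter value
    # is max(conf.all, conf.<dev>), so clearing it only on wccp0 does nothing
    # while conf.all is still 1. (Assumes the sysctl utility is installed.)
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w net.ipv4.conf.wccp0.rp_filter=0

    # Policy routing for TPROXY, the part missing from the post: packets that
    # carry the fwmark are looked up in a table whose only entry is a "local"
    # default route, so a SYN addressed to some remote web server is delivered
    # to Squid's local socket. The mark alone does nothing; without this rule the
    # routing decision that follows the TPROXY target still uses the main table.
    run ip rule add fwmark "$mark" lookup "$table"
    run ip route add local 0.0.0.0/0 dev lo table "$table"

    # DIVERT: packets that already belong to a proxied socket (later segments of
    # the client's connection) are marked so they take the same local route.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$mark"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

    # New connections arriving from the tunnel go to Squid's tproxy listeners.
    run iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$mark/$mark" --on-port "$http_port"
    run iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 443 \
        -j TPROXY --tproxy-mark "$mark/$mark" --on-port "$https_port"
}

# tproxy_status [HTTP_PORT] [HTTPS_PORT]: what to check when "packets are not
# hitting squid": is anything arriving through the GRE tunnel (RX counters),
# do the TPROXY rule packet counters move, is the fwmark rule/route in place,
# and is Squid actually listening on the tproxy ports.
tproxy_status() {
    ip -s link show wccp0
    iptables -t mangle -L PREROUTING -v -n
    ip rule show
    ip route show table 100
    ss -lntp | grep -E ":(${1:-3228}|${2:-3229}) " || echo "squid is not listening on the tproxy ports"
}

case "${1:-}" in
    "")     ;;                              # no arguments: only define the functions
    status) shift; tproxy_status "$@" ;;
    *)      tproxy_setup "$@" ;;
esac
```

Read the sequence top to bottom with DRY_RUN=1 first; the ordering matters (the tunnel must exist before its rp_filter sysctl, and the rule/route must exist before the first TPROXY'd SYN arrives). Squid itself must be started as root so it keeps CAP_NET_ADMIN for the tproxy listeners. If tproxy_status shows wccp0 RX counters rising but the TPROXY rule counters at zero, the redirect is working and the problem is in the match (interface, protocol or port); if the counters rise and Squid still sees nothing, the fwmark rule and local route are the first thing to verify.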

