Search squid archive

not working tproxy in squid 3.2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



  Hi, all.

After squid 3.1 ate all of my memory, i installed squid 3.2 (which also ate
all of my memory, but this is an another story). It seems, in squid 3.2 tproxy
is not work right. squid reply to my request, but count of packets too small
for normal workflow. If i connect directly to squid (to normal mode 3128 port),
all work fine.

How can i debug this problem?

My config (3.2.8):

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128
http_port 3129 tproxy
access_log none
coredump_dir /usr/local/var/cache/squid
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 30 startup=5 idle=10 concurrency=0
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
cache_effective_user proxy

iptables-save:

# Generated by iptables-save v1.4.14 on Wed Mar  6 15:41:59 2013
*raw
:PREROUTING ACCEPT [7824875024:8401335411812]
:OUTPUT ACCEPT [3675157306:6129226492352]
COMMIT
# Completed on Wed Mar  6 15:41:59 2013
# Generated by iptables-save v1.4.14 on Wed Mar  6 15:41:59 2013
*mangle
:PREROUTING ACCEPT [6770135987:6702261415787]
:INPUT ACCEPT [4838725878:6108754481433]
:FORWARD ACCEPT [2985099037:2292524666165]
:OUTPUT ACCEPT [3675156676:6129226454540]
:POSTROUTING ACCEPT [6660255713:8421751120705]
:tproxied - [0:0]
-A PREROUTING -p tcp -m socket --transparent -j tproxied
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0xffffffff
-A tproxied -j MARK --set-xmark 0x1/0xffffffff
-A tproxied -j ACCEPT
COMMIT
# Completed on Wed Mar  6 15:41:59 2013
# Generated by iptables-save v1.4.14 on Wed Mar  6 15:41:59 2013
*nat
:PREROUTING ACCEPT [166764142:12594892291]
:INPUT ACCEPT [88382392:5321491245]
:OUTPUT ACCEPT [54669707:3295422034]
:POSTROUTING ACCEPT [132896164:10559090386]
COMMIT
# Completed on Wed Mar  6 15:41:59 2013
# Generated by iptables-save v1.4.14 on Wed Mar  6 15:41:59 2013
*filter
:INPUT ACCEPT [14588788:12990241586]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12967278:12836984550]
:block_ip - [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -s 10.232.0.0/16 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 10.232.0.0/16 -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3129 -j DROP
-A FORWARD -o eth0 -j block_ip
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Wed Mar  6 15:41:59 2013

ip rule:
0:      from all lookup local 
30000:  from all fwmark 0x1 lookup tproxy 
32766:  from all lookup main 
32767:  from all lookup default 

ip rou show table tproxy:
local default dev lo  scope host

This configuration works fine with squid 3.1.


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux