On 12/07/2013 3:09 p.m., Kai Meyer wrote:
Sorry for the long post, but I like to error on the side of verbosity
when I'm grasping at straws.
I've been happily running Dansguardian(2.10.1.1-4.el6.x86_64) +
squid(3.1.10-9.el6_3.x86_64) on CentOS 6 for a while.
Recently, I've been dealing with an HTTP 1.1 error by disabling the
proxy temporarily. I finally decided to fix it for real and it looks
like squid 3.3 will solve my problem. So I hacked the squid 3.3 source
into the CentOS 3.1 source rpm, and produced a package you can find here:
http://kai.gnukai.com/repo/
I was using a "close-to-stock" squid 3.1 configuration that was working:
---snip---
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
follow_x_forwarded_for deny all
http_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname CENSORED
---snip---
I dropped in squid 3.3, and it complained about line one. So I dropped
line 1, and had some more issues. So I decided to start with the stock
3.3 squid configuration, and simply "add" the pieces I thought I
needed. I ended up with this:
---snip---
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
follow_x_forwarded_for deny all
visible_hostname CENSORED
always_direct allow all
http_port 3129 transparent
---snip---
You may notice I "added" port 3129 instead of replacing the 3128. I
did that just to avoid the "kid1| ERROR: No forward-proxy ports
configured." error. I've updated my dansguardian config accordingly.
With DG in front of Squid you do not need the "transparent" option on
squid.conf port. That is only for when NAT is passing the intercepted
traffic directly to the Squid listening port. DG acts as the receiving
proxy in your case and passes it as forward-proxy traffic to Squid.
Using that option on forward-proxy traffic will cause Squid to fail the
destination security checks and enter a forwarding loop.
For reference, here's my iptables config. ppp0 is my internet
connection, br0 is my local network connection, and tun+ interfaces
are any OpenVPN
---snip---
*nat
:PREROUTING ACCEPT [10:812]
:POSTROUTING ACCEPT [3:236]
:OUTPUT ACCEPT [6:469]
:whitelist - [0:0]
-A PREROUTING -j whitelist
-A PREROUTING -s 10.9.8.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 10.9.8.0/24 -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.9.8.1:8080
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [34:8038]
:OUTPUT ACCEPT [5:337]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 3 --name DEFAULT --rsource -j LOG --log-prefix "SSH DROP: " --log-level 6
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 3 --name DEFAULT --rsource -j DROP
-A INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [109:23590]
:INPUT ACCEPT [50:3853]
:FORWARD ACCEPT [59:19737]
:OUTPUT ACCEPT [29:2882]
:POSTROUTING ACCEPT [88:22619]
COMMIT
---snip---
So, with the DNAT rule enabled, every http page (ie:
http://kai.gnukai.com/ip.php) comes back in my browser with the error
---snip---
Access Denied.
Access control configuration prevents your request from being allowed at
this time. Please contact your service provider if you feel this is incorrect.
---snip---
If I http decode the mailto: link to root, I get this:
---snip---
mailto:root?subject=CacheErrorInfo - ERR_ACCESS_DENIED&body=CacheHost: shuttle.gamer.gnukai.com
ErrPage: ERR_ACCESS_DENIED
Err: [none]
TimeStamp: Fri, 12 Jul 2013 01:08:40 GMT
ClientIP: 10.9.8.1
HTTP Request:
GET /ip.php HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: shuttle
Accept: */*
Via: 1.0 CENSORED (squid/3.3.6)
X-Forwarded-For: 10.9.8.104, 10.9.8.1
Squid IP address being 10.9.8.1 ?
Cache-Control: max-age=259200
Connection: keep-alive
---snip---
10.9.8.104 is my browser. If I use curl to get the headers back, they
look like this:
---snip---
HTTP/1.1 403 Forbidden
Server: squid/3.3.6
Mime-Version: 1.0
Date: Fri, 12 Jul 2013 02:53:39 GMT
Content-Type: text/html
Content-Length: 3447
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from CENSORED
X-Cache-Lookup: MISS from CENSORED:3128
X-Cache: MISS from CENSORED
X-Cache-Lookup: MISS from CENSORED:3128
Via: 1.1 CENSORED (squid/3.3.6), 1.1 CENSORED (squid/3.3.6)
There you have the confirmation. Forwarding loop from your Squid to
itself. The 403 will be generated by Squid detecting that loop and
halting the request before it sucks up all the resources on that box.
Connection: keep-alive
---snip---
I'm confused that it says 3128, when it's clearly talking 3129 on the
lo device:
0.000000 10.9.8.1 -> 10.9.8.1 TCP 35160 > 3129 [SYN] Seq=0 Win=32792 Len=0 MSS=16396 TSV=211693779 TSER=0 WS=7
0.000012 10.9.8.1 -> 10.9.8.1 TCP 3129 > 35160 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=16396 TSV=211693779 TSER=211693779 WS=7
0.000021 10.9.8.1 -> 10.9.8.1 TCP 35160 > 3129 [ACK] Seq=1 Ack=1 Win=32896 Len=0 TSV=211693779 TSER=211693779
0.000869 10.9.8.1 -> 10.9.8.1 TCP 35160 > 3129 [PSH, ACK] Seq=1 Ack=1 Win=32896 Len=44 TSV=211693780 TSER=211693779
....
"CENSORED:3128" is the public (forward-proxy) FQDN and port number for
Squid.
Amos
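Added here as an example, not code from the thread or from Squid: a small Python checker that parses the Via header chain the way a defender would when triaging a 403 like the one above, and flags the same proxy hostname appearing twice, which is the loop signature Amos points to in the quoted headers. VISIBLE_HOSTNAME and the header sample are assumptions constructed from the values quoted in the post.

```python
import re

# Assumed local visible_hostname; "CENSORED" is the value quoted in the post.
VISIBLE_HOSTNAME = "CENSORED"

# Constructed sample, reduced from the 403 response quoted above: the
# Via chain lists the same Squid twice, i.e. the request passed through
# this proxy, was redirected back to itself, and passed through again.
SAMPLE_HEADERS = """HTTP/1.1 403 Forbidden
Server: squid/3.3.6
X-Squid-Error: ERR_ACCESS_DENIED 0
X-Cache-Lookup: MISS from CENSORED:3128
Via: 1.1 CENSORED (squid/3.3.6), 1.1 CENSORED (squid/3.3.6)
Connection: keep-alive
"""

# One Via entry: [protocol/]version received-by [ (comment) ]
# Comments containing a literal comma are not handled by the simple split.
VIA_ENTRY = re.compile(
    r"^\s*(?:(?P<proto>[A-Za-z]+)/)?(?P<ver>[0-9.]+)\s+"
    r"(?P<host>[^\s(,]+)(?:\s*\((?P<comment>[^)]*)\))?\s*$"
)


def parse_via(header_value):
    """Split a Via header value into (version, received-by, comment) tuples."""
    entries = []
    for part in header_value.split(","):
        m = VIA_ENTRY.match(part)
        if not m:
            raise ValueError(f"unparseable Via entry: {part!r}")
        entries.append((m.group("ver"), m.group("host"), m.group("comment")))
    return entries


def via_hops(raw_headers):
    """Collect every Via entry in a raw header block (Via may repeat)."""
    hops = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "via":
            hops.extend(parse_via(value))
    return hops


def own_hops(raw_headers, hostname=VISIBLE_HOSTNAME):
    """Count how often our own hostname appears in the Via chain.
    Squid refuses a request whose Via already names it (loop guard);
    seeing it twice in the returned response confirms such a loop."""
    hosts = [h.split(":")[0] for _, h, _ in via_hops(raw_headers)]
    return hosts.count(hostname)
```

Run against the headers from curl -I rather than a browser, since the browser only shows the rendered error page.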