Search squid archive

Re: Re: transparent proxy on remote box issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 26/10/2013 8:46 a.m., WorkingMan wrote:
What I tried:

1)with clean.rules I can connect to VPN and access internet without any
issue
1b)On SQUID or VPN server curl -x http://localhost:3130 www.nba.com works
2) with proxy.rules VPN client get invalid URL (previously mentioned error).
proxy is not intercept or transparent

http_port 3130
http_access allow all

#used the first method
#http://www.tldp.org/HOWTO/TransparentProxy-6.html

There is part of your problem. The first method does not work. It has never worked except as a side effect of a security vulnerability bug, which has now been fixed.


export vpnclients=<VPN client IP; ex: 10.10.0.0/24>
export SQUID=<SQUID IP>
export SQUID_PORT=<SQUID PORT>


iptables -t nat -A PREROUTING -i eth0 ! -s ${SQUID} -p tcp --dport 80 -j
DNAT --to ${SQUID}:${SQUID_PORT}
iptables -t nat -A POSTROUTING -o eth0 -s ${vpnclients} -d ${SQUID} -j SNAT
--to ${SQUID}
iptables -A FORWARD -s ${vpnclients} -d ${SQUID} -i eth0 -o eth0 -p tcp --
dport ${SQUID_PORT} -j ACCEPT

It did mention that HTTP/1.0 will not work properly for some reason. It's
not possible to test the second method since EC2 classic doesn't allow me to
add a second network interface (I will probably have to try VPC later on)

Interfaces are relevant to this setup. Whats the problem?

I tried to understand the issue from the code but it wasn't 100% clear.

client_side.cc(2319) parseHttpRequest: HTTP Client local=<SQUID IP>:3130
remote=<VPN server>:65090 FD 10 flags=1
client_side.cc(2320) parseHttpRequest: HTTP Client REQUEST:
---------
GET / HTTP/1.1
Host: www.nba.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8^M
Cookie: s_fid=32FDC9FA0E2D94CE-297956A1143A207A; s_vi=
[CS]v1|28AFB9BC0501287A-600001094003481F[CE]^M
Connection: keep-alive
Accept-Language: en-us
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_2 like Mac OS X)
AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A501
Safari/9537.53

This looks good to me and works (test and works as a request) but then I see
this error message and then it went to show SQUID's error page. It doesn't
really tell me why it's not working.

That line above the headers is showing the problem:

HTTP Client local=<SQUID IP>:3130 remote=<VPN server>:65090 FD 10 flags=1

local= contains the details of www.nba.com server where the request is being fetched .... original dst IP:port from the TCP packets.
remote= contains the client src IP:port from the TCP packets.

Your NAT is still being done at the client end of the connection before it reaches the Squid box. This is THE problem. Move the NAT rules.

1) the client end of the VPN needs to contain the routing and MARK rules from section 6.2 of that page.

2) the VPN tunnel needs to deliver those packets directly onto the Squid box. Avoiding any problems ECN may cause with routing the packets.

2a) at this point you should still be able to browse the web without problems. However your packets should be going over the VPN without any browser or test tool mention of the Squid box IP.

3) the Squid box needs to contains the REDIRECT rule from section 6.2 on that page, and probably the MASQUERADE rule from section 6.3. Squid needs the "intercept" http_port option.

3a) at this point you should still be able to browse the web without problems using *identical* tests to those made in (2a) when there was no proxy used. However the traffic should be logged in Squid access.log.


<skipping the rest of your Qs because the necessary info is already logged in those lines above>

Amos




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux