On 26/10/2013 8:46 a.m., WorkingMan wrote:
> What I tried:
> 
> 1) With clean.rules I can connect to the VPN and access the internet without any
> issue.
> 1b) On the SQUID or VPN server, curl -x http://localhost:3130 www.nba.com works.
> 2) With proxy.rules the VPN client gets "invalid URL" (the previously mentioned error).
> The proxy is not intercept or transparent.
> 
> http_port 3130
> http_access allow all
> 
> #used the first method
> #http://www.tldp.org/HOWTO/TransparentProxy-6.html

There is part of your problem. The first method does not work. It has never worked except as a side effect of a security vulnerability bug, which has now been fixed.


> export vpnclients=<VPN client IP; ex: 10.10.0.0/24>
> export SQUID=<SQUID IP>
> export SQUID_PORT=<SQUID PORT>
> 
> # rewrite inbound port-80 traffic (except Squid's own) to the Squid socket
> iptables -t nat -A PREROUTING -i eth0 ! -s ${SQUID} -p tcp --dport 80 -j DNAT --to ${SQUID}:${SQUID_PORT}
> # source-NAT the rewritten client packets so the replies come back through this box
> iptables -t nat -A POSTROUTING -o eth0 -s ${vpnclients} -d ${SQUID} -j SNAT --to ${SQUID}
> # let the rewritten packets be forwarded to the Squid port
> iptables -A FORWARD -s ${vpnclients} -d ${SQUID} -i eth0 -o eth0 -p tcp --dport ${SQUID_PORT} -j ACCEPT
> 
> It did mention that HTTP/1.0 will not work properly for some reason. It's
> not possible to test the second method since EC2 classic doesn't allow me to
> add a second network interface (I will probably have to try VPC later on).

Interfaces are relevant to this setup. What's the problem?

> I tried to understand the issue from the code but it wasn't 100% clear.
> 
> client_side.cc(2319) parseHttpRequest: HTTP Client local=<SQUID IP>:3130 remote=<VPN server>:65090 FD 10 flags=1
> client_side.cc(2320) parseHttpRequest: HTTP Client REQUEST:
> ---------
> GET / HTTP/1.1
> Host: www.nba.com
> Accept-Encoding: gzip, deflate
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Cookie: s_fid=32FDC9FA0E2D94CE-297956A1143A207A; s_vi=[CS]v1|28AFB9BC0501287A-600001094003481F[CE]
> Connection: keep-alive
> Accept-Language: en-us
> User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A501 Safari/9537.53
> 
> This looks good to me (tested, and it works as a request), but then I see
> this error message and then it shows SQUID's error page. It doesn't
> really tell me why it's not working.

That line above the headers is showing the problem:

HTTP Client local=<SQUID IP>:3130 remote=<VPN server>:65090 FD 10 flags=1

local= contains the details of the www.nba.com server the request is being fetched from, i.e. the original dst IP:port from the TCP packets.
remote= contains the client src IP:port from the TCP packets.

Your NAT is still being done at the client end of the connection before it reaches the Squid box. This is THE problem. Move the NAT rules.

1) the client end of the VPN needs to contain the routing and MARK rules from section 6.2 of that page.

2) the VPN tunnel needs to deliver those packets directly onto the Squid box. Avoiding any problems ECN may cause with routing the packets.

2a) at this point you should still be able to browse the web without problems. However your packets should be going over the VPN without any browser or test tool mention of the Squid box IP.

3) the Squid box needs to contain the REDIRECT rule from section 6.2 on that page, and probably the MASQUERADE rule from section 6.3. Squid needs the "intercept" http_port option.

3a) at this point you should still be able to browse the web without problems using *identical* tests to those made in (2a) when there was no proxy used. However the traffic should be logged in Squid access.log.


<skipping the rest of your Qs because the necessary info is already logged in those lines above>

Amos
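The rule placement Amos describes in steps 1 through 3a, plus a check for the local= field he points at in the debug line, as an added example; it is not code from the thread, from the HOWTO, or from Squid. Everything it assumes is labelled in the script: a 10.10.0.0/24 client pool, 10.10.0.1 as the Squid box's tunnel address, tun0/eth0 interface names, fwmark 3 and routing table 2 (the HOWTO's values), and two constructed debug lines. By default it prints the iptables/ip commands (dry run) and only applies them when RUN is set to the empty string.

```shell
#!/bin/sh
# Added example (not from the thread): the two halves of the corrected setup,
# and a check on Squid's "HTTP Client local=... remote=..." debug line.
# All addresses, interface names, mark/table numbers and the sample debug
# lines below are assumptions constructed for this example.

VPN_CLIENTS=${VPN_CLIENTS:-10.10.0.0/24}   # VPN client pool (assumed)
SQUID=${SQUID:-10.10.0.1}                  # Squid box address inside the tunnel (assumed)
SQUID_PORT=${SQUID_PORT:-3130}
TUN_IF=${TUN_IF:-tun0}                     # tunnel interface at the client end (assumed)
SQUID_IN_IF=${SQUID_IN_IF:-tun0}           # interface the tunnel delivers on at the Squid box (assumed)
OUT_IF=${OUT_IF:-eth0}                     # Squid box's internet-facing interface (assumed)
MARK=${MARK:-3}; TABLE=${TABLE:-2}         # fwmark / routing table numbers from HOWTO section 6.2
RUN=${RUN:-echo}                           # dry run: print commands; RUN='' applies them (as root)

# Step 1 (client end of the VPN, i.e. the gateway in front of the clients):
# do not mark the Squid box's own fetches, mark everything else bound for
# port 80, and policy-route marked packets straight into the tunnel.  No NAT
# happens here, so the packets keep their original destination IP:port.
# (If the client itself runs this, use the mangle OUTPUT chain instead.)
vpn_client_rules() {
  $RUN iptables -t mangle -A PREROUTING -s "$SQUID" -p tcp --dport 80 -j ACCEPT
  $RUN iptables -t mangle -A PREROUTING -s "$VPN_CLIENTS" -p tcp --dport 80 -j MARK --set-mark "$MARK"
  $RUN ip rule add fwmark "$MARK" table "$TABLE"
  $RUN ip route add default dev "$TUN_IF" table "$TABLE"
}

# Step 3 (Squid box): REDIRECT on the same host as Squid, so the original
# destination is in this host's conntrack table and Squid (in intercept mode)
# can recover it; MASQUERADE so Squid's own fetches leave with the public address.
squid_box_rules() {
  $RUN iptables -t nat -A PREROUTING -i "$SQUID_IN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
  $RUN iptables -t nat -A POSTROUTING -o "$OUT_IF" -j MASQUERADE
}

# Matching squid.conf fragment: the port must be flagged "intercept".
squid_conf() {
  printf '%s\n' \
    "http_port $SQUID_PORT intercept" \
    "acl localnet src $VPN_CLIENTS" \
    "http_access allow localnet" \
    "http_access deny all"
}

# Step 3a check: in the parseHttpRequest debug line, local= must be the
# origin server's IP:port.  If it is Squid's own listening socket, the
# original destination was lost before the packet reached this box.
check_debug_line() {
  line=$1; squid_ip=$2; squid_port=$3
  local_addr=$(printf '%s\n' "$line" | sed -n 's/.*local=\([^ ]*\).*/\1/p')
  case "$local_addr" in
    '')                       echo "unparsed" ;;
    "$squid_ip:$squid_port")  echo "original-dst-lost" ;;
    *)                        echo "original-dst-kept" ;;
  esac
}

# Constructed sample debug lines: the thread's symptom, and what a working
# intercept setup is expected to show (198.51.100.20:80 stands in for the origin).
BAD_LINE='client_side.cc(2319) parseHttpRequest: HTTP Client local=10.10.0.1:3130 remote=10.10.0.7:65090 FD 10 flags=1'
GOOD_LINE='client_side.cc(2319) parseHttpRequest: HTTP Client local=198.51.100.20:80 remote=10.10.0.7:65090 FD 10 flags=1'

case "${1:-show}" in
  show)         vpn_client_rules; squid_box_rules; squid_conf
                check_debug_line "$BAD_LINE" "$SQUID" "$SQUID_PORT"
                check_debug_line "$GOOD_LINE" "$SQUID" "$SQUID_PORT" ;;
  apply-client) RUN=''; vpn_client_rules ;;
  apply-squid)  RUN=''; squid_box_rules ;;
esac
```

Run it with no arguments to see the generated rules and the two verdicts; `apply-client` and `apply-squid` install each half on the respective box. The DNAT/SNAT pair from the original rules is deliberately absent: once the destination is rewritten to the Squid socket on another host, nothing on the Squid box can map the connection back to www.nba.com, which is exactly what the local=<SQUID IP>:3130 line shows.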
