Second NIC is unnecessary. Better go the way Amos suggested - do
policy based routing on OpenWRT
(http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute)
and traffic interception on Linux
(http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat or
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect).

Best,
Niki

On Tue, Feb 18, 2014 at 9:22 PM, Spyros Vlachos <spyros86@xxxxxxxxx> wrote:
> I checked out your suggestions but I keep getting the same error...
> I will buy a second NIC and make my setup simpler.
> Thank you!
>
> On 18/2/2014 3:05 AM, Spyros Vlachos wrote:
>
> Thank you very much! I'll try the things you suggested.
>
> Spyros Vlachos
>
>
> On 18 Feb 2014, at 2:16 AM, Nikolai Gorchilov <niki@xxxxxxxx> wrote:
>
> Hi Spyros,
>
> Seems you're experiencing request loops that are unrelated to your ACLs.
>
> Looking at the logs, we can clearly see pairs of requests for the same
> URL. Like this:
> 1392590890.301 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
> 1392590890.302 1 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
>
> As the logging happens at the end of the transaction, records are ordered
> by finish time, not start. They actually started in reverse order:
> 1. First came the request from 192.168.1.1 for http://www.tvxs.gr/.
> 2. As it was considered a MISS, your Squid decided to go directly to
> the destination server (thus hierarchy code HIER_DIRECT).
> 3. PROBLEM! PROBLEM! Surprisingly, Squid resolves www.tvxs.gr as
> 192.168.1.20 and fires the request towards this IP!
> 4. Boom! This is how the same request arrives again, this time from
> source IP 192.168.1.20 (Squid itself). We have a loop!
> 5. Squid detects the loop (something like "WARNING: Forwarding loop
> detected" in cache.log) and generates an internal error response like
> HTTP/403 Forbidden, using ERR_ACCESS_DENIED or alike. Thus the hierarchy
> code is HIER_NONE.
> 6. The error returns in the first instance of this request after 1ms,
> and Squid returns it to the original caller (TCP_MISS/403).
>
> I don't have a clear idea what the root cause of the loop is, but I'd do:
> 1. make http_port 192.168.1.20:3128 intercept
> 2. study carefully the DNS settings of both Ubuntu and OpenWRT:
>    - /etc/resolv.conf
>    - iptables: DNS interceptions and redirections (UDP & TCP port 53)
>    - change to other public DNS services
>    - tcpdump as much as possible ;-)
>
> Hope this helps!
>
> Best,
> Niki
>
> On Tue, Feb 18, 2014 at 12:05 AM, Spyros Vlachos <spyros86@xxxxxxxxx> wrote:
> Hello! Sorry but I am new to this list and I don't know if I have sent
> the mail correctly and if anyone can see this. Is this the case?
> Sorry and thank you!
>
> On Mon, Feb 17, 2014 at 2:24 PM, Spyros Vlachos <spyros86@xxxxxxxxx> wrote:
> Hello! Thank you in advance for your help.
> I have a fairly simple home network setup.
> I have a modem (192.168.2.254) that connects to the internet.
> Connected to that modem through its own WAN port
> I have an OpenWRT router (192.168.1.1). My internal network is the
> 192.168.1.0/24 one. On the router I have connected
> an Ubuntu 13.10 box (192.168.1.20) that acts as a squid proxy and DNS
> among other things. The Ubuntu box has one network card.
> I had successfully installed a transparent squid proxy by using DNAT
> and SNAT on the router using the 12.04 version of Ubuntu.
> Because of some problems with my UPS I tried to install Ubuntu 13.10,
> which solved the UPS problem but also
> upgraded the squid package to 3.3.8 from 3.1.something.
> My squid configuration is as follows:
>
> #--Squid server 192.168.1.20---------------------------------------------------
> acl localnet src 192.168.1.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl squid-prime dstdomain "/etc/squid3/squid-prime.acl"
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny squid-prime
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 3128 #HAVE tried transparent and intercept but the problem persists
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 20% 4320
> dns_nameservers 8.8.8.8 #have tried to use the local dns 127.0.0.1 but the same problem
> #-------------------------------------------------------
>
> I have tried disabling the DNS server of Ubuntu because I have heard
> of some problem it can cause to squid.
>
> My router (192.168.1.1) SNAT/DNAT configuration is (OpenWRT LuCI GUI):
> 1) MATCH: From IP not 192.168.1.20 in lan Via any router IP at port 80
>    FORWARD TO: IP 192.168.1.20, port 3128 in lan
> 2) MATCH: From any host in lan To IP 192.168.1.20, port 3128 in lan
>    Rewrite to source IP 192.168.1.1
>
> The error I get by using the above configurations is a constant Access
> Denied error in the browser, and in the
> squid access log is
> #---------------------------------------------------------------------
> 92 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
> 1392590851.593 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
> 1392590856.653 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
> 1392590856.653 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
> 1392590861.742 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
> 1392590861.742 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
> 1392590866.878 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
> 1392590866.878 26 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
> 1392590871.903 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
> 1392590871.903 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
> 1392590876.893 0 192.168.1.20 TCP_MISS/403 3985 GET http://notify7.dropbox.com/subscribe? - HIER_NONE/- text/html
> 1392590876.893 1 192.168.1.1 TCP_MISS/403 4090 GET http://notify7.dropbox.com/subscribe? - HIER_DIRECT/192.168.1.20 text/html
> 1392590876.992 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
> 1392590876.993 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
> 1392590878.600 0 192.168.1.20 TCP_MISS/403 4390 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_NONE/- text/html
> 1392590878.601 26 192.168.1.1 TCP_MISS/403 4495 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_DIRECT/192.168.1.20 text/html
> 1392590882.093 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
> 1392590882.093 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
> 1392590887.153 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
> 1392590887.153 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
> 1392590889.524 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
> 1392590889.525 79 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
> 1392590890.301 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
> 1392590890.302 1 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
> #----------------------------------------------------------------------------------------------------
>
>
>
> Thank you in advance!
>
>
>
> --
> Spyros Vlachos.
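Added example, not part of this thread: a small Python parser for the native access.log layout quoted above that recovers the start order Niki describes (log time minus elapsed ms) and flags the loop signature he points out: a HIER_DIRECT to the proxy's own address paired with the same URL arriving back from that address with HIER_NONE. Two sample lines are copied from the thread; the third healthy line and the use of 192.168.1.20 as "the proxy address" are constructed for the demo.

```python
import re
from collections import defaultdict

# Native Squid access.log fields, as quoted in the thread: timestamp, elapsed ms,
# client IP, result/status, bytes, method, URL, ident, hierarchy/peer, content type.
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# First two lines are from the thread; the third is a constructed healthy request
# (203.0.113.10 is a documentation address, not a real server).
SAMPLE_LOG = [
    "1392590889.524      0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html",
    "1392590889.525     79 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html",
    "1392590900.000    120 192.168.1.1 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html",
]

def parse_line(line):
    """Parse one access.log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Squid writes the record when the transaction finishes; recover the start time in ms.
    rec["start_ms"] = int(round(float(rec["ts"]) * 1000)) - int(rec["ms"])
    return rec

def start_order(lines):
    """Records ordered by when each request started, not by when it was logged."""
    recs = [r for r in map(parse_line, lines) if r]
    return sorted(recs, key=lambda r: r["start_ms"])

def find_forwarding_loops(lines, proxy_ip):
    """URLs that Squid forwarded DIRECT to its own address and that then came
    back from that address with HIER_NONE (the loop signature discussed above)."""
    hits = defaultdict(lambda: {"direct_to_self": 0, "from_self": 0})
    for rec in filter(None, map(parse_line, lines)):
        if rec["hier"] == "HIER_DIRECT" and rec["peer"] == proxy_ip:
            hits[rec["url"]]["direct_to_self"] += 1
        elif rec["client"] == proxy_ip and rec["hier"] == "HIER_NONE":
            hits[rec["url"]]["from_self"] += 1
    return {u: c for u, c in hits.items() if c["direct_to_self"] and c["from_self"]}

if __name__ == "__main__":
    for rec in start_order(SAMPLE_LOG):
        print(rec["start_ms"], rec["client"], rec["hier"], rec["peer"], rec["url"])
    for url, c in find_forwarding_loops(SAMPLE_LOG, "192.168.1.20").items():
        print(f"forwarding loop suspected for {url}: {c}")
```

Run it against a real access.log with the proxy's own address to get a per-URL count; a non-empty result means the DNS answer for those hosts is pointing Squid back at itself, which is what the thread's dns_nameservers and /etc/resolv.conf checks are meant to find.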