As i Understand intercept - that will only work (as you said) when NAT
is performed on the box that is to intercept (when I remove haproxy -
that means the squid box itself).
and I'm going to move the squid box to the same network as the
webservers - to be able to do it the routing way.
It seems this config should then be applicable "When Squid is in a DMZ
between the router and Internet" from
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
But do I need to enable net.ipv4.ip_forward = 1 ?
But perhaps that is needed, for iptables/linux kernel to even evaluate
PREROUTING rules (which then dnat's the package into squid port 3129)?
I'd like to only allow packages out of the box, when coming from squid
(in case of some config issue - I'd like the squid-server NOT to route
stuff, which didn't go through squid program).
and then I figured I'd could ensure that from happening, by adding:
iptables -t nat -A OUTPUT --match owner --uid-owner squid -p tcp --dport
80 -j ACCEPT
iptables -t nat -A OUTPUT --match owner --uid-owner squid -p tcp --dport
80 -j ACCEPT
and then ofcourse allow "state RELATED,ESTABLISHED" and traffic I
actually "want" and have default policy DROP.
Klavs Klavsen wrote on 03/12/2015 09:13 AM:
Hi Amos,
Thank you for the walkthrough..
Instead of having to play with tproxy on haproxy currently, I figured
i'd try a simpler route..
The purpose of this setup, is to "jump around" a firewall issue with a
sh#! firewall, which in order to filter http and https traffic
appearently drops 5-15%.. and in 6 months noone has seem willing/able to
fix it :(
I've put squid directly on the 10.43.18.181 (previously haproxy) ip -
and changed to: http_port 80 intercept
I tried this on the client (being on other subnet):
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination
10.43.18.181:80
and the traffic looped in exactly the same way :(
Amos Jeffries wrote on 03/10/2015 05:45 PM:
On 11/03/2015 4:08 a.m., Klavs Klavsen wrote:
hmm..
I've read the config examples..
I would very much like to understand how/why it works, if I've setup a
client to route package to squid (instead of trying to send directly)..
I suggest diagramming your network traffic flow, writing down the TCP
packet src/dst IP:port values on each connection.
"Normal" interception operation showing your loop:
1) curl thinks its talking to Internet server
src ip-of-curl:*
dst ip-of-bt.dk:80
2) NAT diverts the packet to haproxy
src ip-of-curl:*
dst ip-of-haproxy-machine:*
3) haproxy knows its talking to Squid
src ip-of-haproxy-machine:*
dst 10.43.18.165:3129
4) Squid machine reports un-mangled NAT is ...
src ip-of-haproxy-machine:*
dst 10.43.18.165:3129
5) Squid contacts dst-IP to fetch the HTTP request
src 10.43.18.165:*
dst 10.43.18.165:3129
6) repeat from 4 (but with src now 10.43.18.165:*) until
a) machine runs out of memory,
b) machine runs out of TCP sockets,
c) machine runs out of disk space logging errors, or
d) Squid notices Via header loop and rejects request.
A "Normal" connection directly to squid port:
1) curl thinks its talking to Internet server on 10.43.18.165:3129
src ip-of-curl:*
dst 10.43.18.165:3129
2) Squid machine reports un-mangled NAT is ...
src ip-of-curl:*
dst 10.43.18.165:3129
3) Squid contacts dst-IP to fetch the HTTP request
src 10.43.18.165:*
dst 10.43.18.165:3129
4) repeat from 2 (but with src now 10.43.18.165:*) until
a) machine runs out of memory,
b) machine runs out of TCP sockets,
c) machine runs out of disk space logging errors, or
d) Squid notices Via header loop and rejects request.
Confirm it against wireshark packet traces of what is coming *in* to the
Squid machine.
Squid undoes the NAT mangling done on the machine its running. Any NAT
changes prior to that is unknowable. NAT un-mangling can sometimes
appear to work in Squid if haproxy runs on the same machine BUT, some
NAT lookup requires correct TCP socket and some require particular
IP:port ordering so its unrelible.
The Squid access.log lines with ORIGINAL_DST show what client src-IP and
dst-IP Squid received after NAT un-mangling. Though you have to take
care to subtract the duration value from the line timestamp to get the
order right for loops.
I'm trying to follow this on a test client (haven't gotten it working
yet):
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
(where squid is amongst the internal clients - actually on it's own vlan
- but it's not the default route)
If its on its own VLAN then its not "among the clients".
"among the clients" means a bunch of machines all on the same LAN
subnet, one of which is the Squid proxy. They can talk directly to each
other without involving the router so you can hit the triangular routing
problem and have to account for it in your forwarding and/or NAT rules.
If you have Squid on a separate subnet or VLAN with all packets going
via the router, that is a DMZ subnet. The router sees all packets and
can adjusts them right, so triangular routing problem is avoided.
meanwhile I tried pointing to the haproxy - which then forwards requests
in tcp mode, to squid server port 3129.
If I just send to haproxy directly, I get the loop and this in the
accesslog:
1425998994.271 0 10.43.18.165 TCP_MISS_ABORTED/000 0 GET
http://www.bt.dk/ - ORIGINAL_DST/10.43.18.165 -
when doing:
curl -H "Host: www.bt.dk" http://proxy-haproxy-ip/
10.43.18.165 is the ip of squid server behind haproxy.
Methinks that haproxy is still sending to the Squid port configured with
"intercept" option.
A connection between two proxies is explicitly configured. Thus a normal
forward-proxy connection, no special port flags required.
The log line is also showing haproxy to be vulnerable to CVE-2009-0801.
If your Squid and haproxy are recent enough they could use the PROXY
protocol to exchange the original client connections TCP/IP details.
I've not tested it for this myself but that may also allow Squid with an
intercept port to both handle the traffic okay (PROXY protocol override
the NAT lookups), and protect against the CVE-2009-0801 vulnerability in
haproxy ('intercept' flags existence makes Squid do the security checks).
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
--
Regards,
Klavs Klavsen, GSEC - kl@xxxxxxx - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
