On 24/04/2015 2:29 p.m., Srinath Krishna wrote:
> Hello all,
>
> I'm trying my hands with openvswitch and squid. This is what I want to
> achieve.
>
> The client tries to connect to the server. This packet is handled through
> an openvswitch and it's sent to a machine running squid for proxying. The
> machine running squid sees the packet with client to server but iptables
> rules help in delivering this packet up the stack. On a cache hit, squid
> responds back to the client and also installs iptables rules on the fly and
> hence the source IP is that of the server.

No. Squid has nothing to do with any of that. The kernel TPROXY module does it all.

>
> This is achieved through the following configuration in squid.conf.
>
> http_port 3128 intercept
>

"intercept" means NAT. Which cannot do what you are asking for.

> With this configuration however, on a cache miss case, squid uses its IP
> address as the source IP to connect to the server. What I expect is squid
> to use the client's IP address to establish this new connection to the
> server. From the squid.conf, I believe I need to use the tproxy mode with

Correct.

> the http_port directive, but I'm stumped about what iptables rules to
> configure.

That would be the lines listed in <http://wiki.squid-cache.org/Features/Tproxy4#iptables_Configuration>

Also, make sure that any rules in the "iptables -t nat" table which you may have set up for the NAT intercept configuration are removed. They *will* break TPROXY kernel module operations.

iptables is just one of many networking layers that need configuring though before TPROXY will work. The rest of the page explains.

>
> I'm trying to follow the steps here (
> http://wiki.squid-cache.org/Features/Tproxy4#Feature:_TPROXY_version_4.1.2B-_Support)
> but no luck yet. And I don't understand why I'd need to use WCCP for
> something like this.

You don't. Please read the _title_ of the WCCP section again. Slowly.

>
> I expect squid to use the client's IP address and the reverse traffic from
> the server will make its way to squid's box through openvswitch.

You expect a lot.

Behind the single tproxy flag in squid.conf the entire routing system of your whole network has to be configured to ensure that the above "expected" flow is what the packets actually do. If there is any potential path through the network where server packets can reach the client directly without being diverted back through Squid there will be hanging connections. The client will drop them because the TCP connection was not client initiated.

> All squid
> has to do is install an iptable rule on the fly for the outgoing connection
> to use the client's IP address and also have a corresponding reverse rule
> to translate from the client's IP address to squid's IP address.

That is the purpose of the TPROXY kernel module. It does all the netfilter/firewall bits when instructed to by Squid.

>
> The kernel that I'm using is 3.16 and it has the nf_conntrack and xt_TPROXY
> modules insmoded. Can someone help me with this?
>

Provided you also have a recent Squid version, built with the appropriate components (netfilter and libcap2). All you should need is the configuration in section 1.3, 1.5, 1.6.1, and possibly 1.7 of that Tproxy4 wiki page.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
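The reply above points at the Tproxy4 wiki for the netfilter, policy-routing and sysctl pieces that have to be in place before the `tproxy` flag on `http_port` does anything, and warns that leftover `iptables -t nat` intercept rules break it. The script below is an added example written for this thread; it is not code from the squid-users list or from the Squid project. It assumes (constructed values) that squid.conf carries `http_port 3129 tproxy`, that intercepted traffic is TCP port 80, and that fwmark 1 and policy-routing table 100 are free; all three can be overridden through `TPROXY_PORT`, `MARK` and `TABLE`. The `IPT`, `IP` and `SYSCTL` variables exist so the commands can be previewed with `echo` instead of applied as root.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project):
# the TPROXY netfilter + policy-routing + sysctl setup that the Tproxy4
# wiki page describes, so Squid can open its upstream connection with the
# client's source address instead of its own.
# Assumptions (constructed): squid.conf has "http_port 3129 tproxy",
# intercepted traffic is TCP/80, fwmark 1, routing table 100.
# Run "./tproxy-setup.sh --apply" as root, or "--preview" to print only.

TPROXY_PORT="${TPROXY_PORT:-3129}"
MARK="${MARK:-1}"
TABLE="${TABLE:-100}"

# Mangle-table rules. Packets that already belong to a local transparent
# socket (Squid's) are marked via DIVERT; new client->server packets on
# port 80 are marked and handed to Squid's tproxy port without any
# address rewriting, which is what keeps the client IP visible to Squid.
tproxy_rules() {
    printf '%s\n' \
      "-t mangle -N DIVERT" \
      "-t mangle -A DIVERT -j MARK --set-mark $MARK" \
      "-t mangle -A DIVERT -j ACCEPT" \
      "-t mangle -A PREROUTING -p tcp -m socket -j DIVERT" \
      "-t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark $MARK/$MARK --on-port $TPROXY_PORT"
}

# Policy routing: marked packets are delivered locally even though their
# destination address is not one of this host's own addresses.
route_rules() {
    printf '%s\n' \
      "rule add fwmark $MARK lookup $TABLE" \
      "route add local 0.0.0.0/0 dev lo table $TABLE"
}

# Kernel knobs: forwarding on, reverse-path filtering off (the kernel
# would otherwise drop the spoofed-source packets Squid sends upstream).
sysctl_settings() {
    printf '%s\n' \
      "net.ipv4.ip_forward=1" \
      "net.ipv4.conf.default.rp_filter=0" \
      "net.ipv4.conf.all.rp_filter=0"
}

# Leftover NAT intercept rules break TPROXY. Feed this the output of
# "iptables -t nat -S": it prints any REDIRECT/DNAT rule and exits 1
# when none is present, so it can gate the apply step.
nat_intercept_rules() {
    grep -E -- '-j (REDIRECT|DNAT)'
}

apply_tproxy() {
    tproxy_rules | while IFS= read -r args; do
        # shellcheck disable=SC2086  # word splitting is intended here
        "${IPT:-iptables}" $args || exit 1
    done || return 1
    route_rules | while IFS= read -r args; do
        "${IP:-ip}" $args || exit 1
    done || return 1
    sysctl_settings | while IFS= read -r kv; do
        "${SYSCTL:-sysctl}" -w "$kv" || exit 1
    done
}

case "${1:-}" in
    --apply)   apply_tproxy ;;
    --preview) IPT=echo IP=echo SYSCTL=echo apply_tproxy ;;
esac
```

Before `--apply`, run `iptables -t nat -S | ./tproxy-setup.sh`-style checks with `nat_intercept_rules` and remove anything it reports, since an `intercept`-era REDIRECT rule will keep winning over the TPROXY rule. Two caveats follow from the reply: turning `rp_filter` off removes the kernel's own anti-spoofing check on this box, so the openvswitch side should only ever deliver real client traffic to it; and none of this arranges the return path, so server replies still have to be steered back through the Squid host by openvswitch or they will arrive at the client as packets for a connection it never opened.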