On 26/10/2016 7:42 p.m., Jens Offenbach wrote:
> Hi,
> I am trying to set up a transparent proxy with Squid 3.5.12 on Ubuntu Server 16.04.1, but I cannot get it working. When a client tries to connect to the web, the connection always times out.
>
> Hopefully, someone has an idea what's going on.
>
> uname -r:
> 4.4.0-45-generic
>
> sysctl:
> net.ipv4.ip_forward=1
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
>
> squid.conf:
> # ACCESS CONTROLS
> # -----------------------------------------------------------------------------
> acl localnet src 139.2.0.0/16
> acl localnet src 193.96.112.0/21
> acl localnet src 192.109.216.0/24
> acl localnet src 100.1.4.0/22
> acl localnet src 10.0.0.0/8
> acl localnet src 172.16.0.0/12
> acl localnet src 192.168.0.0/16
> acl to_localnet dst 139.2.0.0/16
> acl to_localnet dst 193.96.112.0/21
> acl to_localnet dst 192.109.216.0/24
> acl to_localnet dst 100.1.4.0/22
> acl to_localnet dst 10.0.0.0/8
> acl to_localnet dst 172.16.0.0/12
> acl to_localnet dst 192.168.0.0/16
>

Missing basic security controls to prevent this being an abused open proxy.

  http_access deny !Safe_Ports
  http_access deny CONNECT !SSL_Ports

> http_access allow manager localhost
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access allow to_localnet

Permits external visitors uncontrolled access to your LAN IP spaces. Particularly when combined with the "always_direct allow to_localnet" below. Really want that?

> http_access deny all
>
> # NETWORK OPTIONS
> # -----------------------------------------------------------------------------
> http_port 10.30.200.99:3128
> http_port 10.30.216.254:3128
> http_port 10.30.216.254:3129 tproxy
>
> # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
> # -----------------------------------------------------------------------------
> cache_peer proxy.mycompany.com parent 8080 0 no-query no-digest default
> cache_peer roxy.mycompany.com parent 8080 0 no-query no-digest

I suspect the peers are sending TCP SYN+ACK responses directly back to the client IP which Squid is spoofing. Add the option "no-tproxy" to these peer lines to avoid that.

>
> # MEMORY CACHE OPTIONS
> # -----------------------------------------------------------------------------
> maximum_object_size_in_memory 8 MB
> memory_replacement_policy heap LFUDA
> cache_mem 256 MB
>
> # DISK CACHE OPTIONS
> # -----------------------------------------------------------------------------
> maximum_object_size 10 GB
> cache_replacement_policy heap GDSF
> cache_dir ufs /var/cache/squid 88894 16 256 max-size=10737418240
>
> # LOGFILE OPTIONS
> # -----------------------------------------------------------------------------
> access_log daemon:/var/log/squid/access.log squid
> cache_store_log daemon:/var/log/squid/store.log
>

store.log is very rarely needed. You might consider removing it for some extra speed out of the proxy.

> # OPTIONS FOR TROUBLESHOOTING
> # -----------------------------------------------------------------------------
> cache_log /var/log/squid/cache.log
> coredump_dir /var/log/squid
>
> # OPTIONS FOR TUNING THE CACHE
> # -----------------------------------------------------------------------------
> cache allow all

Unnecessary default value configured.

>
> # ADMINISTRATIVE PARAMETERS
> # -----------------------------------------------------------------------------
> visible_hostname my-proxy.mycompany.com
>
> # ICP OPTIONS
> # -----------------------------------------------------------------------------
> icp_port 0
>

Unnecessary default value configured.

> # OPTIONS INFLUENCING REQUEST FORWARDING
> # -----------------------------------------------------------------------------
> always_direct allow to_localnet
> always_direct allow to_localhost
> never_direct allow all
>

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
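A small lint that checks a squid.conf for the three problems Amos raises above (missing port controls before the first allow, an allow rule keyed only on destination, and cache_peer lines without no-tproxy on a tproxy setup). This is an added example, not code from the thread or from Squid; the Safe_ports/SSL_ports ACL names and the no-tproxy peer option are Squid's own, and the two sample configs are constructed from the quoted one.

```python
"""Lint a squid.conf for the three problems raised in the reply above.
Added example, not from the thread or from Squid; ACL names are Squid's defaults."""

def lint(conf):
    acls, rules, peers, tproxy, found = {}, [], [], False, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if len(tok) > 2 and tok[0] == "acl":
            acls.setdefault(tok[1].lower(), set()).add(tok[2])   # name -> ACL types
        elif len(tok) > 2 and tok[0] == "http_access":
            rules.append((tok[1], [t.lower() for t in tok[2:]]))  # (allow|deny, terms)
        elif tok and tok[0] == "cache_peer":
            peers.append(tok)
        elif "tproxy" in tok and tok[0] == "http_port":
            tproxy = True
    # 1. Port restrictions must precede the first allow, or any port is reachable.
    n = next((i for i, (a, _) in enumerate(rules) if a == "allow"), len(rules))
    early = {t for a, terms in rules[:n] if a == "deny" for t in terms}
    found += [f"no 'http_access deny {t}' before the first allow"
              for t in ("!safe_ports", "!ssl_ports") if t not in early]
    # 2. An allow whose ACLs are all dst-type admits requests from any source.
    found += [f"'http_access allow {' '.join(t)}' is destination-only" for a, t in rules
              if a == "allow" and all(acls.get(x.lstrip("!")) == {"dst"} for x in t)]
    # 3. With a tproxy port, peers need no-tproxy or their replies bypass Squid.
    found += [f"cache_peer {p[1]} lacks no-tproxy on a tproxy setup"
              for p in peers if tproxy and "no-tproxy" not in p]
    return found

# Constructed sample, trimmed from the quoted config in the thread.
WEAK = """acl localnet src 10.0.0.0/8
acl to_localnet dst 10.0.0.0/8
http_access allow localnet
http_access allow to_localnet
http_access deny all
http_port 10.30.216.254:3129 tproxy
cache_peer proxy.mycompany.com parent 8080 0 no-query no-digest default"""

# The same sample with the reply's suggestions applied ('allow to_localnet' dropped).
FIXED = """acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 443 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_port 10.30.216.254:3129 tproxy
cache_peer proxy.mycompany.com parent 8080 0 no-query no-digest default no-tproxy"""
```

Running lint(WEAK) reports all four findings for the quoted configuration, while lint(FIXED) returns an empty list.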