On Thu, Jan 19, 2017 at 2:59 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 19/01/2017 8:00 p.m., Varun Singh wrote:
>> Hi,
>> I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
>> 16.04 server and I am trying to connect both. By connect I mean, I am
>> trying to achieve the following:
>>
>> [VPN Client] <------> [VPN Server] <-> [Squid] <------> [Internet]
>>
>> My objective is to connect a VPN client to the VPN server and use Squid
>> for filtering out blocked URLs. strongSwan and Squid work fine on
>> their own. I can access the internet when connected to the VPN server and also
>> when configured with an HTTP proxy without VPN.
>>
>
> Is the VPN acting as an interface on the client machine through which
> traffic is gatewayed?
> or as a transparent tunnel to the proxy?
>
>
>> From what I understand, to achieve what I want, I am supposed to
>> redirect incoming HTTP traffic from port 80 to port using IPTables. I
>> enter the following IPTables rule:
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>
> What are the squid.conf ports configured as?
>
>> Once I do this and try to access the internet from a connected VPN client,
>> I get an error. Pasting a log of /var/log/squid/access.log
>>
>>
>
> These are explicit-proxy requests (port 3128 syntax):
>
>> 1484738365.632 0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
>> 1484738365.642 0 114.143.194.190 TCP_DENIED/403 4870 GET http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css - HIER_NONE/- text/html
>> 1484738365.643 0 114.143.194.190 TCP_DENIED/403 4852 GET http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/- text/html
>> 1484738365.731 0 114.143.194.190 TCP_DENIED/403 4753 GET http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
>> 1484738365.760 0 114.143.194.190 TCP_DENIED/403 4817 GET http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js - HIER_NONE/- text/html
>> 1484738367.798 0 114.143.194.190 TCP_DENIED/403 4066 CONNECT init.itunes.apple.com:443 - HIER_NONE/- text/html
>> 1484738367.922 0 114.143.194.190 TCP_DENIED/403 4334 GET http://www.apple.com/apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
>> 1484738367.963 0 114.143.194.190 TCP_DENIED/403 4025 CONNECT gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
>> 1484738368.036 0 114.143.194.190 TCP_DENIED/403 4298 GET http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/- text/html
> <snip>
>
>
> What you are expected to do on Debian and Ubuntu installs is set up
> the "localnet" ACL to be appropriate for your LAN. It is commented out by
> default.
> Search squid.conf for "#http_access allow localnet" and "#acl localnet"
>
> When that is done the above should work. No NAT needed.
>
>
> These are origin requests (port 80 syntax):
>
>> 1484738858.272 0 10.99.1.1 TAG_NONE/400 4154 GET /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml - HIER_NONE/- text/html
>> 1484738858.990 0 10.99.1.1 TAG_NONE/400 4004 GET /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
>> 1484738860.362 0 10.99.1.1 TAG_NONE/400 5350 GET /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1&ndh=1&t=18%2F0%2F2017%2016%3A57%3A40%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=4&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1 - HIER_NONE/- text/html
>> 1484739056.258 0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
>> 1484739056.480 0 10.99.1.1 TCP_DENIED/403 4290 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
>> 1484739057.106 0 10.99.1.1 TAG_NONE/400 3994 GET /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
> <snip>
>
> Notice how both those sets of requests are reaching your proxy properly.
> The VPN is still working just fine.
>
>>
>>
>> My /etc/squid/squid.conf file has only one change and that is:
>> http_access allow all
>>
>
> Where? Order and position are important.
>
>
> You have not added the squid.conf line required for Squid to receive the
> iptables packets from NAT.
> <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

Thanks. Doing the following solved the problem:

"You have not added the squid.conf line required for Squid to receive the
iptables packets from NAT."

I think that is why Squid was not able to infer the packets received on port 3128.

--
Regards,
Varun
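The two request syntaxes Amos tells apart by eye above (explicit-proxy form on port 3128 versus origin form arriving via NAT) can be separated mechanically. The script below is an added example, not code from the thread or from the Squid project: it parses native-format access.log lines and flags origin-form requests answered with 400 (NAT-redirected traffic hitting a port without the intercept flag) and explicit requests that the http_access rules denied. The log lines are constructed from the thread's format, and the field names and verdict labels are my own.

```python
import re

# Constructed sample lines in Squid's native access.log format, modelled on the thread.
SAMPLE_LOG = """\
1484738365.632 0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
1484738365.642 0 114.143.194.190 TCP_DENIED/403 4870 GET http://www.apple.com/ac/globalnav.css - HIER_NONE/- text/html
1484738858.272 0 10.99.1.1 TAG_NONE/400 4154 GET /assets/SafariCloudHistoryConfiguration.xml - HIER_NONE/- text/html
1484739056.258 0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739100.000 12 10.99.1.1 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
"""

ABSOLUTE_URI = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def parse_line(line):
    """Native format: time elapsed client code/status bytes method url ident hier/peer type."""
    fields = line.split()
    if len(fields) < 10:
        return None
    code, _, status = fields[3].partition("/")
    return {"client": fields[2], "result": code, "status": int(status),
            "method": fields[5], "url": fields[6]}

def request_form(method, url):
    """'explicit' = proxy syntax (CONNECT host:port or absolute URI), 'origin' = path only."""
    if method == "CONNECT" or ABSOLUTE_URI.match(url):
        return "explicit"
    return "origin" if url.startswith("/") else "unknown"

def diagnose(entry):
    """Map one entry to the misconfiguration it points at, following the thread's reasoning."""
    form = request_form(entry["method"], entry["url"])
    if form == "origin" and entry["status"] == 400:
        return "needs_intercept"  # NAT-redirected traffic hit a plain http_port; it needs 'intercept'
    if form == "explicit" and entry["result"] == "TCP_DENIED":
        return "acl_denied"       # explicit request refused: check http_access order / localnet ACL
    return "ok"

def summarize(log_text):
    """Count verdicts per client so a misconfigured port or ACL stands out at a glance."""
    summary = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        per_client = summary.setdefault(entry["client"], {})
        verdict = diagnose(entry)
        per_client[verdict] = per_client.get(verdict, 0) + 1
    return summary
```

Run it as `python3 -c "import squidlog; print(squidlog.summarize(open('/var/log/squid/access.log').read()))"` (module name assumed) to see, per client address, whether requests are failing on the port mode or on the ACLs.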