
Re: Need help to solve problem with Squid 3.5.26 SSL Bump setting & iptables rules

Dear Eliezer

I had created a new iptables configuration and it works fine for an hour (attached),

both for transparent proxy clients and for clients with proxy settings accessing the internet through squid,

but after every hour the service crashes or becomes unstable, and I need to restart the squid and iptables services for it to work.

I found the following errors in access.log when the service gets disturbed. I don't know the reason, what this traffic is about, or how to resolve it. When we restart the server, the services start fine again and the internet works.

1502858587.658 114260 192.168.2.162 TAG_NONE/503 0 CONNECT dc.services.visualstudio.com:443 - HIER_NONE/- -
1502858587.658 114260 192.168.2.162 TAG_NONE/503 0 CONNECT dc.services.visualstudio.com:443 - HIER_NONE/- -
1502858587.658 114258 192.168.5.1 TAG_NONE/503 0 CONNECT update.googleapis.com:443 - HIER_NONE/- -
1502858587.658 114252 192.168.2.125 TAG_NONE/503 0 CONNECT update.googleapis.com:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT en.wikibooks.org:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT en.wikibooks.org:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT en.wikibooks.org:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT en.wikibooks.org:443 - HIER_NONE/-



On Tue, Aug 1, 2017 at 5:17 PM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
Hey,

The iptables rules don't make any sense:
IPTABLES SETTING

# Generated by iptables-save v1.4.7 on Mon Jul 31 05:43:29 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8330155:414444635]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A INPUT -j DROP
COMMIT
# Completed on Mon Jul 31 05:43:29 2017

There is no PREROUTING in the filter table...
Take a peek at:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect#iptables_configuration

and I also suggest you use intercept ports such as:
13128 (for http, port 80)
13129 (for https, port 443)

And not port 3130.

Let me know if it helps with something.

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx


From: squid-users [mailto:squid-users-bounces@lists.squid-cache.org] On Behalf Of Arsalan Hussain
Sent: Tuesday, August 1, 2017 12:45
To: squid-users@lists.squid-cache.org
Subject: Need help to solve problem with Squid 3.5.26 SSL Bump setting & iptables rules

Dear all,
I have configured Squid 3.5.26 SSL Bump on CentOS 6.2 to share internet, with delay pools to control bandwidth (my configuration files attached).

This is the problem I am facing; I do not understand the issue.

1- Clients who send requests with the proxy setting are working fine with this directive: http_port 3128
 - Delay pools are working fine; internet browsing for all clients using the proxy is working.

2- When transparent proxy clients send HTTP requests via iptables ... REDIRECT:
http_port 3129 intercept
OR
when transparent proxy clients send HTTPS requests via iptables ... REDIRECT:
https_port 3130 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.pem
I observed the problem in both cases: when clients send requests through iptables, the Squid service fails. When I stop iptables and start squid, it starts working.
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130

3- My objectives for setting up squid:
     *  Internet sharing to clients with proxy settings configured.
     *  Internet sharing to transparent proxy clients (those requests directed to the server by ip route 0.0.0.0 0.0.0.0 Proxy-IP from the Cisco network, for HTTP and HTTPS requests, without configuring proxy settings (coming from wireless)).
     *  Delay pools for both HTTP and HTTPS browsing, for proxy & transparent clients.


Kindly, could somebody help me fix my problems and share any setting which works. I had added the SSL Bump certificate because the service was crashing again and again without any reason after a few days, or sometimes on the same day.



--
With Regards,

Arsalan Hussain
If you don't fight for what you want, don't cry for what you lose.




--
With Regards,


Arsalan Hussain
Assistant Director, Networks & Information System

PRESTON UNIVERSITY
Add: Plot: 85, Street No: 3, Sector H-8/1, Islamabad, Pakistan
Cell: +92-322-5018611
UAN: (51) 111-707-808 (Ext: 443)

Don't expect to see a change if you don't make one.
# Generated by iptables-save v1.4.7 on Mon Apr 10 06:06:53 2017
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
# Completed on Mon Apr 10 06:06:53 2017
# Generated by iptables-save v1.4.7 on Mon Apr 10 06:06:53 2017
*nat
:PREROUTING ACCEPT [96:4818]
:POSTROUTING ACCEPT [1:108]
:OUTPUT ACCEPT [1:108]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.12:3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 10 06:06:53 2017
# Generated by iptables-save v1.4.7 on Mon Apr 10 06:06:53 2017
*mangle
:PREROUTING ACCEPT [169:10596]
:INPUT ACCEPT [164:10396]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [138:8328]
:POSTROUTING ACCEPT [138:8328]
COMMIT
# Completed on Mon Apr 10 06:06:53 2017

Attachment: Iptables rule new.png
Description: PNG image
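As an added example (not part of this thread or of Squid), a small shell checker that scans an iptables-save dump for the mistake Eliezer points out: PREROUTING/POSTROUTING rules or REDIRECT/DNAT/MASQUERADE targets written under *filter instead of *nat. Both dumps embedded in it are constructed for the example, and the function names are hypothetical.

```shell
# Added example: find nat-only rules placed in the wrong iptables table.
# The filter table only has INPUT/FORWARD/OUTPUT; REDIRECT/DNAT/MASQUERADE are
# nat targets, so misplaced rules fail to load or never intercept anything.

# Constructed dump that reproduces the first message's layout: PREROUTING
# REDIRECT rules under *filter, so the intercept ports never see traffic.
BROKEN_DUMP=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A INPUT -j DROP
COMMIT
EOF
)

# Constructed dump with the same two redirects where they belong (*nat).
FIXED_DUMP=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
COMMIT
EOF
)

# Reads an iptables-save dump on stdin; prints each misplaced rule with its table.
misplaced_nat_rules() {
    awk '
        /^\*/     { table = substr($0, 2); next }   # *filter / *nat / *mangle
        /^COMMIT/ { table = ""; next }
        /^-A / {
            bad = 0
            if (table == "filter" && ($2 == "PREROUTING" || $2 == "POSTROUTING")) bad = 1
            if (table != "nat" && $0 ~ /-j (REDIRECT|DNAT|MASQUERADE)( |$)/) bad = 1
            if (bad) print "[" table "] " $0
        }'
}

# Number of misplaced rules in the dump text passed as the first argument.
count_misplaced() {
    printf '%s\n' "$1" | misplaced_nat_rules | wc -l | tr -d ' '
}
```

Run it against the real output of `iptables-save` with `iptables-save | misplaced_nat_rules`; an empty result means every nat-type rule sits in the nat table.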

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
