
Re: IPv6 and TPROXY


 



I got it working partially, some servers (URLs) worked, others did not ...
the non-working hosts resulted in 503 ...

as I don't have any knowledge where to look, I give up

it would have been great, if it had worked

@Amos: your question about firewall rules gave me a hint, but
I can't say why only a few servers (URLs) worked ...

Walter


On 20.08.2017 02:08, Eliezer Croitoru wrote:
You can use tproxy but you will need to somehow make it so squid will do "NAT" instead of only tproxy or to find out what is causing the issue to happen in the network layer of the connection.
It can be a simple iptables rule which blocks traffic or another issue like rp_filter.
If you are up to it I will be willing to try and set up a more advanced IPv6 setup that might help to inspect the issue.

In the meantime I am missing one piece which maybe Amos can help with:
Is it possible to use tproxy for interception but force a non-tproxy connection on the outgoing traffic?
I wrote such a proxy myself and I believe that there might be another solution too if nothing else would be found.

The other idea would be:
Use haproxy in front of the squid proxy to intercept traffic at the TCP level and somehow pass the request to squid via a proxy protocol enabled port.
I have used it in the past and it should be fine for port 80 but for 443 it's a whole other thing.

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx



-----Original Message-----
From: Walter H. [mailto:Walter.H@xxxxxxxxxxxxxxxxx]
Sent: Saturday, August 19, 2017 23:23
To: Eliezer Croitoru<eliezer@xxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  IPv6 and TPROXY

Hello,

not really, I must live with the fact, that I can't configure tproxy, as
I can't update any kernel ...

Walter

On 19.08.2017 22:09, Eliezer Croitoru wrote:
Any progress with the issue?

Eliezer


-----Original Message-----
From: Walter H. [mailto:Walter.H@xxxxxxxxxxxxxxxxx]
Sent: Sunday, August 13, 2017 21:31
To: Eliezer Croitoru<eliezer@xxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  IPv6 and TPROXY

Hello Eliezer

yes, because all my Linux systems are CentOS 6 ...

the router/firewall has a rule

-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j LOG --log-prefix "IPv6[FWD-HTTP(out)]: " --log-level 7
-A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j REJECT

any Windows host inside this ipv6prefix has a proxy configured, but for
some reason there is e.g. HTTP traffic for CRLs or OCSP
that doesn't go through the configured proxy, and is blocked ...
for this I need this TPROXY ...
(only IPv6 needs to be solved, IPv4 already runs perfectly)

Thanks,
Walter



