Squid tproxy net unreachable

Abi Askushi
Hi,

I have set up squid (v 3.1.20) with tproxy and the relevant iptables and policy routes. It is functioning ok except for one thing: squid is not able to redirect to the deny page (located on the same device) and it gives the error "101 network unreachable". I have squidguard in the setup as a helper program and squidguard is doing the redirection to a page on localhost. With squid in intercept mode this redirection to the deny page is ok. I have also disabled rpfilter in the kernel. I may provide more details on the configs if needed.

Did anyone encounter this? Any ideas?

Thanks,
Alex


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid tproxy net unreachable

Amos Jeffries
Administrator
On 14/05/17 01:59, Abi Askushi wrote:

> Hi,
>
> I have set up squid (v 3.1.20) with tproxy and the relevant iptables and
> policy routes. It is functioning ok except for one thing: squid is not
> able to redirect to the deny page (located on the same device) and it gives
> the error "101 network unreachable". I have squidguard in the setup as a
> helper program and squidguard is doing the redirection to a page on
> localhost. With squid in intercept mode this redirection to the deny page
> is ok. I have also disabled rpfilter in the kernel. I may provide more
> details on the configs if needed.
>
> Did anyone encounter this? Any ideas?
>

It is not possible to use a global IP address (e.g. the spoofed client IP)
to connect to any machine's lo (localhost) interface.

So Squid is not able to perform TPROXY spoofing to fetch the page your
SG is *re-writing* (not redirecting) the URL to. If you actually are
redirecting then the client cannot connect to the web server running in
*its* localhost interface.


PS. please upgrade, no up to date OS releases I'm aware of still ship
Squid-3.1.

Amos


Re: Squid tproxy net unreachable

Abi Askushi
Thank you Amos.

I have the following at squidguard:

    default {
        pass     !porn !adv !drugs !custom any
        redirect http://localhost:10080/error.php
    }

When squid is in intercept mode the user is "redirected" to the error page. I'm not sure if squidguard is rewriting or redirecting.
With squid in tproxy mode the user gets the squid error page "The Requested URL cannot be retrieved: network unreachable 101 ... "

I did replace this squid error page with my custom one and it can be displayed to the user, though this means that I will not be able to discern connection errors from deny errors.
I would prefer not to do this dirty trick and to have a cleaner approach.
Attempts to resolve it through routing table hacks were not successful either.

On Sun, May 14, 2017 at 3:16 PM, Amos Jeffries <[hidden email]> wrote:
> [...]

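The distinction Amos draws (a helper that returns a bare URL makes Squid fetch that URL itself, which under TPROXY is attempted with the spoofed client source address and so cannot reach the proxy's lo; a helper that returns "302:URL" makes Squid answer the client with an HTTP redirect, so the address must be reachable from the client, and the client's own localhost will not do) is easiest to see in the url_rewrite helper protocol itself. The following is an added example, not code from this thread, from Squid or from squidGuard: a minimal url_rewrite_program helper speaking the Squid 3.1-era line protocol, with a constructed blocklist standing in for squidGuard's lists. The proxy LAN address 192.0.2.10, the error-page port 10080 and the blocked hostnames are assumptions for illustration; replace them with an address the client can actually route to.

```python
#!/usr/bin/env python3
"""Minimal Squid url_rewrite_program helper (Squid 3.1-style line protocol).

Added example, not code from the mailing-list thread, Squid or squidGuard.
It contrasts the two answers a helper can give Squid for a denied URL:

  "<url>"      rewrite: Squid fetches <url> on the client's behalf (what a
               plain `redirect http://...` rule in squidGuard amounts to);
               under TPROXY that fetch carries the spoofed client address
               and cannot reach the proxy's loopback interface
  "302:<url>"  redirect: Squid sends the client an HTTP 302 to <url>, so
               the client itself must be able to reach that address

The blocklist, the proxy LAN address 192.0.2.10 and port 10080 are
illustrative assumptions, not values from the thread.
"""
import sys
from urllib.parse import urlsplit

# Constructed blocklist standing in for squidGuard's porn/adv/drugs/custom lists.
BLOCKED_HOSTS = {"ads.example.net", "blocked.example.com"}

# Assumed address of the proxy that clients can route to. "localhost" here
# would mean the client's own loopback after a 302, and the proxy's loopback
# cannot be reached with a spoofed TPROXY source address after a rewrite.
DENY_PAGE = "http://192.0.2.10:10080/error.php"


def parse_request_line(line):
    """Split one helper input line: 'URL client_ip/fqdn ident method ...'.

    Squid 3.x helpers receive at least these four whitespace-separated
    fields; trailing key=value pairs are ignored here. With
    url_rewrite_concurrency > 0 a channel ID precedes the URL; this helper
    assumes the default concurrency of 0.
    """
    parts = line.strip().split()
    if len(parts) < 4:
        raise ValueError("malformed helper input: %r" % line)
    url, client, ident, method = parts[:4]
    client_ip = client.split("/", 1)[0]
    return {"url": url, "client_ip": client_ip, "ident": ident, "method": method}


def hostname_of(url):
    """Host part of the request URL, lowercased, without port.

    CONNECT requests arrive as bare 'host:port'; prepend '//' so urlsplit
    does not mistake the hostname for a URL scheme.
    """
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def decide(url, blocked_hosts=BLOCKED_HOSTS, deny_page=DENY_PAGE, redirect=True):
    """Return the answer line Squid expects for this URL.

    An empty line tells Squid 3.1 to leave the URL unchanged.
    """
    if hostname_of(url) not in blocked_hosts:
        return ""
    return ("302:" + deny_page) if redirect else deny_page


def main():
    # Squid keeps the helper running and writes one request per line to stdin.
    for line in sys.stdin:
        try:
            answer = decide(parse_request_line(line)["url"])
        except ValueError:
            answer = ""          # on garbage input, pass the request through
        sys.stdout.write(answer + "\n")
        sys.stdout.flush()       # Squid waits for each reply; never buffer


if __name__ == "__main__":
    main()
```

Wired in with `url_rewrite_program /path/to/helper.py`, a denied request gets a 302 to the proxy's routable address instead of a rewrite to localhost, which is what the "101 network unreachable" in tproxy mode was tripping over. Recent squidGuard versions accept the same `302:` prefix in their `redirect` statement; check that your build honours it before relying on it. Note that returning the bare URL (`redirect=False`) reproduces the rewrite behaviour from the thread.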