http_port intercept: squid 3.1.20 VS 3.5.23.


Thomas Martin
Hello,

I'm having trouble making Squid 3.5.23 work the way Squid 3.1.20 does.

Here is my setup:
  <clients>    |          <router>                | <squid proxy>
  10.0.0.Y/24  | 10.0.0.254/24 <-> 10.100.0.254/24 | 10.100.0.100/24

The goal was to have the <squid proxy> act as a transparent HTTP proxy for
all <clients>; this was achieved a few years ago using Squid 3.1.20.


- <clients> have one network interface and 10.0.0.254 as their default gateway

- <router> is:
-- obviously forwarding packets,
-- owning the ADSL,
-- doing the transparent redirection of <clients> to <squid proxy> using NAT:
-A PREROUTING -s 10.100.0.100 -i dmz -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 10.0.0.Y/32 -p tcp -m state --state NEW -m tcp --dport 80 -j DNAT --to-destination 10.100.0.100:3128

- <squid proxy> has one network interface and 10.100.0.100 as default gateway.
Squid's configuration is quite simple:
http_access allow all
http_port 0.0.0.0:3128 intercept
cache_mgr ...
cache_mem ...
...


This is working perfectly fine with Squid 3.1.20.


But now that I have upgraded <squid proxy> to 3.5.23 (from Debian
Wheezy to Stretch) this is not working anymore.

The test I'm using is simple: "curl http://www.google.fr -I" from <clients>.

<clients> are getting 403 returned by <squid proxy> 3.5.23.
In Squid's logs I had: "ERROR: No forward-proxy ports configured.".
After reading Squid docs, forums, the mailing list, etc., I tried to add
another http_port:
http_access allow all
http_port 0.0.0.0:3128 intercept
http_port 0.0.0.0:8080

But it does not work either; Squid seems to loop internally, producing a lot
of access_log entries (even for a single request).


I feel like I missed something obvious; I spent quite some time trying to
understand it but had no luck.
Am I missing something?

When I was reading on the web, some users claimed that I should have
two network interfaces between <router> and <squid proxy>?
If that's true, why is it working perfectly with Squid 3.1.20?


Any clue will be appreciated.

Thanks.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: http_port intercept: squid 3.1.20 VS 3.5.23.

Antony Stone
On Wednesday 04 October 2017 at 13:30:52, Thomas Martin wrote:

> Hello,
>
> I'm having trouble to make Squid 3.5.23 work like Squid 3.1.20 does.
>
> Here is my setup:
>   <clients>    |          <router>                | <squid proxy>
>   10.0.0.Y/24  | 10.0.0.254/24 <-> 10.100.0.254/24 | 10.100.0.100/24

> - <router> is:
> -- obviously forwarding packets,
> -- owning the ADSL,
> -- doing the transparent redirection of <clients> to <squid proxy> using NAT:
> -A PREROUTING -s 10.100.0.100 -i dmz -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -s 10.0.0.Y/32 -p tcp -m state --state NEW -m tcp --dport 80 -j DNAT --to-destination 10.100.0.100:3128

That's your problem.

You're no longer allowed to do the DNAT (or REDIRECT) on anything other than
the machine running Squid itself.

See https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect and
note the emphasis "This configuration is given for use on the squid box."

See https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute 
for how to get the packets correctly from the router to the separate Squid
server.

In summary, you need to do policy routing (or any other method at your
disposal) to get the packets from the clients to be sent to the Squid server
*without* changing their destination address (so, DNAT isn't allowed), and
then on the Squid server you use REDIRECT to send them to the Squid listening
socket.


Regards,

Antony.

--
https://tools.ietf.org/html/rfc6890 - providing 16 million IPv4 addresses for
talking to yourself.

                                                   Please reply to the list;
                                                         please *don't* CC me.
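The arrangement Antony describes, written out as an added example (this is not code from the thread or from the Squid wiki pages he links): the router marks client port-80 traffic and policy-routes it to the Squid box with the destination address untouched, and the Squid box REDIRECTs it to the intercept port, where Squid can read the original destination back from the local NAT table; a DNAT on the router throws that information away before the packet ever reaches Squid. Addresses are the ones from the thread; the interface name `dmz` is taken from the post's ACCEPT rule, and the mark number, routing table number, intercept port 3129 and the `check_no_dnat_to_squid` helper are assumptions chosen for illustration. The check is fed a constructed dump made of the two DNAT lines from the original post.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project: generates the
# router-side policy-routing rules and the Squid-box REDIRECT rules that
# replace the router DNAT from the original post, and checks a rule dump
# for that DNAT. Run with --router, --squid, or --check FILE.
#
# Addresses come from the thread; FWMARK, RT_TABLE, INTERCEPT_PORT and the
# helper names are assumptions chosen for illustration.
CLIENT_NET="10.0.0.0/24"      # <clients> subnet
SQUID_IP="10.100.0.100"       # <squid proxy> address
SQUID_IF="dmz"                # router interface towards the Squid box (from the post's ACCEPT rule)
FWMARK=3                      # arbitrary firewall mark
RT_TABLE=2                    # arbitrary routing table number
INTERCEPT_PORT=3129           # assumed port for "http_port ... intercept"; 3128 stays a plain forward-proxy port

# <router>: mark client port-80 traffic and route it to the Squid box with
# its destination address untouched (no DNAT). Squid's own outbound requests
# come from SQUID_IP, which is outside CLIENT_NET, so they are never marked
# and cannot be sent back to Squid.
router_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -s ${CLIENT_NET} -p tcp --dport 80 -j MARK --set-mark ${FWMARK}
ip rule add fwmark ${FWMARK} table ${RT_TABLE}
ip route add default via ${SQUID_IP} dev ${SQUID_IF} table ${RT_TABLE}
EOF
}

# <squid proxy>: REDIRECT on the Squid box itself, so Squid can recover the
# original destination from the local NAT table. The ACCEPT is defensive and
# keeps Squid's own traffic out of the redirect.
squid_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -s ${SQUID_IP} -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port ${INTERCEPT_PORT}
EOF
}

# squid.conf fragment: one intercept port, one separate forward-proxy port.
squid_conf() {
    cat <<EOF
http_port ${INTERCEPT_PORT} intercept
http_port 3128
EOF
}

# Check an iptables-save style dump for the mistake in the original post:
# port-80 traffic DNATed to the Squid box. Returns 0 when clean, 1 when found.
# The dots in SQUID_IP act as regex wildcards here, which is fine for a sanity check.
check_no_dnat_to_squid() {
    if printf '%s\n' "$1" | grep -E -q -- "--dport 80 .*-j DNAT --to-destination ${SQUID_IP}"; then
        echo "port 80 is DNATed to ${SQUID_IP}; use policy routing on the router and REDIRECT on the Squid box" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the two NAT lines from the original post, used to exercise the check.
BAD_ROUTER_DUMP='-A PREROUTING -s 10.100.0.100 -i dmz -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 10.0.0.Y/32 -p tcp -m state --state NEW -m tcp --dport 80 -j DNAT --to-destination 10.100.0.100:3128'

case "${1:-}" in
    --router) router_rules ;;
    --squid)  squid_rules; squid_conf ;;
    --check)  check_no_dnat_to_squid "$(cat "${2:?file}")" ;;
esac
```

Running `sh policyroute.sh --check <(iptables-save -t nat)` on the router from the post reports the DNAT, while the generated router rules pass the check. The intercept port should only ever receive redirected traffic, so it is worth blocking direct client connections to it on the Squid box and keeping 3128 as the port that clients may be configured to use explicitly.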

Re: http_port intercept: squid 3.1.20 VS 3.5.23.

Thomas Martin
2017-10-04 13:41 GMT+02:00 Antony Stone <[hidden email]>:

>> - <router> is:
>> -- obviously forwarding packets,
>> -- owning the ADSL,
>> -- doing the transparent redirection of <clients> to <squid proxy> using NAT:
>> -A PREROUTING -s 10.100.0.100 -i dmz -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
>> -A PREROUTING -s 10.0.0.Y/32 -p tcp -m state --state NEW -m tcp --dport 80 -j DNAT --to-destination 10.100.0.100:3128
>
> That's your problem.
>
> You're no longer allowed to do the DNAT (or REDIRECT) on anything other than
> the machine running Squid itself.
>
> See https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect and
> note the emphasis "This configuration is given for use on the squid box."
>
> See https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
> for how to get the packets correctly from the router to the separate Squid
> server.
>
> In summary, you need to do policy routing (or any other method at your
> disposal) to get the packets from the clients to be sent to the Squid server
> *without* changing their destination address (so, DNAT isn't allowed), and
> then on the Squid server you use REDIRECT to send them to the Squid listening
> socket.
>
>
> Regards,
>
> Antony.
>

I see.
So between 3.1 and 3.5 Squid behavior changed and my DNAT is causing the loops.

I will take a closer look at these URLs.

Thanks a lot for your help and very quick answer!

Regards,
Thomas.