Re: [squid-users] HTTPS & transparent proxy

From: Henrik Nordstrom <[email protected]>
Date: Sat, 11 Mar 2006 02:00:24 +0100

fre 2006-03-10 klockan 16:54 -0800 skrev Daniel EPEE LEA:

> 1- Loaded ip_gre module in the kernel ( I didn't use ip_wccp module)

Did you also create the needed GRE tunnel on the Linux box? If not,
ip_gre won't know what to do with the received GRE packets carrying the
redirected traffic.

The purpose of this GRE tunnel is access control, authorizing the router
to send encapsulated packets via the Linux box in this manner.

> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> dpt:80 redir ports 3128

You should probably add a few rules above this accepting traffic to the
server itself. Not strictly needed, but it makes life a little saner if you
intend to run a web server there for cachemgr.cgi, proxy.pac or
whatever.

> 3- My /etc/sysctl.conf
> # Controls IP packet forwarding
> net.ipv4.ip_forward = 1

Ok.

> # Controls source route verification
> net.ipv4.conf.default.rp_filter = 0

Ok.

> I can see through tcpdump -i bond0 port 2048
> that all the http packets going outside my network are sent by the
> router to the squid server, but they are not processed by squid.
> access.log is empty.

Port 2048 is just the WCCP control channel where the proxy and router
agree on what traffic should be redirected. The actual redirection
is done using a form of GRE.

Regards
Henrik

Received on Fri Mar 10 2006 - 18:00:32 MST
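As an added illustration of the last point in Henrik's reply (example code, not from the original thread): the redirected HTTP traffic reaches the Squid box inside GRE (IP protocol 47), not on UDP port 2048, so without a GRE tunnel to decapsulate it the PREROUTING REDIRECT rule never sees a TCP packet to port 80. The packet bytes and addresses below are constructed for the example, and the WCCPv2 redirect-header layout is an assumption taken from Wireshark's GRE dissector.

```python
import socket
import struct

IPPROTO_GRE = 47
GRE_PROTO_WCCP = 0x883E  # GRE protocol type used by WCCP redirection
GRE_PROTO_IPV4 = 0x0800

# Constructed addresses (documentation ranges, not real hosts).
ROUTER, SQUID = "192.0.2.1", "192.0.2.10"
CLIENT, WEBSITE = "198.51.100.7", "203.0.113.80"

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero, it never hits a wire."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_wccp_redirect(client, site, dport=80):
    """What the router sends to Squid: outer IP / GRE / inner IP / TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = ipv4_header(client, site, socket.IPPROTO_TCP, len(tcp)) + tcp
    # WCCPv2 puts a 4-byte redirect header after GRE with its top bit set
    # (assumption taken from Wireshark's GRE dissector).
    gre = struct.pack("!HHI", 0, GRE_PROTO_WCCP, 0x80000000)
    return ipv4_header(ROUTER, SQUID, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner

def decapsulate(pkt):
    """Strip outer IP and GRE as ip_gre would; return the inner TCP flow."""
    off = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE (UDP 2048 is only WCCP control)")
    flags, proto = struct.unpack_from("!HH", pkt, off)
    off += 4
    if flags & 0x8000:  # C bit: checksum + reserved (RFC 2784)
        off += 4
    if flags & 0x2000:  # K bit: key (RFC 2890)
        off += 4
    if flags & 0x1000:  # S bit: sequence number (RFC 2890)
        off += 4
    if proto == GRE_PROTO_WCCP and pkt[off] & 0x80:
        off += 4  # skip WCCPv2 redirect header; WCCPv1 has none
    elif proto not in (GRE_PROTO_WCCP, GRE_PROTO_IPV4):
        raise ValueError("unexpected GRE payload type 0x%04x" % proto)
    inner = pkt[off:]
    iihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", inner, iihl)
    return {"outer_src": socket.inet_ntoa(pkt[12:16]), "proto": inner[9],
            "src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport}
```

Only after this decapsulation step does the kernel see a plain TCP packet to port 80 that the REDIRECT rule can match, which is why an empty access.log with traffic visible in tcpdump points at the missing tunnel rather than at Squid.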

This archive was generated by hypermail pre-2.1.9 : Sat Apr 01 2006 - 12:00:03 MST