Re: [squid-users] WCCP transparent proxy

From: nipun_mlist Assam <nipunmlist_at_gmail.com>
Date: Wed, 12 Oct 2011 10:03:55 +0530

This may be relevant to this question.
While trying to use squid for transparent proxy (tproxy ) on linux
(kerne 2.6.39 with centos 6.0), I noticed the following

1. Client IP spoofing doesn't work (but for our work, this requirement
was a must).
2. Squid with tproxy doesn't work with HTTPS traffic.

I made fixes for both the issues and then above problems were solved.
I made an assumption that traffic with destination port 443 will be
always used for HTTPs, and, that I used as an indication to switch
to SSL on squid side. Squid will transparently listen on two ports,
one of this port will be used for port 80 traffic and the other for
port 443 traffic.

I made the changes in squid 3.2.0.10 code base. I am wondering if
those fixes are already available somewhere.

Regards,
Nipun

On Thu, Oct 6, 2011 at 3:54 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On Wed, 5 Oct 2011 09:29:01 -0500, Ritter, Nicholas wrote:
>>
>> With current versions of TPROXY you should not do REDIRECTs. You should
>> do something like this:
>>
>> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>> -A DIVERT -j ACCEPT
>> -A PREROUTING -p tcp -m socket -j DIVERT
>> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip
>> <proxy server IP> --tproxy-mark 0x1/0x1
>>
>> Redirects will work in some cases, but should not be used with WCCP and
>> recent versions of TPROXY.
>>
>> My experience has been that doing a redirect alone will not always work
>> depending on the version of TPROXY/IPTABLES, and Cisco IOS.
>>
>> YMMV,
>>
>> Nick
>
> Right. Redirect is NAT. Which may not even be built into the kernel and can
> cause strange packet handling in TPROXY.
>
> TPROXY operates before NAT, so in the best case it will have no effect.
> Possibly it just erased the client IP address. That would cause traffic to
> return to Squid, but erase all benefits of TPROXY. There is no point in
> Squid spoofing itself as the source. Worst-case it just erased the
> destination address and Squid output packets silently drop down a black
> hole.
>
> Step (7) access-lists relies on the REDIRECT happening, as mentioned
> repeatedly in the TPROXY troubleshooting section, you MUST NOT rely on the
> Squid IP address value in WCCP and routing ACL rules. It wont exist on any
> TPROXY traffic.
>
> Amos
>
>
>> -----Original Message-----
>> From: Horacio H.
>
> <snip>
>>
>> 4) Add a redirect rule in iptables:
>>
>> � iptables -t nat -A PREROUTING -i gre1 -j REDIRECT --redirect-to
>> <squid-listening-port>
>>
>> 5) Make sure Squid was compiled with WCCP-v2 support.
>>
>> 6) WCCP-v2 squid's configuration:
>>
>> � wccp2_router <router-ip-address>
>>
>> 7) WCCP-v2 router's configuration:
>>
>> � access-list 160 deny � ip �host <squid-ip-address> any
>> � access-list 160 permit tcp <net> <wildcard> any eq 80
>>
>> � ip wccp version 2
>> � ip wccp web-cache redirect-list 160
>>
>> � interface FastEthernet0/0
>> � ip wccp web-cache redirect in
>>
>> Regards,
>> Horacio.
>
>
Received on Wed Oct 12 2011 - 04:34:03 MDT

This archive was generated by hypermail 2.2.0 : Wed Oct 12 2011 - 12:00:02 MDT