Re: [squid-users] Re: Three questions about Squid configuration

From: Nicol�s <nicolas_at_devels.es>
Date: Wed, 16 Jul 2014 13:53:46 +0100

El 16/07/2014 13:50, Nicol�s escribi�:
> El 16/07/2014 12:31, Amos Jeffries escribi�:
>> On 16/07/2014 9:23 a.m., Nicol�s wrote:
>>> Thanks! That would indeed cover the first issue :-) I initially used
>>> redirect because somewhere I read that it's not a good idea forwarding
>>> the traffic directly to the port where squid listens and it should be
>>> pointed to another port instead and then redirected.
>> Sounds like you read one of my explanations and did not quite get it.
>> Hope this helps clarfy:
>>
>> That is all true regarding *intercepted* port 80 traffic. The traffic
>> which is actually destined to a webserver directly.
>>
>> For traffic such as your testing with (CONNECT etc) on non-80 ports the
>> traffic is destined to a proxy. So the NAT IP addressing does not matter
>> and the security checks on the interception do more harm than good.
>>
>> This is why you should keep the ports separate. Because the traffic on
>> port 80 and the traffic destined to a proxy are quite different beasts.
>
> Ok, now it's crystal clear. However, trying to reproduce the
> configuration on the link that babajaga proposed, I get a loop on the
> squid side on any link opened from the client side. On the client
> side, I just added the OUTPUT DNAT iptables rule to make it match the
> 3128 IP and port of the remote server. On the server side there are
> not iptables rules, just the -j ACCEPT policy for the 3128 port, which
> is the intercept port.
>
> 2014/07/15 23:09:46| WARNING: Forwarding loop detected for:
> GET /favicon.ico HTTP/1.1
> Host: www.google.es
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101
> Firefox/24.0
> Accept: image/png,image/*;q=0.8,*/*;q=0.5
> Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> Cookie:
> PREF=ID=119a6e25e6eccb3b:U=95e37afd611b606e:FF=0:TM=1404500940:LM=1404513627:S=r7E-Xed2muOOp-ay;
> NID=67=M5geOtyDtp5evLidOfam1uzfhl6likehxjXo7KcamK8c5jXptfx9zJc-5L7jhvYvnfTvtXYJ3yza7cE8fRq2x0iyVEHN9Pn2hz9urrC_Qt_xNH6IQCoT-3-eXTwb2h4f;
> OGPC=5-25:
> Via: 1.1 homeSecureProxy (squid/3.3.8)
> X-Forwarded-For: 77.231.176.236
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> 1405462555.918 0 SERVER-IP TCP_MISS/403 4285 GET
> http://google.es/ - HIER_NONE/- text/html
> 1405462555.918 1 CLIENT-IP TCP_MISS/403 4404 GET
> http://google.es/ - HIER_DIRECT/CLIENT-IP text/html
>

Sorry, this last line should be:

1405462555.918 1 CLIENT-IP TCP_MISS/403 4404 GET http://google.es/
- HIER_DIRECT/SERVER-IP text/html

> I just replaced the "SERVER-IP" and "CLIENT-IP" IPs.
>
> Is there any extra rules necessary on the server side to make the
> intercept mechanism work? I tried debugging it with tcpdump but I
> can't see anything strange.
>
> Thanks.
>
>>> However, working as
>>> this, it would be enough to set a firewall policy to permit just the
>>> client range of IPs. Let's see whether I can solve the second issue
>>> too...
>>>
>> Yes, if I am understanding you that firewall policy should be needed
>> regardless of whether you are dealing with explicitly configured clients
>> or intercepting the port 80 traffic.
>>
>> Amos
>>
>
Received on Wed Jul 16 2014 - 12:53:51 MDT

This archive was generated by hypermail 2.2.0 : Wed Jul 16 2014 - 12:00:18 MDT