
Problems with Squid as a transparent proxy

raab

Newbie
Hello,

From now on Squid is to be used here as a transparent proxy. Client requests are forwarded to the Squid box by policy-based routing.
Squid is configured as a transparent proxy:
Code:
http_port 3128 transparent

The ports are rewritten as follows:
Code:
iptables -t nat -A PREROUTING -s "IP-Squid" -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

Problem: the requests Squid sends out now also go to port 3128.

From the log:
192.168.13.101 TCP_MISS/503 1479 GET http://www.XXYY:3128/ - DIRECT/IPXXYY text/html


Running iptables -L -t nat gives:
Code:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.13.245 anywhere tcp dpt:http
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



Can anyone tell me where the mistake is?

Regards,
Joachim Raab
 

Stefan Staeglich

Advanced Hacker
So Squid forwards requests to port 3128, so that it tries to deliver e.g. www.google.de:3128? The cause is then probably the missing interface specification.

Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

You have to use the -i option to specify the network interface that serves the LAN.
 

raab

Newbie
Thanks a lot for your quick reply.
The behaviour is the same, though, even with the -i eth0 addition.

Do you have another idea by any chance?

Regards,
Joachim
 

raab

Newbie
So eth0 is correct.

We use Squid 2.6 / 3.
There, transparent mode is set with the entry
Code:
http_port 3128 transparent
and everything else is dropped.

The iptables rule is
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

The log shows the following
Code:
1210339701.020 614 192.168.13.101 TCP_MISS/503 1477 GET http://www.ard.de:3128/ - DIRECT/212.23.33.7 text/html
1210339754.102 180026 192.168.13.101 TCP_MISS/504 1478 GET http://www.n-tv.de:3128/ - DIRECT/217.27.2.150 text/html

I just can't get any further.
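The two log lines above show the symptom precisely: the requested URL has been rebuilt from the Host header plus the port on which Squid accepted the connection (3128), instead of the client's original destination port 80. On Linux, Squid recovers the original port from the netfilter NAT table; when that lookup is unavailable the listening port is used as a fallback, which is what produces the http://host:3128/ form (that interpretation is the assumption behind this example, not a statement from the thread). Below is an added example, not code from the thread, that parses Squid's native "squid" logformat and flags exactly those entries, so the problem can be spotted and counted in access.log rather than noticed by chance. It assumes http_port 3128; the third log line is constructed for contrast.

```python
"""Flag access.log entries whose destination port is the proxy's own listening port.

Added example (not code from the thread): parses Squid's native "squid" logformat
and reports requests whose URL carries the http_port port.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

PROXY_PORT = 3128  # assumption: the http_port from the posted configuration

# Native squid logformat:
# time.ms elapsed client result/status bytes method URL ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Two lines quoted from the thread plus one constructed healthy line for contrast.
SAMPLE_LOG = [
    "1210339701.020 614 192.168.13.101 TCP_MISS/503 1477 GET http://www.ard.de:3128/ - DIRECT/212.23.33.7 text/html",
    "1210339754.102 180026 192.168.13.101 TCP_MISS/504 1478 GET http://www.n-tv.de:3128/ - DIRECT/217.27.2.150 text/html",
    "1210339800.500 120 192.168.13.102 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/192.0.2.10 text/html",  # constructed
]


def parse_line(line):
    """Return a dict for one log line, or None when it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    parts = urlsplit(entry["url"])
    # hostname/port are None for URLs without a netloc (e.g. CONNECT host:port lines);
    # a malformed port string would raise, so treat it as "no usable port".
    entry["host"] = parts.hostname
    try:
        entry["port"] = parts.port  # None when the URL has no explicit port
    except ValueError:
        entry["port"] = None
    return entry


def find_selfport_requests(lines, proxy_port=PROXY_PORT):
    """Entries whose explicit URL port equals the proxy's own listening port."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and entry["port"] == proxy_port:
            hits.append(entry)
    return hits


def summarize(lines, proxy_port=PROXY_PORT):
    """The counts a practitioner looks at first: how many requests show the symptom,
    which HTTP statuses they produced, and which clients were affected."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    hits = find_selfport_requests(lines, proxy_port)
    return {
        "total": len(entries),
        "selfport": len(hits),
        "selfport_statuses": Counter(e["status"] for e in hits),
        "selfport_clients": sorted({e["client"] for e in hits}),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['selfport']} of {report['total']} requests carry :{PROXY_PORT} in the URL")
    for entry in find_selfport_requests(SAMPLE_LOG):
        print(f"  {entry['client']} {entry['status']} {entry['url']}")
```

Run against a real access.log (one line per list element) the same way; a non-zero "selfport" count on an interception port means the original destination is not being recovered, and the 503/504 statuses are the consequence, not the cause.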
 

raab

Newbie
Code:
# WELCOME TO SQUID 2.6.STABLE2
# ----------------------------

# NETWORK OPTIONS
# -----------------------------------------------------------------------------


http_port 3128 transparent
icp_port 3130
udp_incoming_address 0.0.0.0
udp_outgoing_address 255.255.255.255
# TAG: no cache
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy lru
memory_replacement_policy lru
cache_dir ufs /usr/local/squid/var/cache 100 16 256
access_log /usr/local/squid/var/logs/access.log squid
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
emulate_httpd_log off
log_ip_on_direct on
mime_table /usr/local/squid/etc/mime.conf
log_mime_hdrs off
pid_filename /usr/local/squid/var/logs/squid.pid
debug_options ALL,1
log_fqdn off
client_netmask 255.255.255.255
# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
ftp_user Squid@
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on
dns_retransmit_interval 5 seconds
dns_timeout 2 minutes
dns_defnames off
dns_nameservers 192.168.13.100
hosts_file /etc/hosts
unlinkd_program /usr/local/squid/libexec/unlinkd
# TAG: auth_param
# OPTIONS FOR TUNING THE CACHE
wais_relay_port 0
request_header_max_size 20 KB
request_body_max_size 0 KB

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95

# TAG: read_ahead_gap buffer-size
# The amount of data the cache will buffer ahead of what has been
# sent to the client when retrieving an object from another server.
#
#Default:
# read_ahead_gap 16 KB
negative_ttl 5 minutes
positive_dns_ttl 6 hours
negative_dns_ttl 1 minute
range_offset_limit 0 KB

# TAG: collapsed_forwarding (on|off)
# This option enables multiple requests for the same URI to be
# processed as one request. Normally disabled to avoid increased
# latency on dynamic content, but there can be benefit from enabling
# this in accelerator setups where the web servers are the bottleneck
# and reliable and returns mostly cacheable information.
#
#Default:
# collapsed_forwarding off

# TAG: refresh_stale_hit (time)
# This option changes the refresh algorithm to allow concurrent
# requests while an object is being refreshed to be processed as
# cache hits if the object expired less than X seconds ago. Default
# is 0 to disable this feature. This option is mostly interesting
# in accelerator setups where a few objects is accessed very
# frequently.
#
#Default:
# refresh_stale_hit 0 seconds


# TIMEOUTS
forward_timeout 4 minutes
connect_timeout 1 minute
peer_connect_timeout 30 seconds
read_timeout 15 minutes
request_timeout 5 minutes
persistent_request_timeout 1 minute
client_lifetime 1 day
half_closed_clients on
pconn_timeout 120 seconds
ident_timeout 10 seconds
shutdown_lifetime 30 seconds
# ACCESS CONTROLS
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# TAG: http_access

#Recommended minimum configuration:

http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost


# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENT

acl port80 port 80
acl port443 port 443
acl port21 port 21

acl gruppe1 arp "/usr/local/squid/etc/gruppe1.txt" # Internet
acl our_network src 192.168.13.0/24 # DE Cafe

acl verboten url_regex -i "/usr/local/squid/etc/verboten.txt" # specifically forbidden
# acl erlaubt url_regex -i "/usr/local/squid/etc/erlaubt.txt" # specifically allowed
# acl ausnahme url_regex -i "/usr/local/squid/etc/ausnahme.txt" # exception to verboten

http_access allow our_network
http_access deny !gruppe1
http_access deny verboten
http_access allow gruppe1
http_access allow our_network port443
http_access allow our_network port80


# And finally deny all other access to this proxy
http_access deny all
http_reply_access allow all
#
#Recommended minimum configuration:
#
# Insert your own rules here.
#
#
# and finally allow by default
http_reply_access allow all
#icp_access deny all
icp_access allow all
miss_access allow all
ident_lookup_access deny all
reply_header_max_size 20 KB
reply_body_max_size 0 allow all
log_access allow all

# ADMINISTRATIVE PARAMETERS
visible_hostname squid.cafe
cache_mgr x@y.de
mail_program mail
cache_effective_user squid
cache_effective_group squid

# TAG: httpd_suppress_version_string on|off
# Suppress Squid version string info in HTTP headers and HTML error pages.
#
#Default:
# httpd_suppress_version_string off
umask 027
# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# HTTPD-ACCELERATOR OPTIONS
httpd_accel_no_pmtu_disc off

dns_testnames microsoft.com
logfile_rotate 14
tcp_recv_bufsize 0 bytes
memory_pools on
memory_pools_limit 5 MB
forwarded_for on
log_icp_queries on
icp_hit_stale off
minimum_direct_hops 4
minimum_direct_rtt 400
store_avg_object_size 13 KB
store_objects_per_bucket 20
client_db on
netdb_low 900
netdb_high 1000
netdb_ping_period 5 minutes
query_icmp off
test_reachability off
buffered_logs off
reload_into_ims off
icon_directory /usr/local/squid/share/icons
global_internal_static on
short_icon_urls off
error_directory /usr/local/squid/share/errors/German
maximum_single_addr_tries 1
retry_on_error off
# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
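One thing in the posted configuration is worth checking independently of the interception problem: Squid evaluates http_access lines top to bottom and the first line whose ACL terms all match decides; when no line matches, the default is the opposite of the last line's action. With "http_access allow our_network" as the first line, a client in 192.168.13.0/24 is allowed before "deny !gruppe1" and "deny verboten" are ever consulted. The following is an added example, not code from the thread or from Squid, that simulates that first-match evaluation for the posted ACL set; the regex and MAC address are constructed stand-ins for the contents of verboten.txt and gruppe1.txt, which are not on the page.

```python
"""Simulate Squid's first-match http_access evaluation for the posted ACL order.

Added example, not code from the thread or from Squid: lines are checked top to
bottom, the first line whose terms all match decides, and when no line matches
the default is the opposite of the last line's action.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# ACL definitions mirroring the posted squid.conf. The regex and the MAC are
# constructed stand-ins for verboten.txt and gruppe1.txt (not on the page).
ACLS = {
    "all":         ("src", ["0.0.0.0/0"]),
    "our_network": ("src", ["192.168.13.0/24"]),
    "port80":      ("port", [80]),
    "port443":     ("port", [443]),
    "verboten":    ("url_regex", [r"badsite\.example"]),
    "gruppe1":     ("arp", ["00:11:22:33:44:55"]),
}

# http_access lines in the order they appear in the posted configuration.
POSTED_ORDER = [
    ("allow", ["our_network"]),
    ("deny", ["!gruppe1"]),
    ("deny", ["verboten"]),
    ("allow", ["gruppe1"]),
    ("allow", ["our_network", "port443"]),
    ("allow", ["our_network", "port80"]),
    ("deny", ["all"]),
]

# The same lines with the two deny lines moved ahead of the blanket allow.
REORDERED = [POSTED_ORDER[1], POSTED_ORDER[2], POSTED_ORDER[0]] + POSTED_ORDER[3:]


def make_request(src, url, mac=None):
    """Constructed request: client IP, URL, destination port and (optional) client MAC."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {"src": src, "url": url, "port": port, "mac": mac}


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return req["port"] in values
    if kind == "url_regex":
        return any(re.search(v, req["url"], re.IGNORECASE) for v in values)
    if kind == "arp":
        mac = (req.get("mac") or "").lower()
        return mac in [v.lower() for v in values]
    raise ValueError(f"unsupported acl type {kind}")


def term_matches(term, req):
    # A leading "!" negates the ACL, as in squid.conf.
    if term.startswith("!"):
        return not acl_matches(term[1:], req)
    return acl_matches(term, req)


def evaluate(rules, req):
    """Return (action, index) of the first matching line, or the default when none match."""
    for index, (action, terms) in enumerate(rules):
        if all(term_matches(t, req) for t in terms):
            return action, index
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), None


def never_selected(rules, requests):
    """Indices of lines that decide none of the given requests: candidates for shadowed rules."""
    used = {evaluate(rules, r)[1] for r in requests}
    return sorted(i for i in range(len(rules)) if i not in used)


if __name__ == "__main__":
    lan_to_blocked = make_request("192.168.13.101", "http://badsite.example/", "00:11:22:33:44:55")
    lan_unknown_mac = make_request("192.168.13.102", "http://www.example.org/")
    print("posted order:", evaluate(POSTED_ORDER, lan_to_blocked), evaluate(POSTED_ORDER, lan_unknown_mac))
    print("reordered:   ", evaluate(REORDERED, lan_to_blocked), evaluate(REORDERED, lan_unknown_mac))
```

In the posted order both sample LAN requests are allowed by line 0, including the one to a "verboten" URL and the one from a MAC not in gruppe1; with the deny lines moved up, the same requests are denied by the line that was meant to catch them. One further caveat on the arp ACL: Squid can only read a client's MAC address when the client is on a directly attached subnet, so for clients that reach the proxy through a router the gruppe1 ACL never matches.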
 

Stefan Staeglich

Advanced Hacker
I didn't know that option at all. But as it seems it should actually be sufficient. Still, put this stuff in:
Code:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

And then better remove the transparent suffix.
 

raab

Newbie
Hello,

as expected, it doesn't even accept the 4 entries ("unrecognized").
Does anyone else have an idea?
Does Squid perhaps have to be compiled with a special extension?
 