Here is a message and a patch from a discussion I had with Adrian Chadd
<adrian@squid-cache.org> about Linux 2.4 Transparent Proxy support. Any
feedback would be appreciated.
On Thu, 23 Nov 2000, Adrian Chadd wrote:
> Is this a non-modified squid source? If it is, I can bounce this to
> the squid-dev list and get someone to look at it.
I'm a moron. The DNS lookup was failing because I had the following lines
in my squid.conf, from the Squid FAQ:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
There is one other VERY important line:
httpd_accel_single_host off
Of course Squid was trying to rewrite any transparent proxy request to the
host "virtual". I feel stupid now. Can this be changed in the
FAQ/documentation somewhere? However, transparent proxying will only work
out of the box under Linux 2.4 with a Host header. To support clients that
do not provide it, you will need my attached patch.
About the patch:
- The change is made in client_side.c so the extra system call (getsockopt)
is only made if it is needed. The alternative is to change conn_accept and
make the extra system call on every request.
- I made the required changes to configure.in and include/autoconf.h.in to
implement the --enable-linux-netfilter command line switch. I think that
the test in configure.in should probably enable this option automatically
if it finds the required header file (linux/netfilter_ipv4.h), so that
anyone compiling Squid on Linux 2.4 (or with the Linux 2.4 kernel headers)
automatically gets a working transparent proxy. It should probably also
print a warning if it is being configured on Linux 2.4 without that header.
Unfortunately, I don't know enough about automake to do it.
Here is the patch:
diff -ur --minimal squid-2.4.DEVEL4.orig/configure.in
squid-2.4.DEVEL4/configure.in
--- squid-2.4.DEVEL4.orig/configure.in Tue Jul 18 02:16:19 2000
+++ squid-2.4.DEVEL4/configure.in Thu Nov 23 11:55:15 2000
@@ -584,6 +584,17 @@
fi
])
+dnl Enable Linux Netfilter (2.4) Transparent Proxy
+AC_ARG_ENABLE(linux-netfilter,
+[ --enable-linux-netfilter
+ Enable Transparent Proxy support for Linux
2.4.],
+[ if test "$enableval" = "yes" ; then
+ echo "Linux-Netfilter Transparent Proxy enabled"
+ AC_DEFINE(LINUX_NETFILTER)
+ LINUX_NETFILTER="yes"
+ fi
+])
+
dnl Enable Leak Finding Functions
AC_ARG_ENABLE(leakfinder,
[ --enable-leakfinder
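Review bot: The `AC_DEFINE(LINUX_NETFILTER)` at the `if test "$enableval"` branch defines the symbol as soon as the switch is given, before the header test in the hunk at `@@ -1255` has run, and that later hunk defines the same symbol again with an explicit 0 or 1. autoconf.h.in carries a single `#undef LINUX_NETFILTER`, and with two AC_DEFINEs for one symbol it is not obvious which value config.status substitutes; if the first one wins, a build configured with the switch but without linux/netfilter_ipv4.h would still compile the `#include <linux/netfilter_ipv4.h>` in client_side.c and fail there instead of at configure time. Dropping the AC_DEFINE from this branch and keeping only `LINUX_NETFILTER="yes"` leaves the decision to the header check, which already sets both values.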
@@ -798,6 +809,7 @@
ip_nat.h \
libc.h \
limits.h \
+ linux/netfilter_ipv4.h \
malloc.h \
math.h \
memory.h \
@@ -1255,6 +1267,26 @@
if test "$IPF_TRANSPARENT" = "no" ; then
echo "WARNING: Cannot find necessary IP-Filter header files"
echo " Transparent Proxy support WILL NOT be enabled"
+ sleep 10
+fi
+
+dnl Linux-Netfilter support requires Linux 2.4 kernel header files.
+dnl Shamelessly copied from above
+if test "$LINUX_NETFILTER" ; then
+ AC_MSG_CHECKING(if Linux 2.4 kernel header files are installed)
+ # hold on to your hats...
+ if test "$ac_cv_header_linux_netfilter_ipv4_h" = "yes"; then
+ LINUX_NETFILTER="yes"
+ AC_DEFINE(LINUX_NETFILTER, 1)
+ else
+ LINUX_NETFILTER="no"
+ AC_DEFINE(LINUX_NETFILTER, 0)
+ fi
+ AC_MSG_RESULT($LINUX_NETFILTER)
+fi
+if test "$LINUX_NETFILTER" = "no" ; then
+ echo "WARNING: Cannot find necessary Linux 2.4 kernel header files"
+ echo " Linux 2.4 Transparent Proxy support WILL NOT be
enabled"
sleep 10
fi
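Review bot: The `+ sleep 10` at the top of this hunk is inserted into the pre-existing IP-Filter warning block, not into the new netfilter code, so it changes the behaviour of an unrelated feature and is easy to miss in a patch described as adding `--enable-linux-netfilter`; it should be a separate change if it is wanted at all. The netfilter block itself only runs when the switch was given, so an untouched configure is unaffected, which is good. The placeholder comments `dnl Shamelessly copied from above` and `# hold on to your hats...` would be more useful as one line stating the intent, e.g. `dnl Confirm the header found by AC_CHECK_HEADERS before enabling the feature`.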
diff -ur --minimal squid-2.4.DEVEL4.orig/include/autoconf.h.in
squid-2.4.DEVEL4/include/autoconf.h.in
--- squid-2.4.DEVEL4.orig/include/autoconf.h.in Tue Jul 18 02:16:39 2000
+++ squid-2.4.DEVEL4/include/autoconf.h.in Thu Nov 23 11:54:41 2000
@@ -229,6 +229,11 @@
#undef IPF_TRANSPARENT
/*
+ * Enable support for Transparent Proxy on Linux 2.4 systems
+ */
+#undef LINUX_NETFILTER
+
+/*
* Enable code for assiting in finding memory leaks. Hacker stuff only.
*/
#undef USE_LEAKFINDER
Only in squid-2.4.DEVEL4: index.html
Only in squid-2.4.DEVEL4: squid
Only in squid-2.4.DEVEL4: squid-2.4.DEVEL4.orig
Only in squid-2.4.DEVEL4/src: SciTE.properties
diff -ur --minimal squid-2.4.DEVEL4.orig/src/client_side.c
squid-2.4.DEVEL4/src/client_side.c
--- squid-2.4.DEVEL4.orig/src/client_side.c Tue Jul 18 02:16:41 2000
+++ squid-2.4.DEVEL4/src/client_side.c Thu Nov 23 11:59:27 2000
@@ -62,6 +62,9 @@
#endif
#endif
+#if LINUX_NETFILTER
+#include <linux/netfilter_ipv4.h>
+#endif
#if LINGERING_CLOSE
@@ -2227,6 +2230,9 @@
struct natlookup natLookup;
static int natfd = -1;
#endif
+#if LINUX_NETFILTER
+ size_t sock_sz = sizeof(conn->me);
+#endif
if ((req_sz = headersEnd(conn->in.buf, conn->in.offset)) == 0) {
debug(33, 5) ("Incomplete request, waiting for end of headers\n");
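Review bot: `sock_sz` is declared `size_t`, but the length argument of getsockopt is `socklen_t *`, so the call in the `@@ -2402` hunk passes a pointer of the wrong type; on an LP64 platform, where socklen_t is 32-bit, the kernel would update only part of an 8-byte object. Declare it as `socklen_t sock_sz = sizeof(conn->me);` instead. The enclosing function begins before and ends after this hunk.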
@@ -2402,6 +2408,11 @@
inet_ntoa(natLookup.nl_realip),
vport, url);
#else
+#if LINUX_NETFILTER
+ /* If the call fails the address structure will be unchanged */
+ getsockopt(conn->fd, SOL_IP, SO_ORIGINAL_DST, &conn->me, &sock_sz );
+ debug(33, 5) ("parseHttpRequest: addr = %s",
inet_ntoa(conn->me.sin_addr) );
+#endif
snprintf(http->uri, url_sz, "http://%s:%d%s",
inet_ntoa(http->conn->me.sin_addr),
vport, url);
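Review bot: The return value of the `getsockopt(conn->fd, SOL_IP, SO_ORIGINAL_DST, ...)` call is not checked, and the comment only notes that conn->me is left unchanged on failure; since the existing snprintf below already builds the URL from `http->conn->me.sin_addr` (presumably the accepting socket's own address), a failed lookup silently rewrites the request towards Squid itself rather than towards the client's destination, which is worth logging so a misconfigured redirect rule is visible rather than showing up as a forwarding loop. The `debug(33, 5)` string also lacks the trailing `\n` that the other debug messages in this file carry. Separately, after a successful call the client's original destination port is available in `conn->me.sin_port`, but the snprintf still uses `vport`; if the intent is to honour the original destination fully, `ntohs(conn->me.sin_port)` should be used there, otherwise a comment should say why the port is fixed.

```c
#if LINUX_NETFILTER
    /* On failure conn->me keeps the accepting socket's address, so the
     * URL built below would point at Squid itself; log that loudly. */
    if (getsockopt(conn->fd, SOL_IP, SO_ORIGINAL_DST, &conn->me, &sock_sz) < 0) {
        debug(33, 1) ("parseHttpRequest: SO_ORIGINAL_DST failed on FD %d: %s\n",
            conn->fd, xstrerror());
    } else {
        debug(33, 5) ("parseHttpRequest: addr = %s\n",
            inet_ntoa(conn->me.sin_addr));
    }
#endif
/* … unchanged: snprintf of http->uri … */
```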
-- Evan Jones - ejones@netwinder.org Technology with Attitude - Rebel.com -- To unsubscribe, see http://www.squid-cache.org/mailing-lists.htmlReceived on Tue Nov 28 2000 - 08:36:54 MST