[squid-users] Transparent proxy (Tproxy4)

From: Jose-Marcio Martins <Jose-Marcio.Martins_at_mines-paristech.fr>
Date: Wed, 19 Feb 2014 13:31:51 +0100

Hello,

I've configured a transparent proxy as TProxy4 (http://wiki.squid-cache.org/Features/Tproxy4).

But I don't see anything in squid access log.

* OS = Linux Fedora 20.

* Cache log says at start-up:

....
2014/02/19 12:23:53 kid1| Accepting WCCPv2 messages on port 2048, FD 11.
2014/02/19 12:23:53 kid1| Initialising all WCCPv2 lists
2014/02/19 12:23:53 kid1| HTCP Disabled.
2014/02/19 12:23:53 kid1| Squid plugin modules loaded: 0
2014/02/19 12:23:53 kid1| Adaptation support is off.
2014/02/19 12:23:53 kid1| Accepting HTTP Socket connections at local=0.0.0.0:8080 remote=[::] FD 12 flags=9
2014/02/19 12:23:53 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 13 flags=9
2014/02/19 12:23:53 kid1| Accepting TPROXY spoofing HTTP Socket connections at local=0.0.0.0:3129 remote=[::] FD 14 flags=25
...

********************************

* The router is connected to the wccp port:

udp 0 0 194.214.158.189:2048 194.214.158.165:2048 ESTABLISHED

********************************

* iptables seems OK

# iptables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DIVERT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
#

********************************
* kernel routing seems OK:

# ip -s -f inet rule
0: from all lookup local
32764: from all fwmark 0x1 lookup 100
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default

# ip -s -f inet route
default via 194.214.158.165 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1002
194.214.158.0/24 dev eth0 proto kernel scope link src 194.214.158.189
#

********************************
* squid.conf:

wccp2_router 194.214.158.165
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_assignment_method hash
wccp2_service standard 0

   I shall change wccp2_service to dynamic afterwards, but for start-up it
   should work, I guess.

********************************
* On the router (switch/router) we have this:

ip wccp web-cache redirect-list 120

interface Vlan16
  description Vlan Users
  ip address a.b.c.d v.w.x.y
  no ip redirects
  ip wccp web-cache redirect in

access-list 120 remark the SQUID proxy bypasses the redirection
access-list 120 deny ip host 194.214.158.207 any
access-list 120 permit tcp 192.168.16.0 0.0.0.255 any eq www
access-list 120 deny ip any any

*********************************

What else should I look at? Is there something wrong? Any hints?

Thanks for your help.

-- 
Received on Wed Feb 19 2014 - 12:31:59 MST
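
An added example (not part of the original post, and not Squid project code): a small Python consistency check over the outputs quoted in the message, confirming that the TPROXY port, the firewall mark and the policy-routing table line up. The function name `check_tproxy` and the `TABLE_100_OK` sample are assumptions; the post shows only the main routing table, so the table-100 route is reported as unknown.

```python
import re

# Constructed sample input: copied from the outputs quoted in the post.
MANGLE_RULES = """\
-N DIVERT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
"""
IP_RULES = """\
0: from all lookup local
32764: from all fwmark 0x1 lookup 100
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default
"""
CACHE_LOG = ("Accepting TPROXY spoofing HTTP Socket connections at "
             "local=0.0.0.0:3129 remote=[::] FD 14 flags=25")
# Assumption, not in the post: `ip route show table 100` output when the local route exists.
TABLE_100_OK = "local default dev lo scope host\n"

def check_tproxy(mangle, rules, cache_log, table_routes=None):
    """Return a list of (check, status); status is 'ok', 'FAIL' or 'unknown'."""
    results = []
    m = re.search(r"-j TPROXY .*--on-port (\d+).*--tproxy-mark (0x[0-9a-f]+)/", mangle)
    listen = re.search(r"TPROXY spoofing .* local=\S+:(\d+)", cache_log)
    if not m or not listen:
        return [("tproxy rule and listener present", "FAIL")]
    port, mark = m.group(1), int(m.group(2), 16)
    results.append(("iptables --on-port matches Squid tproxy port",
                    "ok" if port == listen.group(1) else "FAIL"))
    # Tables selected by `ip rule` for packets carrying the TPROXY mark.
    tables = {t for fw, t in re.findall(r"fwmark (0x[0-9a-f]+)\S* lookup (\S+)", rules)
              if int(fw, 16) == mark}
    results.append(("ip rule routes the mark to a table", "ok" if tables else "FAIL"))
    # That table must deliver marked packets locally via lo.
    if table_routes is None:
        status = "unknown"  # output of `ip route show table <N>` was not supplied
    else:
        status = "ok" if re.search(r"^local (default|0\.0\.0\.0/0) dev lo\b",
                                   table_routes, re.M) else "FAIL"
    results.append(("table has 'local default dev lo' route", status))
    return results

if __name__ == "__main__":
    for name, status in check_tproxy(MANGLE_RULES, IP_RULES, CACHE_LOG):
        print(f"{status:8} {name}")
```

Passing the real output of `ip route show table 100` as `table_routes` turns the last result from unknown into ok or FAIL.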
