Re: [squid-users] WCCP transparent proxy

From: Saleh Madi <saleh.madi_at_hadara.ps>
Date: Wed, 12 Oct 2011 15:06:01 +0200 (IST)

Hi,

For a month I have been trying to get Client IP spoofing to work, but with no success.
I have googled all the forums on the web, but no success; the TPROXY
configuration works but the Client IP spoofing doesn't work (kernel 2.6.37
with Debian squeeze and libcap2). Why does this problem occur with all
users? Many of them are complaining about this problem without any
solutions.
Is there a trick? I need an obvious solution to fix this problem.
I hope we can solve it to be helpful to other users.

Many thanks and Best Regards,
Saleh

> On 12/10/11 22:19, nipun_mlist Assam wrote:
>> On Wed, Oct 12, 2011 at 11:05 AM, Amos Jeffries<squid3_at_treenet.co.nz>
>> wrote:
>>> On 12/10/11 17:33, nipun_mlist Assam wrote:
>>>>
>>>> This may be relevant to this question.
>>>> While trying to use squid for transparent proxy (tproxy) on linux
>>>> (kernel 2.6.39 with centos 6.0), I noticed the following
>>>>
>>>> 1. Client IP spoofing doesn't work (but for our work, this requirement
>>>> was a must).
>>>
>>> In what way?
>>
>> The root web server was seeing the IP of the squid box, not of the
>> client machine, for all http requests. I.e. the web server will see
>> that the HTTP requests are coming from the squid box. Our requirement
>> is that both the web servers and client machines should not be aware
>> of a squid proxy sitting in between, and hence they should not see the
>> IP of the squid box in HTTP related traffic.
>>
>> squid.conf is as shown below (I am pasting only http_port related
>> lines):
>>
>> .
>> .
>> http_port 85 tproxy
>> http_port 86 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> .
>> .
>>
>>
>> IPTABLES was configured as shown below (port 80 traffic is forwarded
>> to port 85 where squid "expects" HTTP traffic, and port 443 traffic
>> is forwarded to port 86 where "HTTPS" traffic is expected):
>>
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
>> --tproxy-mark 0x1/0x1 --on-port 85
>> iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY
>> --tproxy-mark 0x1/0x1 --on-port 86
>>
>>
>>
>>>
>>>> 2. Squid with tproxy doesn't work with HTTPS traffic.
>>>
>>> In what way?
>>>
>>> HTTP:
>>> http_port 1 tproxy ...
>>>
>>> HTTPS:
>>> https_port 2 tproxy ...
>>>
>>>>
>>
>> We cannot use https_port here, because we are seeing that the traffic from
>> squid to the root webserver goes as http traffic after that.
>
> That is the bug then. Outgoing traffic needs to check the request->flags
> to identify tproxy or intercepted. Also checking request->protocol for
> PROTO_HTTPS requests to re-encrypt.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.15
> Beta testers wanted for 3.2.0.12
>
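Editor's note, added to this archived thread (not written by any of the posters): the TPROXY rules quoted above only get traffic to Squid. For the upstream connection to carry the client's address, Squid opens the outgoing socket with the Linux IP_TRANSPARENT option and binds it to the client's non-local IP, which the kernel only permits to a process holding CAP_NET_ADMIN (recent kernels also accept CAP_NET_RAW). A Squid that has dropped that capability silently falls back to its own address, which is exactly the symptom reported. The script below is a diagnostic for that case: it parses the effective capability set from /proc/<pid>/status text (a constructed sample is embedded) and tries the socket option directly. The capability bit numbers and the IP_TRANSPARENT value 19 come from the Linux headers; the helper names are this example's own.

```python
"""Diagnostic for TPROXY client-address spoofing prerequisites on Linux.

Added example for the squid-users archive; not Squid project code.
"""
import socket

# Capability bit numbers from linux/capability.h
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13

# Constructed sample of /proc/<pid>/status lines (not captured from a real host):
# CapEff 0x1000 means only bit 12 (CAP_NET_ADMIN) is in the effective set.
SAMPLE_STATUS = "Name:\tsquid\nPid:\t4242\nCapEff:\t0000000000001000\n"


def parse_cap_eff(status_text):
    """Return the CapEff bitmask (effective capabilities) as an int."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_capability(cap_eff, cap_bit):
    """True if the given capability bit is set in the bitmask."""
    return bool(cap_eff & (1 << cap_bit))


def can_spoof_by_caps(cap_eff):
    """Kernel rule for enabling IP_TRANSPARENT: CAP_NET_ADMIN or CAP_NET_RAW."""
    return has_capability(cap_eff, CAP_NET_ADMIN) or has_capability(cap_eff, CAP_NET_RAW)


def process_can_spoof(pid="self"):
    """Read the live /proc/<pid>/status of a running process (e.g. Squid's PID)."""
    with open(f"/proc/{pid}/status") as f:
        return can_spoof_by_caps(parse_cap_eff(f.read()))


def can_set_ip_transparent():
    """Try to enable IP_TRANSPARENT on a throwaway TCP socket.

    This is the same option Squid needs on its outgoing sockets; EPERM here
    means the current process could not spoof client addresses either.
    """
    ip_transparent = getattr(socket, "IP_TRANSPARENT", 19)  # 19 on Linux
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.IPPROTO_IP, ip_transparent, 1)
        return True
    except OSError:
        return False
    finally:
        s.close()


if __name__ == "__main__":
    caps = parse_cap_eff(SAMPLE_STATUS)
    print("sample CapEff = %#x, can spoof by caps: %s" % (caps, can_spoof_by_caps(caps)))
    print("this process: caps allow spoofing:", process_can_spoof())
    print("this process: IP_TRANSPARENT setsockopt works:", can_set_ip_transparent())
```

To check a running Squid rather than the sample, call process_can_spoof(<squid pid>); if it returns False while the TPROXY rules are in place, the iptables side is not the problem.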
Received on Wed Oct 12 2011 - 13:08:02 MDT