Re: [squid-users] WCCP transparent proxy

From: nipun_mlist Assam <nipunmlist_at_gmail.com>
Date: Wed, 12 Oct 2011 20:04:52 +0530

Saleh,

I locally fixed the issue for my work. Squid has a small bug there; it
doesn't spoof the client IP. I will send you the changed file.

Regards,
Nipun

On Wed, Oct 12, 2011 at 6:36 PM, Saleh Madi <saleh.madi_at_hadara.ps> wrote:
> Hi,
>
> For a month I have tried to get the client IP spoofing working, but with no success.
> I have googled all forums on the web, but with no success. The TPROXY
> configuration works, but the client IP spoofing doesn't work (kernel 2.6.37
> with Debian squeeze and libcap2). Why does this problem occur for all
> users? Many of them are complaining about this problem without any
> solutions.
> Is there a trick? I need an obvious solution to fix this problem.
> I hope we can solve it to be helpful to other users.
>
> Many thanks and Best Regards,
> Saleh
>
>
>> On 12/10/11 22:19, nipun_mlist Assam wrote:
>>> On Wed, Oct 12, 2011 at 11:05 AM, Amos Jeffries<squid3_at_treenet.co.nz>
>>> wrote:
>>>> On 12/10/11 17:33, nipun_mlist Assam wrote:
>>>>>
>>>>> This may be relevant to this question.
>>>>> While trying to use squid for transparent proxy (tproxy) on Linux
>>>>> (kernel 2.6.39 with CentOS 6.0), I noticed the following:
>>>>>
>>>>> 1. Client IP spoofing doesn't work (but for our work, this requirement
>>>>> was a must).
>>>>
>>>> In what way?
>>>
>>> The root web server was seeing the IP of the squid box, not of the
>>> client machine, for all HTTP requests. I.e. the web server will see
>>> that the HTTP requests are coming from the squid box. Our requirement
>>> is that both the web servers and client machines should not be aware
>>> of a squid proxy sitting in between, and hence they should not see the
>>> IP of the squid box in HTTP-related traffic.
>>>
>>> squid.conf is as shown below (I am pasting only http_port related
>>> lines):
>>>
>>> .
>>> .
>>> http_port  85 tproxy
>>> http_port  86 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>> .
>>> .
>>>
>>>
>>> IPTABLES was configured as shown below (port 80 traffic is forwarded
>>> to port 85, where squid "expects" HTTP traffic, and port 443 traffic
>>> is forwarded to port 86, where "HTTPS" traffic is expected):
>>>
>>>   iptables -t mangle -N DIVERT
>>>   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>   iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>   iptables -t mangle -A DIVERT -j ACCEPT
>>>   ip rule add fwmark 1 lookup 100
>>>   ip route add local 0.0.0.0/0 dev lo table 100
>>>   iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 85
>>>   iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 86
>>>
>>>
>>>
>>>>
>>>>> 2. Squid with tproxy doesn't work with HTTPS traffic.
>>>>
>>>> In what way?
>>>>
>>>> HTTP:
>>>>   http_port 1 tproxy ...
>>>>
>>>> HTTPS:
>>>>   https_port 2 tproxy ...
>>>>
>>>>>
>>>
>>> We cannot use https_port here, because we are seeing that the traffic from
>>> squid to the root webserver goes as http traffic after that.
>>
>> That is the bug then. Outgoing traffic needs to check the request->flags
>> to identify tproxy or intercepted. It also needs to check request->protocol for
>> PROTO_HTTPS requests to re-encrypt.
>>
>> Amos
>> --
>> Please be using
>>    Current Stable Squid 2.7.STABLE9 or 3.1.15
>>    Beta testers wanted for 3.2.0.12
>>
>
>
>
Received on Wed Oct 12 2011 - 14:34:58 MDT

This archive was generated by hypermail 2.2.0 : Wed Oct 12 2011 - 12:00:02 MDT
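The rule set Nipun posted relies on several things agreeing with each other: the `-m socket` DIVERT rule must sit ahead of the TPROXY rules in PREROUTING (it is what catches the origin server's replies, which are addressed to the spoofed client IP and would otherwise be forwarded on to the client), the MARK value, the `--tproxy-mark` and the `ip rule ... fwmark` must all name the same mark, the selected table must contain the `local 0.0.0.0/0 dev lo` route, and every `--on-port` must land on a Squid port that carries the `tproxy` flag. The following lint is an added example, not code from Squid, netfilter or anyone in the thread: it reads `iptables-save` text, `ip rule show` and `ip route show table N` output and the `http_port`/`https_port` lines of squid.conf, and reports any of those invariants that fail. The sample inputs are constructed from the rules and squid.conf lines quoted above; the warning it emits for port 443 reflects Amos's point that intercepted TLS belongs on `https_port ... tproxy`.

```python
"""Lint a Linux TPROXY + Squid setup for the mistakes that leave client-IP
spoofing broken. Added example; not code from Squid or netfilter. All sample
inputs are constructed from the rules posted in the thread."""
import re

# Constructed: the thread's mangle rules as iptables-save prints them.
SAMPLE_MANGLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 85 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m tcp --dport 443 -j TPROXY --on-port 86 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""
# Constructed: `ip rule show` and `ip route show table 100` after the thread's ip commands.
SAMPLE_IP_RULE = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
SAMPLE_ROUTES = {"100": "local default dev lo scope host\n"}
# Constructed: the two http_port lines from the thread.
SAMPLE_SQUID_CONF = """\
http_port 85 tproxy
http_port 86 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
"""


def _mark(tok):
    """'0x1/0x1', '0x1/0xffffffff' or '1' -> integer mark value (mask ignored)."""
    return int(tok.split("/")[0], 0)


def parse_mangle(text):
    """Rules of the mangle table as (chain, rule) tuples, in file order."""
    rules, in_mangle = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_mangle = (line == "*mangle")
        elif in_mangle and line.startswith("-A "):
            rules.append((line.split()[1], line))
    return rules


def parse_squid_ports(conf):
    """{port: (directive, set of option names)} for http_port/https_port lines."""
    ports = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("http_port", "https_port"):
            port = parts[1].rsplit(":", 1)[-1]          # accepts "ip:port" too
            ports[port] = (parts[0], {p.split("=")[0] for p in parts[2:]})
    return ports


def lint(mangle, ip_rule, routes, squid_conf):
    """Return a list of (level, message) findings; level is 'error' or 'warn'."""
    out = []
    rules = parse_mangle(mangle)
    pre = [r for chain, r in rules if chain == "PREROUTING"]
    socket_at = [i for i, r in enumerate(pre) if "-m socket" in r]
    tproxy_at = [i for i, r in enumerate(pre) if "-j TPROXY" in r]

    # 1. Server replies are addressed to the spoofed client IP, which is not a local
    #    address; the '-m socket' rule (ahead of TPROXY) is what marks them so the
    #    fwmark table delivers them to Squid's IP_TRANSPARENT socket.
    if not socket_at:
        out.append(("error", "PREROUTING has no '-m socket' rule: server replies to the "
                             "spoofed client IP will be forwarded instead of delivered to Squid"))
    elif tproxy_at and socket_at[0] > tproxy_at[0]:
        out.append(("error", "the '-m socket' rule must precede the TPROXY rules in PREROUTING"))
    if not tproxy_at:
        out.append(("error", "PREROUTING has no TPROXY rule"))

    # 2. MARK, --tproxy-mark and 'ip rule fwmark' must agree on one value, and the
    #    selected table must treat every destination as local on lo.
    set_marks = {_mark(m) for _, r in rules for m in re.findall(r"--set-x?mark (\S+)", r)}
    tproxy_marks = {_mark(m) for i in tproxy_at for m in re.findall(r"--tproxy-mark (\S+)", pre[i])}
    if set_marks and tproxy_marks and set_marks != tproxy_marks:
        out.append(("error", f"MARK sets {sorted(set_marks)} but TPROXY sets {sorted(tproxy_marks)}"))
    fwmark_tables = {_mark(m): t for m, t in re.findall(r"fwmark (\S+) lookup (\S+)", ip_rule)}
    for mark in sorted(set_marks | tproxy_marks):
        table = fwmark_tables.get(mark)
        if table is None:
            out.append(("error", f"mark {mark:#x} is set but no 'ip rule ... fwmark' selects a table for it"))
        elif not re.search(r"^local (default|0\.0\.0\.0/0) dev lo", routes.get(table, ""), re.M):
            out.append(("error", f"table {table} lacks 'local default dev lo': marked packets are not delivered locally"))

    # 3. Every --on-port must hit a Squid port with the tproxy flag; intercepted 443
    #    belongs on https_port rather than http_port.
    ports = parse_squid_ports(squid_conf)
    for i in tproxy_at:
        on_port = re.search(r"--on-port (\d+)", pre[i])
        dport = re.search(r"--dport (\d+)", pre[i])
        if not on_port:
            continue
        directive, flags = ports.get(on_port.group(1), (None, set()))
        if directive is None:
            out.append(("error", f"TPROXY diverts to port {on_port.group(1)} but squid.conf has no http_port/https_port for it"))
        elif "tproxy" not in flags:
            out.append(("error", f"{directive} {on_port.group(1)} lacks the tproxy flag: Squid will not bind to the client address"))
        elif dport and dport.group(1) == "443" and directive != "https_port":
            out.append(("warn", f"port 443 is diverted to {directive} {on_port.group(1)}; intercepted TLS belongs on an 'https_port ... tproxy ssl-bump' line"))
    return out


if __name__ == "__main__":
    for level, msg in lint(SAMPLE_MANGLE, SAMPLE_IP_RULE, SAMPLE_ROUTES, SAMPLE_SQUID_CONF):
        print(f"{level}: {msg}")
```

On the thread's own rule set the lint reports no errors and only the port 443 warning, which matches what Nipun observed: the HTTP side of the setup is consistent, so a spoofing failure there points at the proxy rather than the kernel plumbing. The lint works on captured text, so it cannot tell whether Squid actually kept CAP_NET_ADMIN after dropping root (the libcap dependency Saleh mentions); that has to be checked on the running process.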