
#1 2017-08-28 11:02:43

remlei
Member
Registered: 2017-08-28
Posts: 3

Squid Network wide transparent proxy server issue

I used to do this and it always worked on other Linux flavors, but not on Arch Linux.

After adding a PREROUTING rule on my router to redirect all port 80 and 443 traffic to a dedicated bare-metal Squid cache,

this error shows up:

The following error was encountered while trying to retrieve the URL: http://this.is.the.website.i.visit.on

    Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is webmaster.

I simplified the squid.conf for a while to make sure there's no ACL blocking access to the website, but no dice, it still doesn't get through.

squid.conf

http_access allow all
http_port 3128
http_port 3129 intercept
cache_dir ufs /var/cache/squid 2048 16 256
coredump_dir /var/cache/squid

I have the same configuration on a different Linux flavor (e.g. any Debian-based Linux) and it works fine.

I'm really lost here. The wiki doesn't have any pointers about this; the transparent configuration available there only works if 1. you generate the traffic on the machine itself, or 2. you pass the traffic from one interface to another interface (i.e. Arch is your router/firewall).

There's also a workaround, which is to use some sort of dual-proxy setup like DansGuardian or ClamAV or Adzapper; once you combine it with Squid it all works fine, but I don't want any of that.

I also tried setting up my browser to use the proxy server by manually configuring the proxy, and that works fine.

My only objective here is this:

Use my dd-wrt router to pass the port 80 and 443 traffic to my Squid box, and have the Squid box process all that traffic.
My Arch Linux runs on a mini computer (the size of a book) with a dual-core Celeron, 8 GB of RAM and a 500 GB laptop-size HDD.


#2 2017-08-28 11:59:28

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: Squid Network wide transparent proxy server issue

I don't think you need to do anything with the router.
You just need to use iptables to do the intercept.
There are times when the intercept is not preferable, such as sites I don't need a proxy for; HTTPS doesn't store much in the cache, and there's not much use in using a proxy for HTTPS unless you want it all to appear to be coming from one box.

I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.


#3 2017-08-28 20:23:05

remlei
Member
Registered: 2017-08-28
Posts: 3

Re: Squid Network wide transparent proxy server issue

That's what I already did, and it's still the same. I just put an intercept route in my router so all port 80 and 443 traffic is passed to Squid without configuring each computer to use Squid.

Plus, if I don't want a site or IP address to pass through Squid, I can just add another iptables rule for that in my router, no problem.


#4 2017-08-28 20:52:47

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Squid Network wide transparent proxy server issue

tcpdump, as usual, will help you see what's happening with the traffic.

Did you also add an iptables rule to change the port *back* from e.g. port 3129 to port 80, for the traffic going back to the client? It is two-way traffic.


#5 2017-08-29 10:42:22

remlei
Member
Registered: 2017-08-28
Posts: 3

Re: Squid Network wide transparent proxy server issue

My iptables is fine, since as long as I use a different proxy server (e.g. Privoxy or a combination of Squid+DansGuardian) the transparent proxy works fine as usual; it just doesn't work if I use Squid alone. Thus the "Access Denied" Squid error page shows up.

Anyway, here's the tcpdump; I don't know if it has anything meaningful in it.

10:37:44.308681 IP 192.168.0.1.52438 > 192.168.0.2.3129: Flags [.], ack 1, win 256, length 0
10:37:44.324559 IP 192.168.0.1.52438 > 192.168.0.2.3129: Flags [P.], seq 1:435, ack 1, win 256, length 434
10:37:44.324641 IP 192.168.0.2.3129 > 192.168.0.1.52438: Flags [.], ack 435, win 237, length 0
10:37:44.475307 IP 192.168.0.1.52374 > 192.168.0.2.3129: Flags [F.], seq 94276830, ack 3919768216, win 256, length 0
10:37:44.475687 IP 192.168.0.2.3129 > 192.168.0.1.52374: Flags [F.], seq 1, ack 1, win 251, length 0
10:37:44.476535 IP 192.168.0.1.52374 > 192.168.0.2.3129: Flags [.], ack 1, win 256, length 0
10:37:44.477049 IP 192.168.0.1.52374 > 192.168.0.2.3129: Flags [.], ack 2, win 256, length 0
10:37:44.482592 IP 192.168.0.1.52439 > 192.168.0.2.3129: Flags [S], seq 576704031, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:37:44.482693 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [S.], seq 4147116923, ack 576704032, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
10:37:44.483462 IP 192.168.0.1.52439 > 192.168.0.2.3129: Flags [.], ack 1, win 256, length 0
10:37:44.497253 IP 192.168.0.1.52439 > 192.168.0.2.3129: Flags [P.], seq 1:721, ack 1, win 256, length 720
10:37:44.497323 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [.], ack 721, win 240, length 0
10:37:44.501985 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [P.], seq 1:481, ack 721, win 240, length 480
10:37:44.502150 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [.], seq 481:1941, ack 721, win 240, length 1460
10:37:44.502211 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [.], seq 1941:3401, ack 721, win 240, length 1460
10:37:44.502322 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [P.], seq 3401:4577, ack 721, win 240, length 1176
10:37:44.502477 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [P.], seq 4577:4772, ack 721, win 240, length 195
10:37:44.503182 IP 192.168.0.1.52439 > 192.168.0.2.3129: Flags [.], ack 481, win 254, length 0
10:37:44.503430 IP 192.168.0.1.52439 > 192.168.0.2.3129: Flags [.], ack 1941, win 256, length 0
10:37:44.503625 IP 192.168.0.1.52439 > 192.168.0.2.3129: Flags [.], ack 4772, win 256, length 0
10:37:44.606599 IP 192.168.0.2.3129 > 192.168.0.1.52438: Flags [P.], seq 1:483, ack 435, win 237, length 482
10:37:44.607083 IP 192.168.0.2.3129 > 192.168.0.1.52438: Flags [.], seq 483:1943, ack 435, win 237, length 1460
10:37:44.607162 IP 192.168.0.2.3129 > 192.168.0.1.52438: Flags [.], seq 1943:3403, ack 435, win 237, length 1460
10:37:44.607262 IP 192.168.0.2.3129 > 192.168.0.1.52438: Flags [P.], seq 3403:4399, ack 435, win 237, length 996
10:37:44.607740 IP 192.168.0.1.52438 > 192.168.0.2.3129: Flags [.], ack 483, win 254, length 0
10:37:44.608220 IP 192.168.0.1.52438 > 192.168.0.2.3129: Flags [.], ack 1943, win 256, length 0
10:37:44.608602 IP 192.168.0.1.52438 > 192.168.0.2.3129: Flags [.], ack 4399, win 256, length 0
10:37:44.611324 IP 192.168.0.1.52438 > 192.168.0.2.3129: Flags [F.], seq 435, ack 4399, win 256, length 0
10:37:44.611586 IP 192.168.0.2.3129 > 192.168.0.1.52438: Flags [F.], seq 4399, ack 436, win 237, length 0
10:37:44.612210 IP 192.168.0.1.52438 > 192.168.0.2.3129: Flags [.], ack 4399, win 256, length 0
10:37:44.612424 IP 192.168.0.1.52438 > 192.168.0.2.3129: Flags [.], ack 4400, win 256, length 0
10:37:44.927008 IP 192.168.0.1.52439 > 192.168.0.2.3129: Flags [P.], seq 721:1411, ack 4772, win 256, length 690
10:37:44.927891 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [.], seq 4772:6232, ack 1411, win 251, length 1460
10:37:44.927976 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [.], seq 6232:7692, ack 1411, win 251, length 1460
10:37:44.928034 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [P.], seq 7692:8997, ack 1411, win 251, length 1305
10:37:44.928135 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [.], seq 8997:10457, ack 1411, win 251, length 1460
10:37:44.928183 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [.], seq 10457:11917, ack 1411, win 251, length 1460
10:37:44.928235 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [P.], seq 11917:13093, ack 1411, win 251, length 1176
10:37:44.928354 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [.], seq 13093:14553, ack 1411, win 251, length 1460
10:37:44.928398 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [.], seq 14553:16013, ack 1411, win 251, length 1460
10:37:44.928457 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [P.], seq 16013:17189, ack 1411, win 251, length 1176
10:37:44.928574 IP 192.168.0.2.3129 > 192.168.0.1.52439: Flags [P.], seq 17189:17838, ack 1411, win 251, length 649
10:37:44.929884 IP 192.168.0.1.52439 > 192.168.0.2.3129: Flags [.], ack 6232, win 256, length 0
10:37:44.930005 IP 192.168.0.1.52439 > 192.168.0.2.3129: Flags [.], ack 7692, win 256, length 0
10:37:44.930115 IP 192.168.0.1.52439 > 192.168.0.2.3129: Flags [.], ack 10457, win 256, length 0
10:37:44.930430 IP 192.168.0.1.52439 > 192.168.0.2.3129: Flags [.], ack 11917, win 256, length 0
10:37:44.930581 IP 192.168.0.1.52439 > 192.168.0.2.3129: Flags [.], ack 14553, win 256, length 0
10:37:44.930661 IP 192.168.0.1.52439 > 192.168.0.2.3129: Flags [.], ack 16013, win 256, length 0
10:37:44.930765 IP 192.168.0.1.52439 > 192.168.0.2.3129: Flags [.], ack 17838, win 256, length 0

I filtered the tcpdump to only capture traffic on port 3129 and port 80 (my network is broadcasting media services, e.g. DLNA); as usual, no signs of port 80 traffic.

Last edited by remlei (2017-08-29 10:45:09)

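Added example, not the poster's configuration and not taken from the Arch wiki or the Squid project: a rule set for the two-box layout discussed in this thread (dd-wrt router in front, Squid on a separate host listening on "http_port 3129 intercept"). The point it illustrates is the one behind brebs' question in #4 and the dump in #5: Squid 3.2 and later recovers the original destination of an intercepted connection from the conntrack table of the host it runs on, so a DNAT performed upstream on the router is invisible to it, and the dump shows packets already arriving at the Squid box addressed to port 3129. The script therefore leaves the packets untouched on the router (policy routing only), and does the REDIRECT into port 3129 on the Squid host, where the conntrack entry exists. Interface names (br0, eth0), the LAN prefix, and the mark/table numbers are assumptions; only the Squid IP and port come from the thread. Port 443 is deliberately not handled, since intercepting it requires TLS interception (ssl_bump), which is a separate topic. The functions print the commands rather than executing them, so the script can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not the poster's setup. Prints (does not apply) the rules for a
# router-plus-separate-Squid-host interception of port 80. The NAT into Squid's
# intercept port must happen on the Squid host itself, because Squid looks the
# original destination up in the local conntrack table.
#
# Assumed values; only the Squid IP and port come from the thread.
SQUID_IP="${SQUID_IP:-192.168.0.2}"    # Squid host (as in the tcpdump)
SQUID_PORT="${SQUID_PORT:-3129}"       # http_port 3129 intercept
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # LAN prefix (assumption)
LAN_IF="${LAN_IF:-br0}"                # dd-wrt LAN bridge (assumption)
SQUID_IF="${SQUID_IF:-eth0}"           # Squid host's LAN interface (assumption)
FWMARK="${FWMARK:-1}"                  # packet mark used for policy routing
RT_TABLE="${RT_TABLE:-100}"            # routing table selected by that mark

# Router side: mark port-80 packets from LAN clients that are leaving the LAN,
# excluding the Squid host (its own fetches must go straight out), and use the
# Squid host as next hop for marked packets. Nothing is rewritten here.
# ICMP redirects are switched off because the router forwards these packets
# back out the interface they came in on, and a client that honoured a
# redirect would start bypassing the proxy.
router_rules() {
  cat <<EOF
sysctl -w net.ipv4.conf.$LAN_IF.send_redirects=0
iptables -t mangle -A PREROUTING -i $LAN_IF ! -s $SQUID_IP ! -d $LAN_NET -p tcp --dport 80 -j MARK --set-mark $FWMARK
ip rule add fwmark $FWMARK table $RT_TABLE
ip route add default via $SQUID_IP dev $LAN_IF table $RT_TABLE
EOF
}

# Squid host side: enable forwarding, redirect incoming port 80 into the
# intercept port (this creates the conntrack entry Squid reads the original
# destination from), and let the redirected packets reach the local listener.
squid_host_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $SQUID_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -A INPUT -i $SQUID_IF -p tcp --dport $SQUID_PORT -j ACCEPT
EOF
}

# The check brebs suggests: capture both ports on the Squid host. With the rules
# above, client packets arrive with dport 80 (capture happens before REDIRECT)
# and replies leave with sport 80, because conntrack reverses the REDIRECT on
# the way out. Replies leaving with sport 3129 mean the NAT happened elsewhere.
verify_cmd() {
  printf 'tcpdump -ni %s "tcp port 80 or tcp port %s"\n' "$SQUID_IF" "$SQUID_PORT"
}

# Lint for the mistake this thread is about: a router-side DNAT straight into
# the intercept port. Exit status 0 means such a rule is present.
has_router_side_dnat() {
  printf '%s\n' "$1" | grep -q -- "DNAT --to-destination $SQUID_IP:$SQUID_PORT"
}

case "${1:-}" in
  --router) router_rules ;;
  --squid)  squid_host_rules ;;
  --verify) verify_cmd ;;
esac
```

Usage: `sh intercept-rules.sh --router` on the router and `sh intercept-rules.sh --squid` on the Squid host print the respective commands; `--verify` prints the tcpdump line to run on the Squid host while a client loads a page. Because the client's outbound packets travel via the router but the replies go from the Squid host directly to the client, the path is asymmetric; that is fine for the client, but the router will hold stale conntrack entries for those flows, which is harmless unless the router is also filtering on connection state for LAN-to-LAN traffic.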
