[squid-users] squid tproxy

Amos Jeffries squid3 at treenet.co.nz
Sun Aug 30 00:52:49 UTC 2015 

On 29/08/2015 5:27 a.m., Vieri wrote:
> Hi,
> 
> 
> [reposting a trimmed-down message]
> 

> My goal is to allow lan users to access a greater number of sites if
they explicitly configure the squid proxy server in their browsers and
authenticate. If they don't then traffic to port 80 and 443 will be
transparently redirected to a squid proxy server by the corporate
firewall (in my case, firewall and squid are on the same machine).
> 
> Since I noticed that I cannot REQUIRE proxy_auth and create an
additional http_port for tproxy without authentication, I merely created
two instances of squid.

Yes you cannot require authn from an ACL test that gets checked on
intercepted traffic.

Jumping to the conclusion that you needed two proxies was extreme.

This would do it:

 http_port 3128
 http_port 3129 tproxy

 acl login proxy_auth REQUIRED
 acl explicit myportname 3128
 acl interceted myportname 3129

 http_access deny explicit !login
 http_access deny intercepted !localnet

Your regular rules then follow.

But if there is anything like a group check of external ACL with %LOGIN
place the 'explicit' ACL as the first one on the line, like the login
above. You will then have to figure out what (if anything) to do with
the intercepted traffic to check the same thing(s).


> 
> The first instance requires authentication and listens on port 3128.
All works fine when setting up the proxy address and port 3128 (or via
wpad.dat) on the client.
> 
> The second instance does not require authentication and listens on
port 3129 in tproxy mode and on port 3130 in forward proxy mode.
> 
> The firewall on the same machine as squid (iptables) redirects port
> 80
to 3129
> 
> I tried connecting from a Firefox client browser (lan IP addr.
10.215.144.48) without proxy manually configured to internet host
89.16.167.134:80.
> 
> The second squid proxy instance handles the connection but fails
> with
a connection timeout (see log below).

> squid.tproxy.conf (of second instance):
> 
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 901 # SWAT
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> include /etc/squid/squid.custom.rules.tproxy
> http_access allow localhost
> http_access deny all
> coredump_dir /var/cache/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> pid_filename /run/squid.tproxy.pid
> cache_dir ufs /var/cache/squid.tproxy 100 16 256
> 
> squid.custom.rules.tproxy:
> 
> access_log daemon:/var/log/squid/access.tproxy.log squid
> cache_log /var/log/squid/cache.tproxy.log
> http_access allow all
> email_err_data on
> error_directory /usr/share/squid/errors/HMAN
> debug_options rotate=1 ALL,5
> append_domain .mydomain.org
> http_port 3130
> http_port 3129 tproxy
> dns_v4_first on
> 
> squid 3.5.6
> kernel 4.1.4
> 
> CONFIG_NETFILTER_XT_TARGET_TPROXY=m
> CONFIG_NETFILTER_XT_MATCH_SOCKET=m
> CONFIG_NF_CONNTRACK=m
> 
> lsmod shows xt_TPROXY, nf_conntrack, xt_socket
> 
> Here's the log (connecting from client browser at 10.215.144.48 to internet host at 89.16.167.134):
> 
> http://pastebin.com/W2e8csZT
> 
> What is causing the timeout?

TCP SYN+ACK packet never gets back to Squid on the server connection.

> 
> Is there something wrong with my squid configuration or should I look elsewhere?
> 

The Squid operation seems to be perfectly fine.


The above SYN+ACK packet disappearance is a common sign that you have
triangular routing going on. Where the server response gets sent
straight to the client not to Squid.

You dont mention what routing or iptables configuration you have. It
could be there on the same machine, or it could be any of the network
routers elsewhere the traffic is going over.

Amos

More information about the squid-users mailing list