[squid-users] Need help to solve problem with Squid 3.5.26 SSL Bump setting & iptables rules

Arsalan Hussain arsalan at preston.edu.pk
Wed Aug 16 08:42:08 UTC 2017


Dear Eliezer

I had created a new iptables configuration and it works fine for an hour
(attached).

Both transparent proxy clients and clients with proxy settings access the
internet through squid.

But after every hour the service crashes or becomes unstable, and I need to
restart the squid and iptables services for it to work.

I found the following errors in access.log when the service gets disturbed. I
don't know the reason, what this traffic is about, or how to resolve it. When
we restart the server, the services start fine again and the internet
works.

1502858587.658 114260 192.168.2.162 TAG_NONE/503 0 CONNECT
dc.services.visualstudio.com:443 - HIER_NONE/- -
1502858587.658 114260 192.168.2.162 TAG_NONE/503 0 CONNECT
dc.services.visualstudio.com:443 - HIER_NONE/- -
1502858587.658 114258 192.168.5.1 TAG_NONE/503 0 CONNECT
update.googleapis.com:443 - HIER_NONE/- -
1502858587.658 114252 192.168.2.125 TAG_NONE/503 0 CONNECT
update.googleapis.com:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT
en.wikibooks.org:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT
en.wikibooks.org:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT
en.wikibooks.org:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT
en.wikibooks.org:443 - HIER_NONE/-



On Tue, Aug 1, 2017 at 5:17 PM, Eliezer Croitoru <eliezer at ngtech.co.il>
wrote:

> Hey,
>
> The iptables rules don't make any sense:
> IPTABLES SETTING
>
> # Generated by iptables-save v1.4.7 on Mon Jul 31 05:43:29 2017
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [8330155:414444635]
> -A INPUT -i eth1 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
> -A INPUT -j DROP
> COMMIT
> # Completed on Mon Jul 31 05:43:29 2017
>
> There is no PREROUTING in the filter table...
> Take a peek at:
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect#iptables_configuration
>
> I also suggest you use intercept ports such as:
> 13128 (for http, port 80)
> 13129 (for https, port 443)
>
> And not port 3130.
>
> Let me know if it helps with something.
>
> Eliezer
>
> ----
> http://ngtech.co.il/lmgtfy/
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
> Behalf Of Arsalan Hussain
> Sent: Tuesday, August 1, 2017 12:45
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] Need help to solve problem with Squid 3.5.26 SSL
> Bump setting & iptables rules
>
> Dear all,
> I have configured Squid 3.5.26 SSL bump on CentOS 6.2 to share internet
> and delay pools to control bandwidth (my configuration files attached).
>
> The problem I am facing, and I do not understand the issue:
>
> 1- Clients who send requests with proxy settings are working fine with this
> directive: http_port 3128
>  - Delay pools are working fine; internet browsing for all clients using the
> proxy is working.
>
> 2- When transparent proxy clients send an http request via iptables ...
> REDIRECT:
> http_port 3129 intercept
> OR
> when transparent proxy clients send an https request via iptables ...
> REDIRECT:
> https_port 3130 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.pem
> I observed the problem in both cases: when a client sent a request through
> IPTABLES, the Squid service failed. When I stop iptables and start squid,
> then it starts working.
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
>
> 3- My objectives in setting up squid:
>      *  Internet sharing to clients configured with proxy settings.
>      *  Internet sharing to transparent proxy clients (those requests are
> directed to the server by "ip route 0.0.0.0 0.0.0.0 Proxy-IP" from the CISCO
> network for HTTP and HTTPS requests, without configuring proxy settings;
> coming from wireless).
>      *  Delay pools for both HTTP and HTTPS browsing, for proxy and
> transparent clients.
>
>
> Kindly, if somebody can help me fix my problems, please share any setting
> which works. I had added the ssl bump certificate because the service was
> crashing again and again without any reason after a few days, or sometimes on
> the same day.
>
>
>
> --
> With Regards,
>
> Arsalan Hussain
> If you don't fight for what you want, don't cry for what you lose.
>
>


-- 
With Regards,


*Arsalan Hussain*
*Assistant Director, Networks & Information System*

*PRESTON UNIVERSITY*
Add: Plot: 85, Street No: 3, Sector H-8/1, Islamabad, Pakistan
Cell: +92-322-5018611
UAN: (51) 111-707-808 (Ext: 443)
*Don't expect to see a change if you don't make one.*
-------------- next part --------------
# Generated by iptables-save v1.4.7 on Mon Apr 10 06:06:53 2017
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
# Completed on Mon Apr 10 06:06:53 2017
# Generated by iptables-save v1.4.7 on Mon Apr 10 06:06:53 2017
*nat
:PREROUTING ACCEPT [96:4818]
:POSTROUTING ACCEPT [1:108]
:OUTPUT ACCEPT [1:108]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.12:3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 10 06:06:53 2017
# Generated by iptables-save v1.4.7 on Mon Apr 10 06:06:53 2017
*mangle
:PREROUTING ACCEPT [169:10596]
:INPUT ACCEPT [164:10396]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [138:8328]
:POSTROUTING ACCEPT [138:8328]
COMMIT
# Completed on Mon Apr 10 06:06:53 2017
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Iptables rule new.png
Type: image/png
Size: 28055 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170816/074e043f/attachment-0001.png>
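Eliezer's point in the quoted reply is that a PREROUTING rule inside *filter is meaningless, because that table only has INPUT, FORWARD and OUTPUT; interception rules (REDIRECT/DNAT) belong in *nat. The following checker is an added example for this thread, not code from Squid or from either poster. It parses an iptables-save dump and reports rules appended to a chain that does not exist in the enclosing table, or that use a nat-only target outside *nat. The two dumps embedded below are constructed from the rules quoted in the thread: the original filter-table version and the later attachment with a proper *nat section.

```python
"""Lint an iptables-save dump for rules that land in the wrong table.

Added example for the squid-users thread; not code from Squid or from
either poster.  BROKEN_DUMP and FIXED_DUMP are constructed from the rule
sets quoted in the thread.
"""

import re

# Built-in chains per table, as documented in iptables(8).
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}

# Targets that are only valid inside the nat table.
NAT_ONLY_TARGETS = {"REDIRECT", "DNAT", "SNAT", "MASQUERADE"}

# Constructed from the rules Eliezer quoted: PREROUTING rules inside *filter.
BROKEN_DUMP = """\
# Generated by iptables-save v1.4.7 on Mon Jul 31 05:43:29 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8330155:414444635]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A INPUT -j DROP
COMMIT
"""

# Constructed from the later attachment: interception rules moved to *nat.
FIXED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [96:4818]
:POSTROUTING ACCEPT [1:108]
:OUTPUT ACCEPT [1:108]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.12:3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


def check_iptables_save(dump):
    """Return a list of (line_no, problem) for an iptables-save text.

    Chains are taken from the built-in set of the current table plus any
    ':CHAIN POLICY [pkts:bytes]' declarations seen in that table block.
    """
    problems = []
    table = None
    declared = set()
    for line_no, raw in enumerate(dump.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # start of a table block
            table = line[1:]
            declared = set(BUILTIN_CHAINS.get(table, set()))
            continue
        if line.startswith(":"):          # chain declaration
            declared.add(line[1:].split()[0])
            continue
        if line == "COMMIT":              # end of the table block
            table = None
            continue
        m = re.match(r"-[AI]\s+(\S+)(.*)", line)
        if not m:
            continue
        chain, rest = m.group(1), m.group(2)
        if table is None:
            problems.append((line_no, "rule outside any *table block"))
            continue
        if chain not in declared:
            problems.append((line_no, f"chain {chain} does not exist in table {table}"))
        target = re.search(r"-j\s+(\S+)", rest)
        if target and target.group(1) in NAT_ONLY_TARGETS and table != "nat":
            problems.append((line_no, f"target {target.group(1)} is only valid in *nat, found in *{table}"))
    return problems


if __name__ == "__main__":
    for name, dump in (("broken", BROKEN_DUMP), ("fixed", FIXED_DUMP)):
        print(name, check_iptables_save(dump) or "no problems")
```

Running the checker on the quoted rule set flags both PREROUTING lines twice (unknown chain in *filter, and REDIRECT outside *nat); the attachment's rule set passes. In practice, `iptables-restore` would reject the first dump outright, which is consistent with the reporter seeing Squid work only while iptables was stopped: with no working REDIRECT rules, nothing ever reached the intercept ports.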
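The access.log lines in the message are in Squid's native format (`time elapsed client tag/status bytes method URL ident hierarchy/peer type`). Each one is a CONNECT request (an HTTPS tunnel attempt) that Squid answered with 503 after roughly 114 seconds without choosing any next hop (HIER_NONE), which is why the reporter saw no internet during those intervals. The parser and summary below are an added example, not code from Squid or from the poster; the sample log is copied from the excerpt in the message plus one constructed successful GET line (client and peer addresses in that line are placeholders).

```python
"""Summarise failed CONNECT tunnels from a Squid native-format access.log.

Added example for the squid-users thread; not Squid's code or the poster's.
SAMPLE_LOG repeats the lines quoted in the message and adds one constructed
successful entry so the filter has something to leave out.
"""

from collections import Counter

SAMPLE_LOG = """\
1502858587.658 114260 192.168.2.162 TAG_NONE/503 0 CONNECT dc.services.visualstudio.com:443 - HIER_NONE/- -
1502858587.658 114260 192.168.2.162 TAG_NONE/503 0 CONNECT dc.services.visualstudio.com:443 - HIER_NONE/- -
1502858587.658 114258 192.168.5.1 TAG_NONE/503 0 CONNECT update.googleapis.com:443 - HIER_NONE/- -
1502858587.658 114252 192.168.2.125 TAG_NONE/503 0 CONNECT update.googleapis.com:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT en.wikibooks.org:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT en.wikibooks.org:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT en.wikibooks.org:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT en.wikibooks.org:443 - HIER_NONE/- -
1502858590.101 45 192.168.2.50 TCP_MISS/200 5120 GET http://example.test/index.html - HIER_DIRECT/192.0.2.10 text/html
"""


def parse_native_line(line):
    """Split one native-format access.log line into a dict; None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    tag, _, status = fields[3].partition("/")       # e.g. TAG_NONE/503
    hier, _, peer = fields[8].partition("/")        # e.g. HIER_NONE/-
    return {
        "time": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "tag": tag,
        "status": int(status),
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
        "hier": hier,
        "peer": peer,
    }


def failed_connects(log_text):
    """CONNECT requests that Squid answered 503 without selecting any next hop."""
    out = []
    for line in log_text.splitlines():
        rec = parse_native_line(line)
        if rec and rec["method"] == "CONNECT" and rec["status"] == 503 and rec["hier"] == "HIER_NONE":
            out.append(rec)
    return out


def summarise(records):
    """Counts per client and destination, plus timing hints for the failures."""
    return {
        "count": len(records),
        "by_client": Counter(r["client"] for r in records),
        "by_destination": Counter(r["url"] for r in records),
        "max_elapsed_ms": max((r["elapsed_ms"] for r in records), default=0),
        # All failures logged in the same second suggests a single stall/restart
        # event rather than independent per-client problems.
        "same_second": len({int(r["time"]) for r in records}) == 1,
    }


if __name__ == "__main__":
    summary = summarise(failed_connects(SAMPLE_LOG))
    print(summary["count"], "failed CONNECTs, max elapsed", summary["max_elapsed_ms"], "ms")
    print("per client:", dict(summary["by_client"]))
    print("per destination:", dict(summary["by_destination"]))
```

On the quoted excerpt this reports eight failures, all logged in the same second with elapsed times just over 114 s, spread across several clients and unrelated destinations (Visual Studio telemetry, Google update checks, Wikibooks). That pattern points at the proxy or the redirect path stalling as a whole rather than at the destinations, which is the same direction the thread's iptables discussion takes.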