[squid-users] IPv6 and TPROXY

Eliezer Croitoru eliezer at ngtech.co.il
Sun Aug 20 00:08:02 UTC 2017


You can use tproxy but you will need to somehow make it so squid will do "NAT" instead of only tproxy or to find out what is causing the issue to happen in the network layer of the connection.
It can be a simple iptables rule which blocks traffic or another issue like rp_filter.
If you are up to it I will be willing to try and setup a more advanced ipv6 setup that might help to inspect the issue.

In the meanwhile I am missing one piece which maybe Amos can help with:
Is it possible to use tproxy for interception but force a non-tproxy connection on the outgoing traffic?
I wrote such a proxy myself and I believe that there might be another solution too if nothing else would be found.

The other idea would be:
Use haproxy in front of the squid proxy to intercept traffic at the TCP level and pass to squid somehow the request via a proxy protocol enabled port.
I have used it in the past and it should be fine for port 80 but for 443 it's a whole other thing.

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: Walter H. [mailto:Walter.H at mathemainzel.info]
Sent: Saturday, August 19, 2017 23:23
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] IPv6 and TPROXY

Hello,

not really, I must live with the fact that I can't configure tproxy, as I can't update any kernel ...

Walter

On 19.08.2017 22:09, Eliezer Croitoru wrote:
> Any progress with the issue?
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
>
> -----Original Message-----
> From: Walter H. [mailto:Walter.H at mathemainzel.info]
> Sent: Sunday, August 13, 2017 21:31
> To: Eliezer Croitoru<eliezer at ngtech.co.il>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] IPv6 and TPROXY
>
> Hello Eliezer
>
> yes, because all my Linux systems are CentOS 6 ...
>
> the router/firewall has a rule
>
> -A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j LOG --log-prefix "IPv6[FWD-HTTP(out)]: " --log-level 7
> -A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j REJECT
>
> any windows host inside this ipv6prefix has configured a proxy, but for
> some reason e.g. there is HTTP traffic of CRLs or OCSP
> that doesn't go through to the configured proxy, and is blocked ...
> for this I need this TPROXY ...
> (only IPv6 needs to be solved, IPv4 already runs perfect)
>
> Thanks,
> Walter
>
>
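An added example, not code from this thread or from the Squid project: a POSIX shell script that installs the IPv6 TPROXY interception rules for port 80 that Squid expects, and first runs the two pre-flight checks Eliezer's reply points at, a FORWARD rule that REJECTs or DROPs the intercepted port (the shape of Walter's rule) and strict rp_filter. The client prefix 2001:db8:1::/64, interface br0, fwmark 0x1, routing table 100 and a Squid listener configured as "http_port 3129 tproxy" are constructed assumptions; the ip6tables-save lines used to exercise the check are modelled on Walter's rules and are likewise constructed.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread or the Squid project.
# Sets up IPv6 TPROXY interception of port 80 for Squid and runs the two
# pre-flight checks Eliezer's reply points at: a FORWARD rule that REJECTs
# or DROPs the intercepted port, and strict rp_filter.
# Assumptions (constructed; adjust): clients in 2001:db8:1::/64 behind br0,
# Squid configured with "http_port 3129 tproxy", fwmark 0x1 and routing
# table 100 unused.

CLIENT_NET="${CLIENT_NET:-2001:db8:1::/64}"
LAN_IF="${LAN_IF:-br0}"
TPROXY_PORT="${TPROXY_PORT:-3129}"
MARK="${MARK:-0x1}"
TABLE="${TABLE:-100}"

# run: echo the command when DRY_RUN is set, execute it otherwise
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# tproxy_rules: policy routing plus mangle-table rules for TPROXY.
# The DIVERT chain marks packets that already belong to a local socket
# (later packets of an intercepted connection) so they are routed to the
# local stack without passing through the TPROXY target again.
tproxy_rules() {
    run ip -6 rule add fwmark "$MARK" lookup "$TABLE"
    run ip -6 route add local ::/0 dev lo table "$TABLE"
    run ip6tables -t mangle -N DIVERT
    run ip6tables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run ip6tables -t mangle -A DIVERT -j ACCEPT
    run ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run ip6tables -t mangle -A PREROUTING -i "$LAN_IF" -s "$CLIENT_NET" \
        -p tcp --dport 80 -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
}

# find_blocking_rules PORT: read ip6tables-save output on stdin and print
# FORWARD rules that REJECT or DROP traffic to PORT (exit status 1 if none).
find_blocking_rules() {
    grep -E '^-A FORWARD ' | grep -E -- "--dport $1( |\$)" | grep -E -- '-j (REJECT|DROP)'
}

# check_rp_filter: return 1 if any IPv4 interface has strict (1) rp_filter.
# PROC_ROOT lets a test point the check at a fake /proc tree.
check_rp_filter() {
    strict=0
    for f in "${PROC_ROOT:-}"/proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "1" ]; then
            echo "strict rp_filter on $(basename "$(dirname "$f")")"
            strict=1
        fi
    done
    return $strict
}

main() {
    if ! check_rp_filter; then
        echo "warning: strict rp_filter set; relax it if intercepted traffic is dropped" >&2
    fi
    if command -v ip6tables-save >/dev/null 2>&1; then
        if blocked=$(ip6tables-save 2>/dev/null | find_blocking_rules 80); then
            printf 'warning: FORWARD rules that reject port 80:\n%s\n' "$blocked" >&2
        fi
    fi
    tproxy_rules
}

# "sh tproxy6.sh dry-run" prints the commands; "sh tproxy6.sh apply" runs them (as root).
case "${1:-}" in
    dry-run) DRY_RUN=1; main ;;
    apply)   main ;;
    *)       : ;;
esac
```

Run it with dry-run first and compare the printed rules against the existing ruleset before applying. Note that the rp_filter sysctl exists only under net.ipv4; on IPv6 the Linux equivalent is the ip6tables rpfilter match, so when hunting for the "other issue" on an IPv6 path also look for "-m rpfilter" rules in the ip6tables-save dump, not just for a sysctl.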