[squid-users] IPv6 and TPROXY

Walter H. Walter.H at mathemainzel.info
Mon Aug 21 18:23:25 UTC 2017


I got it working partially, some servers (URLs) worked, others not ...
the not working host resulted in 503 ...

as I don't have any knowledge where to look, I give up

it would have been great, if it had worked

@Amos: your question about firewall rules gave me a hint, but
I can't say why only a few servers (URLs) worked ...

Walter


On 20.08.2017 02:08, Eliezer Croitoru wrote:
> You can use tproxy but you will need to somehow make it so squid will do "NAT" instead of only tproxy or to find out what is causing the issue to happen in the network layer of the connection.
> It can be a simple iptables rule which blocks traffic or another issue like rp_filter.
> If you are up to it I will be willing to try and setup a more advanced ipv6 setup that might help to inspect the issue.
>
> In the meantime I am missing one piece which maybe Amos can help with:
> Is it possible to use tproxy for interception but force a non tproxy connection on the outgoing traffic?
> I wrote such a proxy myself and I believe that there might be another solution to if nothing else would be found.
>
> The other idea would be:
> Use haproxy in front of the squid proxy to intercept traffic in the tcp level and pass to squid somehow the request via a proxy protocol enabled port.
> I have used it in the past and it should be fine for port 80 but for 443 it's a whole other thing.
>
> All The Bests,
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
>
> -----Original Message-----
> From: Walter H. [mailto:Walter.H at mathemainzel.info]
> Sent: Saturday, August 19, 2017 23:23
> To: Eliezer Croitoru<eliezer at ngtech.co.il>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] IPv6 and TPROXY
>
> Hello,
>
> not really, I must live with the fact, that I can't configure tproxy, as
> I can't update any kernel ...
>
> Walter
>
> On 19.08.2017 22:09, Eliezer Croitoru wrote:
>> Any progress with the issue?
>>
>> Eliezer
>>
>> ----
>> Eliezer Croitoru
>> Linux System Administrator
>> Mobile: +972-5-28704261
>> Email: eliezer at ngtech.co.il
>>
>>
>>
>> -----Original Message-----
>> From: Walter H. [mailto:Walter.H at mathemainzel.info]
>> Sent: Sunday, August 13, 2017 21:31
>> To: Eliezer Croitoru<eliezer at ngtech.co.il>
>> Cc: squid-users at lists.squid-cache.org
>> Subject: Re: [squid-users] IPv6 and TPROXY
>>
>> Hello Eliezer
>>
>> yes, because all my Linux systems are CentOS 6 ...
>>
>> the router/firewall has a rule
>>
>> -A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j LOG --log-prefix "IPv6[FWD-HTTP(out)]: " --log-level 7
>> -A FORWARD -i br0 -o sit1 -s ipv6prefix:0::/80 -m tcp -p tcp --dport 80 -j REJECT
>>
>> any windows host inside this ipv6prefix has configured a proxy, but for
>> some reason e.g. there is HTTP traffic of CRLs or OCSP
>> that doesn't go through to the configured proxy, and is blocked ...
>> for this I need this TPROXY ...
>> (only IPv6 needs to be solved, IPv4 already runs perfect)
>>
>> Thanks,
>> Walter
>>
>>
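
An added example, not part of the original thread and not code from any of its participants: a small parser that tallies the packets logged by the LOG rule quoted above, so you can see which clients still attempt direct port-80 connections (such as the CRL/OCSP fetches mentioned) and to which destinations. It assumes the standard netfilter LOG line layout in syslog; the hostname, timestamps and 2001:db8:: addresses are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# The --log-prefix value from the LOG rule quoted in the message above.
PREFIX = "IPv6[FWD-HTTP(out)]: "
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample syslog lines (documentation address ranges only).
_TAIL = "LEN=72 TC=0 HOPLIMIT=127 FLOWLBL=0 PROTO=TCP SPT=49712 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0"
_C10 = "SRC=2001:0db8:0000:0000:0000:0000:0000:0010"
_C11 = "SRC=2001:0db8:0000:0000:0000:0000:0000:0011"
SAMPLE = "\n".join([
    f"Aug 13 21:30:01 fw kernel: {PREFIX}IN=br0 OUT=sit1 {_C10} DST=2001:0db8:00ff:0000:0000:0000:0000:0050 {_TAIL}",
    f"Aug 13 21:30:02 fw kernel: {PREFIX}IN=br0 OUT=sit1 {_C10} DST=2001:0db8:00ff:0000:0000:0000:0000:0050 {_TAIL}",
    "Aug 13 21:30:03 fw kernel: IPv4[FWD]: IN=br0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=50000 DPT=80",
    f"Aug 13 21:30:04 fw kernel: {PREFIX}IN=br0 OUT=sit1 {_C11} DST=2001:0db8:00ff:0000:0000:0000:0000:0051 {_TAIL}",
    f"Aug 13 21:30:05 fw kernel: {PREFIX}IN=br0 OUT=sit1 SRC=2001:0db8:0000:0000:00",  # truncated line
])


def parse_line(line):
    """Return (src, dst) for a line written by the rule above, else None."""
    _, sep, rest = line.partition(PREFIX)
    if not sep:
        return None  # some other rule's log line
    fields = dict(FIELD.findall(rest))
    if fields.get("PROTO") != "TCP" or fields.get("DPT") != "80":
        return None
    try:
        # The kernel logs IPv6 addresses fully expanded; normalise them.
        src = ipaddress.IPv6Address(fields["SRC"])
        dst = ipaddress.IPv6Address(fields["DST"])
    except (KeyError, ValueError):
        return None  # truncated or malformed line
    return str(src), str(dst)


def bypass_summary(text):
    """Count logged packets per (client, destination), most frequent first.

    Counts are packets, not connections: SYN retransmissions are logged too.
    """
    hits = Counter(p for p in map(parse_line, text.splitlines()) if p)
    return hits.most_common()


if __name__ == "__main__":
    for (src, dst), n in bypass_summary(SAMPLE):
        print(f"{n:3d}  {src} -> {dst}")
```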

