[squid-users] Connect strongSwan and Squid on same server

Amos Jeffries squid3 at treenet.co.nz
Thu Jan 19 09:29:09 UTC 2017


On 19/01/2017 8:00 p.m., Varun Singh wrote:
> Hi,
> I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
> 16.04 server and I am trying to connect both. By connect I mean, I am
> trying to achieve following:
> 
> [VPN Client] <------> [VPN Server] <-> [Squid] <------> [Internet]
> 
> My objective is to connect a VPN client to the VPN server and use Squid
> for filtering out blocked URLs. strongSwan and Squid work fine on
> their own. I can access the internet when connected to the VPN server and also
> when the HTTP proxy is configured without the VPN.
> 

Is the VPN acting as an interface on the client machine through which
traffic is gatewayed?
 Or as a transparent tunnel to the proxy?


> From what I understand, to achieve what I want, I am supposed to
> redirect incoming HTTP traffic from port 80 to port using iptables. I
> enter the following iptables rule:
> 
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
> 

What are the squid.conf ports configured as?

> Once I do this and try to access the internet from a connected VPN client,
> I get an error. Pasting a log of /var/log/squid/access.log
> 
> 

These are explicit-proxy requests (port 3128 syntax):

> 1484738365.632      0 114.143.194.190 TCP_DENIED/403 4066 CONNECT
> api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
> 1484738365.642      0 114.143.194.190 TCP_DENIED/403 4870 GET
> http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css
> - HIER_NONE/- text/html
> 1484738365.643      0 114.143.194.190 TCP_DENIED/403 4852 GET
> http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css
> - HIER_NONE/- text/html
> 1484738365.731      0 114.143.194.190 TCP_DENIED/403 4753 GET
> http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
> 1484738365.760      0 114.143.194.190 TCP_DENIED/403 4817 GET
> http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js
> - HIER_NONE/- text/html
> 1484738367.798      0 114.143.194.190 TCP_DENIED/403 4066 CONNECT
> init.itunes.apple.com:443 - HIER_NONE/- text/html
> 1484738367.922      0 114.143.194.190 TCP_DENIED/403 4334 GET
> http://www.apple.com/apple-touch-icon-76x76-precomposed.png -
> HIER_NONE/- text/html
> 1484738367.963      0 114.143.194.190 TCP_DENIED/403 4025 CONNECT
> gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
> 1484738368.036      0 114.143.194.190 TCP_DENIED/403 4298 GET
> http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/-
> text/html
<snip>


What you are expected to do on Debian and Ubuntu installs is set up
the "localnet" ACL to be appropriate for your LAN. It is commented out by
default.
 Search squid.conf for "#http_access allow localnet" and "#acl localnet"

When that is done the above should work. No NAT needed.


These are origin requests (port 80 syntax):

> 1484738858.272      0 10.99.1.1 TAG_NONE/400 4154 GET
> /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml
> - HIER_NONE/- text/html
> 1484738858.990      0 10.99.1.1 TAG_NONE/400 4004 GET
> /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
> 1484738860.362      0 10.99.1.1 TAG_NONE/400 5350 GET
> /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1&ndh=1&t=18%2F0%2F2017%2016%3A57%3A40%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=4&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1
> - HIER_NONE/- text/html
> 1484739056.258      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
> 1484739056.480      0 10.99.1.1 TCP_DENIED/403 4290 GET
> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
> HIER_NONE/- text/html
> 1484739057.106      0 10.99.1.1 TAG_NONE/400 3994 GET
> /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
<snip>

Notice how both those sets of requests are reaching your proxy properly.
The VPN is still working just fine.

> 
> 
> My /etc/squid/squid.conf file has only one change and that is:
> http_access allow all
> 

Where? Order and position are important.


You have not added the squid.conf line required for Squid to receive the
iptables packets from NAT.
  <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>

Amos
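A squid.conf fragment showing the two port modes and the localnet ACL ordering discussed above. This is an added example, not configuration from the thread or from the Squid project; the 10.99.1.0/24 VPN pool, port 3129 for the intercept listener, and the /etc/squid/blocked.txt file are assumptions.

```conf
# Added example (not from the thread). Assumes the VPN client pool is
# 10.99.1.0/24 (only 10.99.1.1 appears in the logs) and that TCP 3129 is free.

# Explicit proxy port: clients configured to use <server>:3128 send
# "CONNECT host:443" and "GET http://..." requests here (the first log set).
http_port 3128

# Intercept port: receives connections that iptables REDIRECTs from dport 80.
# Those requests arrive in origin syntax ("GET /path", the second log set),
# so Squid must know they were NAT-intercepted to reconstruct the URL.
# The REDIRECT rule's --to-port must name this port, not 3128.
http_port 3129 intercept

# Client networks allowed to use the proxy (the "localnet" ACL that the
# Debian/Ubuntu default squid.conf ships commented out).
acl localnet src 10.99.1.0/24          # VPN client pool (assumed)

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

# Destinations to block, one domain per line (assumed file path).
acl blocked dstdomain "/etc/squid/blocked.txt"

# Order matters: http_access rules are checked top to bottom and the first
# match wins. A rule placed after "deny all" never fires.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked
http_access allow localnet
http_access allow localhost
http_access deny all
```

With this layout the localnet allow is reached before the final deny, and the intercepted port-80 traffic gets its own listener as the LinuxRedirect wiki page describes.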
