[squid-users] Connect strongSwan and Squid on same server

Varun Singh varun.singh at gslab.com
Thu Jan 19 10:13:27 UTC 2017


On Thu, Jan 19, 2017 at 2:59 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 19/01/2017 8:00 p.m., Varun Singh wrote:
>> Hi,
>> I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
>> 16.04 server and I am trying to connect both. By connect I mean, I am
>> trying to achieve following:
>>
>> [VPN Client] <------> [VPN Server] <-> [Squid] <------> [Internet]
>>
>> My objective is to connect a VPN client to VPN server and use Squid
>> for filtering out blocked URLs. strongSwan and Squid work fine on
>> their own. I can access internet when connected to VPN server and also
>> when configured HTTP Proxy without VPN.
>>
>
> Is the VPN acting as an interface on the client machine through which
> traffic is gatewayed?
>  or as a transparent tunnel to the proxy?
>
>
>> From what I understand, to achieve what I want, I am supposed to
>> redirect incoming HTTP traffic from port 80 to port using IPTables. I
>> enter following IPTables rule:
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
>> --to-port 3128
>>
>
> What are the squid.conf ports configured as?
>
>> Once I do this and try to access internet from a connected VPN client,
>> I get an error. Pasting a log of /var/log/squid/access.log
>>
>>
>
> These are explicit-proxy requests (port 3128 syntax):
>
>> 1484738365.632      0 114.143.194.190 TCP_DENIED/403 4066 CONNECT
>> api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
>> 1484738365.642      0 114.143.194.190 TCP_DENIED/403 4870 GET
>> http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css
>> - HIER_NONE/- text/html
>> 1484738365.643      0 114.143.194.190 TCP_DENIED/403 4852 GET
>> http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css
>> - HIER_NONE/- text/html
>> 1484738365.731      0 114.143.194.190 TCP_DENIED/403 4753 GET
>> http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
>> 1484738365.760      0 114.143.194.190 TCP_DENIED/403 4817 GET
>> http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js
>> - HIER_NONE/- text/html
>> 1484738367.798      0 114.143.194.190 TCP_DENIED/403 4066 CONNECT
>> init.itunes.apple.com:443 - HIER_NONE/- text/html
>> 1484738367.922      0 114.143.194.190 TCP_DENIED/403 4334 GET
>> http://www.apple.com/apple-touch-icon-76x76-precomposed.png -
>> HIER_NONE/- text/html
>> 1484738367.963      0 114.143.194.190 TCP_DENIED/403 4025 CONNECT
>> gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
>> 1484738368.036      0 114.143.194.190 TCP_DENIED/403 4298 GET
>> http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/-
>> text/html
> <snip>
>
>
> What you are expected to do on Debian and Ubuntu installs is setup
> the "localnet" ACL to be appropriate for your LAN. It is commented out by
> default.
>  Search squid.conf for "#http_access allow localnet" and "#acl localnet"
>
> When that is done the above should work. No NAT needed.
>
>
> These are origin requests (port 80 syntax):
>
>> 1484738858.272      0 10.99.1.1 TAG_NONE/400 4154 GET
>> /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml
>> - HIER_NONE/- text/html
>> 1484738858.990      0 10.99.1.1 TAG_NONE/400 4004 GET
>> /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
>> 1484738860.362      0 10.99.1.1 TAG_NONE/400 5350 GET
>> /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1&ndh=1&t=18%2F0%2F2017%2016%3A57%3A40%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=4&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1
>> - HIER_NONE/- text/html
>> 1484739056.258      0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
>> 1484739056.480      0 10.99.1.1 TCP_DENIED/403 4290 GET
>> http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png -
>> HIER_NONE/- text/html
>> 1484739057.106      0 10.99.1.1 TAG_NONE/400 3994 GET
>> /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
> <snip>
>
> Notice how both those sets of requests are reaching your proxy properly.
> The VPN is still working just fine.
>
>>
>>
>> My /etc/squid/squid.conf file has only one change and that is:
>> http_access allow all
>>
>
> Where? Order and position are important.
>
>
> You have not added the squid.conf line required for Squid to receive the
> iptables packets from NAT.
>   <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users


Thanks. Doing the following solved the problem:
"You have not added the squid.conf line required for Squid to receive the
iptables packets from NAT."

I think that is why Squid was not able to infer the packets received
on port 3128.

-- 
Regards,
Varun
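As an added illustration of the two points Amos raised (a dedicated squid.conf listener for the NAT-redirected packets, and a localnet ACL instead of "http_access allow all"), here is a small POSIX sh lint that is not from the thread or the Squid project. It embeds two constructed squid.conf fragments, a "before" resembling the original setup and an "after", and checks each for an intercept port distinct from the forward port and for an access policy that is not an open proxy. The intercept port 3129, the VPN subnet 10.99.1.0/24 and the interface name are assumptions chosen for the example; the generated iptables rule is only printed, never applied.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values: intercept
# listener on 3129, VPN client subnet 10.99.1.0/24.

# Constructed "before": one plain port and an open proxy policy.
BEFORE_CONF='http_port 3128
http_access allow all'

# Constructed "after": explicit port kept for clients that are configured
# with a proxy, a separate intercept listener for NAT-redirected packets,
# and access limited to the VPN subnet.
AFTER_CONF='# forward (explicit) proxy port
http_port 3128
# listener for packets redirected here by iptables NAT
http_port 3129 intercept
acl localnet src 10.99.1.0/24
http_access allow localnet
http_access deny all'

# Print the port of the first "http_port N intercept" line, empty if none.
intercept_port() {
    printf '%s\n' "$1" | awk '$1=="http_port" && /intercept/ {print $2; exit}'
}

# Print the port of the first plain (non-intercept) http_port line.
forward_port() {
    printf '%s\n' "$1" | awk '$1=="http_port" && !/intercept/ {print $2; exit}'
}

# Succeed only if the config has an intercept listener on a port that
# differs from the forward port (redirected packets must not land on 3128).
check_intercept() {
    _ip=$(intercept_port "$1")
    _fp=$(forward_port "$1")
    [ -n "$_ip" ] && [ "$_ip" != "$_fp" ]
}

# Succeed only if access is granted to localnet and never to "all".
check_access() {
    printf '%s\n' "$1" | grep -q '^http_access allow localnet' &&
    ! printf '%s\n' "$1" | grep -q '^http_access allow all'
}

# Render the NAT rule that pairs with the intercept port. Arguments:
# ingress interface and intercept port. The rule is printed, not applied.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$1" "$2"
}

# Lint one config and report; returns 0 when both checks pass.
lint_conf() {
    _name=$1; _conf=$2; _ok=0
    if check_intercept "$_conf"; then
        echo "$_name: intercept port $(intercept_port "$_conf") OK"
        echo "$_name: pair with: $(redirect_rule eth0 "$(intercept_port "$_conf")")"
    else
        echo "$_name: no separate 'http_port N intercept' line"; _ok=1
    fi
    if check_access "$_conf"; then
        echo "$_name: access policy OK"
    else
        echo "$_name: open proxy ('allow all') or no localnet rule"; _ok=1
    fi
    return $_ok
}

lint_conf before "$BEFORE_CONF"
lint_conf after "$AFTER_CONF"
```

Running it reports the "before" fragment as failing both checks and the "after" fragment as passing, and prints the PREROUTING rule that matches the intercept port so the two settings are changed together. Which interface to name in the rule is whichever one the decrypted VPN client packets arrive on; the lint treats it as a parameter.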

