[squid-users] Squid tproxy net unreachable

Abi Askushi rightkicktech at gmail.com
Tue May 16 13:53:05 UTC 2017


Thank you Amos.

I have the following at squidguard:

    default {
        pass     !porn !adv !drugs !custom any
        redirect http://localhost:10080/error.php
    }

With this, when squid is in intercept mode, the user is "redirected" to the error page.
I'm not sure if squidguard is rewriting or redirecting.
With squid in tproxy mode the user gets the squid error page "The Requested
URL cannot be retrieved: network unreachable 101 ... "

I did replace this squid error page with my custom one and it can be displayed
to the user, though this means that I will not be able to discern connection
errors from deny errors.
I would prefer not to do this dirty trick and to have a cleaner approach.
Attempts to resolve it through routing table hacks were also not
successful.

On Sun, May 14, 2017 at 3:16 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 14/05/17 01:59, Abi Askushi wrote:
>
>> Hi,
>>
>> I have set up squid (v 3.1.20) with tproxy and relevant iptables and
>> policy routes. It is functioning ok except one thing, squid is not able to
>> redirect to deny page (located on same device) and it gives error "101
>> network unreachable". I have squidguard in the setup as a helper program
>> and squidguard is doing the redirection to a page on localhost. With squid
>> in intercept mode this redirection to deny page is ok. I have also disabled
>> rpfilter in kernel. I may provide more details on configs if needed.
>>
>> Did anyone encounter this? Any ideas?
>>
>>
> It is not possible to use a global IP address (eg the spoofed client IP)
> to connect to any machine's lo (localhost) interface.
>
> So Squid is not able to perform TPROXY spoofing to fetch the page your SG
> is *re-writing* (not redirecting) the URL to. If you actually are
> redirecting then the client cannot connect to the web server running in
> *its* localhost interface.
>
>
> PS. please upgrade, no up to date OS releases I'm aware of still ship
> Squid-3.1.
>
> Amos
>
>
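
Added example, not part of the original thread: a small check that reads squidGuard `redirect` directives and reports the two loopback cases Amos describes (a URL rewrite that Squid must fetch itself, and a real HTTP redirect that sends the client to its own localhost). The `302:` status prefix is squidGuard's syntax for a real redirect; the second config block and the address 192.0.2.10 are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: first block is the config from the post, second block
# uses a placeholder address (192.0.2.10) standing in for a reachable server.
SAMPLE_CONF = """
default {
    pass     !porn !adv !drugs !custom any
    redirect http://localhost:10080/error.php
}
default {
    redirect 302:http://192.0.2.10:10080/error.php
}
"""

# squidGuard syntax: "redirect [301:|302:]URL". Without a status prefix the
# helper rewrites the URL and Squid itself fetches the replacement.
REDIRECT_RE = re.compile(r"^\s*redirect\s+(?:(30[12]):)?(\S+)", re.M)

def is_loopback(host):
    """True for 'localhost' and literal loopback addresses (no DNS lookup)."""
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # some other hostname; not resolved here

def check_redirects(conf_text):
    """Return (url, mode, finding) per redirect; finding is None if no loopback target."""
    results = []
    for status, url in REDIRECT_RE.findall(conf_text):
        mode = "redirect" if status else "rewrite"
        finding = None
        if is_loopback(urlsplit(url).hostname):
            if mode == "rewrite":
                finding = "Squid fetches this itself; a TPROXY-spoofed client IP cannot reach lo"
            else:
                finding = "client follows this to its own localhost, not the proxy host"
        results.append((url, mode, finding))
    return results

if __name__ == "__main__":
    for url, mode, finding in check_redirects(SAMPLE_CONF):
        print(f"{mode:8} {url}: {finding or 'no loopback target'}")
```
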