[squid-users] intercept vs. accel vhost allow-direct
sknz
sakibnizam at gmail.com
Fri Sep 13 08:12:39 UTC 2019
Hello Amos,
For clarification, I'm running an AP-Hotspot server (coovachilli, freeradius,
squid, etc.) with two NICs (eth0 and eth1). eth0 is for WAN (internet) and eth1
is for managing the LAN (APs). Coovachilli has created tun0 under the eth1
interface. I'm using squid-3.4.8 as an HTTP transparent proxy.
# Hardware Setup Diagram <https://i.stack.imgur.com/sKF9e.png>
# ifconfig:
eth0 Link encap:Ethernet HWaddr d8:cb:8a:53:b5:ff
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
RX bytes:145897 (142.4 KiB) TX bytes:86949 (84.9 KiB)
eth1 Link encap:Ethernet HWaddr 00:e0:4c:53:44:58
inet6 addr: fe80::2e0:4cff:fe53:4458/64 Scope:Link
RX bytes:178346 (174.1 KiB) TX bytes:366000 (357.4 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
RX bytes:15724 (15.3 KiB) TX bytes:15724 (15.3 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00
inet addr:10.1.0.1 P-t-P:10.1.0.1 Mask:255.255.255.0
RX bytes:111251 (108.6 KiB) TX bytes:347971 (339.8 KiB)
# This is my updated squid.conf as per your suggestion, 3129 for forward-proxy and 3130 for intercepting HTTP:
http_port 3129
http_port 3130 intercept
# Squid is listening on expected ports; netstat -tunlp:
tcp6 0 0 :::3129 :::* LISTEN 1754/(squid-1)
tcp6 0 0 :::3130 :::* LISTEN 1754/(squid-1)
udp6 0 0 :::41845 :::* 1754/(squid-1)
# Squid is not throwing any error; tail -4 /etc/squid3/cache.log:
Accepting HTTP Socket connections at local=[::]:3129 remote=[::] FD 11 flags=9
Accepting NAT intercepted HTTP Socket connections at local=[::]:3130 remote=[::] FD 12 flags=41
ICMP socket opened.
storeLateRelease: released 0 objects
# No response if I run squidclient under SSH on the server; squidclient -p 3129 http://www.example.com
Sending HTTP request ... done.
I've tried removing all "-i" options from iptables and updating the mangle rules as per your
suggestion; no effect. I've opened the intercept port also.
This is my original iptables with the adjusted rules:
#nat
-A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3130 #redirect http to squid intercept port
-A POSTROUTING -o eth0 -j MASQUERADE
#mangle
-A PREROUTING -s 10.1.0.0/24 -d 10.1.0.1/32 -p tcp -m tcp --dport 3130 -j DROP #drop direct attempts to proxy intercept port
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#filters
-A INPUT -i eth1 -j DROP
-A INPUT -d 10.1.0.1/32 -i tun0 -p icmp -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 255.255.255.255/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3130 -j ACCEPT
#squid intercept
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3129 -j ACCEPT
#squid forward
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
#chilli controller
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 2812 -j ACCEPT #freeradius
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT #https
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT #http
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 4990 -j ACCEPT
#hotspot UAM
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -j DROP
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i tun0 ! -o eth0 -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o eth1 -j DROP
-A FORWARD -i eth1 -j DROP
So from here, all I can do is an HTTPS connection; no HTTP connection is allowed from
the AP side.
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html