[squid-users] TPROXY Error

Ben Goz ben.goz87 at gmail.com
Mon Jul 5 11:31:09 UTC 2021


By the help of God.

Does someone have an idea what's wrong with my configuration?

On 30/06/2021 15:55, Ben Goz wrote:
>
> On 30/06/2021 15:25, Antony Stone wrote:
>> On Wednesday 30 June 2021 at 14:16:09, Ben Goz wrote:
>>
>>> I'm trying to configure squid as a transparent proxy using TPROXY.
>>> The machine I'm using has 2 NICs, one for input and the other one for
>>> output traffic.
>>> The TPROXY iptables rules are configured on the input NIC.
>> 1. Which version of Squid are you using?
> # ./squid -v
> Squid Cache: Version 4.15
> Service Name: squid
>
> This binary uses OpenSSL 1.1.1f  31 Mar 2020. For legal restrictions 
> on distribution see https://www.openssl.org/source/license.html
>
> configure options:  '--with-openssl' '--enable-ssl-crtd' 
> '--enable-ecap' '--enable-linux-netfilter' --enable-ltdl-convenience
>
>>
>> 2. Please show us the TPROXY rules you have.
>
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 15644
> iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 15645
>
>
> including:
>
> ip rule add fwmark 1 lookup 100
> ip -f inet route add local default dev lo table 100
>
>>
>> 3. Please show us the relevant lines for intercept proxying from your
>> squid.conf
>
>
> http_port 15644 tproxy
> https_port 15645 ssl-bump tproxy generate-host-certificates=on options=ALL dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem dhparams=/usr/local/squid/etc/dhparam.pem
> always_direct allow all
>
>
>
>>
>>
>> Regards,
>>
>>
>> Antony.
>>
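A TPROXY setup has three parts that must agree with each other: the mangle-table rules (which mark and which `--on-port`), the policy route (which fwmark looks up which table, and which table holds the `local` route) and the `tproxy`-flagged `http_port`/`https_port` lines in squid.conf. The script below is an added example, not part of the thread or of Squid; it parses constructed copies of the lines quoted above offline instead of querying the live iptables, ip or squid state, and the function names are my own. It reports a mismatch in any of the three relationships, which is a cheap first check before digging into Squid's cache.log.

```shell
#!/bin/sh
# Added example: cross-check the iptables, policy-routing and squid.conf
# pieces of a Squid TPROXY setup for consistency. All inputs are constructed
# copies of the configuration posted in the thread.

IPTABLES_RULES='iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 15644
iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 15645'

IP_RULES='ip rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100'

SQUID_CONF='http_port 15644 tproxy
https_port 15645 ssl-bump tproxy generate-host-certificates=on options=ALL dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem dhparams=/usr/local/squid/etc/dhparam.pem
always_direct allow all'

NL='
'

# Return 0 when $1 is exactly one non-empty line.
single_line() {
    case $1 in *"$NL"*) return 1 ;; esac
    [ -n "$1" ]
}

# Print the --on-port values of all TPROXY rules, one per line, numerically sorted.
tproxy_on_ports() {
    printf '%s\n' "$1" | grep -- '-j TPROXY' |
        sed -n 's/.*--on-port \([0-9][0-9]*\).*/\1/p' | sort -n
}

# Print the port of every http_port/https_port line that carries the tproxy flag.
squid_tproxy_ports() {
    printf '%s\n' "$1" | awk '/^https?_port/ && / tproxy( |$)/ { print $2 }' | sort -n
}

# Return 0 when the set of TPROXY --on-port values equals the set of tproxy squid ports.
ports_consistent() {
    [ -n "$(tproxy_on_ports "$1")" ] &&
        [ "$(tproxy_on_ports "$1")" = "$(squid_tproxy_ports "$2")" ]
}

# Print the distinct decimal values following keyword $1 in text $2
# (hex such as 0x1 is normalised; a /mask suffix is ignored).
marks_after() {
    printf '%s\n' "$2" | sed -n "s/.*$1 \\([0-9a-fA-Fx]*\\).*/\\1/p" |
        while read -r m; do echo $(( $m )); done | sort -u
}

# Return 0 when --tproxy-mark, MARK --set-mark and the ip rule fwmark are one and the same value.
marks_consistent() {
    t=$(marks_after '--tproxy-mark' "$1")
    s=$(marks_after '--set-mark' "$1")
    f=$(marks_after 'fwmark' "$2")
    single_line "$t" && [ "$t" = "$s" ] && [ "$s" = "$f" ]
}

# Return 0 when the table the fwmark rule looks up is the table holding the local default route.
table_consistent() {
    rule_table=$(printf '%s\n' "$1" | sed -n 's/^ip rule .*lookup \([0-9][0-9]*\).*/\1/p')
    route_table=$(printf '%s\n' "$1" | sed -n 's/^ip .*route add local .*table \([0-9][0-9]*\).*/\1/p')
    single_line "$rule_table" && [ "$rule_table" = "$route_table" ]
}

# Run every check against the posted configuration; one line per check, return 0 only if all pass.
check_all() {
    rc=0
    for check in ports marks table; do
        case $check in
            ports) ports_consistent "$IPTABLES_RULES" "$SQUID_CONF" ;;
            marks) marks_consistent "$IPTABLES_RULES" "$IP_RULES" ;;
            table) table_consistent "$IP_RULES" ;;
        esac && echo "ok   $check" || { echo "FAIL $check"; rc=1; }
    done
    return $rc
}

check_all
```

The regular expressions match the command syntax as it was posted (`iptables ... --set-mark N`, `--tproxy-mark V/M`, `ip rule add fwmark N lookup T`); they are not written for `iptables-save` output, which prints marks in a different form. For the configuration quoted above all three checks pass, which narrows the problem to something these lines do not show, such as the `rp_filter` and routing behaviour on the two NICs or what Squid itself logs.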
