[squid-users] Capture incoming information from one squid

Marcelo marcelorodrigo at graminsta.com.br
Fri Aug 19 23:20:56 UTC 2022


Thanks Alex,

1- Is it possible to provide me with an example of squid.conf of both parent
and child squids?

I am having very basic doubts about cache_peer and it's very hard to find
complete squid.confs over the internet.

2- Does cache_peer really route the connection to the second squid server, or
does it just look for a hit in the second server's cache?
I need the second server to not just authenticate the user, but to know from
which port the user got in the first squid server in order to forward this
user through different routes based on this incoming port number.

I want to use the first squid just as a dst.domain filter, for it to decide,
based on the dst.domain list, if the user will be forwarded to a local route
or if this user is going to be sent to the second squid server, which,
based on the original incoming port, can decide through which
tcp_outgoing_address he will be going out.

Thanks for all the help.

Marcelo.




On 8/15/22 21:49, Marcelo wrote:

> How can I transfer connection information from one squid server to
> another?

Use cache_peer login=PASSTHRU or login=PASS. Other login=... options may
also be of interest. See cache_peer documentation in your
squid.conf.documented for details and caveats.


HTH,


Alex.


> Example:
> 
> A user connects to Squid One (Squid One IP 192.1.1.1) through port 
> 4000 using usr/pw credentials.
> 
> Squid One authenticates it via SQL DB. This part is already working fine.
> 
> Squid One verifies if destination website is in dst domain list.
> 
> If yes Squid One routes it to Route A. End of story.
> 
> If no Squid One routes it to Squid Two.
> 
> But Squid One must inform Squid Two who the user is and which port he 
> asked to connect to.
> 
> Why? Because Squid Two must use this info as if the user itself is 
> connecting to Squid Two.
> Why, again? Because Squid Two will use this info to route this user to 
> the correct route. This part is also done.
> 
> My doubt is, is there a way to make Squid Two "think" that the user is 
> connecting directly to Squid Two, so that Squid Two can use the user/port 
> information to route this poor little guy?
> 
> It's a bit hard to explain it through email.
> 
> Best Regards.
> 
> Marcelo.
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
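The two-proxy layout Marcelo describes, written out as a pair of squid.conf fragments. This is an added example, not a configuration posted by anyone on the list: the Squid Two address 192.1.1.2, the listening ports 4000/4001 and 5000/5001, the outgoing addresses 198.51.100.10/11, the auth helper path and the domain list file are all assumptions chosen for illustration. The idea is that the incoming port number does not survive a cache_peer hop by itself, so Squid One uses one cache_peer entry per Squid Two port, selected with a myportname ACL, and Squid Two then keys tcp_outgoing_address on its own myportname. login=PASSTHRU forwards the client's Proxy-Authorization header unchanged, so Squid Two re-authenticates against the same database; because those credentials are relayed, Squid Two's ports are restricted to Squid One's source address.

```conf
# ===== Squid One (child, 192.1.1.1): authenticates, serves listed domains
# ===== locally (Route A), hands everything else to Squid Two =====
http_port 4000 name=port4000
http_port 4001 name=port4001

# hypothetical SQL-backed basic auth helper; replace with the real helper path
auth_param basic program /usr/lib/squid/basic_db_auth
auth_param basic children 5
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

# assumed file with one domain per line (the "dst domain list")
acl localroute dstdomain "/etc/squid/localroute.txt"

http_access allow authenticated
http_access deny all

# one parent entry per Squid Two port, so the original port is encoded in
# the choice of peer; login=PASSTHRU relays the client's credentials
cache_peer 192.1.1.2 parent 5000 0 no-query no-digest login=PASSTHRU name=two_from4000
cache_peer 192.1.1.2 parent 5001 0 no-query no-digest login=PASSTHRU name=two_from4001

acl in4000 myportname port4000
acl in4001 myportname port4001
cache_peer_access two_from4000 allow in4000
cache_peer_access two_from4000 deny all
cache_peer_access two_from4001 allow in4001
cache_peer_access two_from4001 deny all

# listed domains go out directly (Route A); always_direct wins over never_direct
always_direct allow localroute
# everything else must be forwarded to a peer, i.e. to Squid Two
never_direct allow all

# ===== Squid Two (parent, 192.1.1.2): re-authenticates and picks the
# ===== outgoing address from the port Squid One used to reach it =====
http_port 5000 name=from4000
http_port 5001 name=from4001

auth_param basic program /usr/lib/squid/basic_db_auth
auth_param basic children 5
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

# only Squid One may submit relayed credentials to these ports
acl squid_one src 192.1.1.1
http_access deny !squid_one
http_access allow authenticated
http_access deny all

acl via4000 myportname from4000
acl via4001 myportname from4001
tcp_outgoing_address 198.51.100.10 via4000
tcp_outgoing_address 198.51.100.11 via4001
```

Run `squid -k parse` on each file before reloading; it reports unknown directives and bad ACL references. On Squid Two, a `%>p`-style logformat field (or simply the port-named ACL names in access.log after adding `%rp`/`%la`) shows which listening port a request arrived on, which is the quickest way to confirm the mapping works end to end.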



------------------------------

Message: 5
Date: Thu, 18 Aug 2022 05:08:35 +0200
From: M K <mohammed.khallaf at gmail.com>
To: Rafael Akchurin <rafael.akchurin at diladele.com>
Cc: "squid-users at lists.squid-cache.org"
	<squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] Squid 4.8+ intercept
Message-ID:
	<CAFMSmTvypP-Z+iiZiO=0CEB68d0sMn6f9FkmKNtsHxPg-EdfVw at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hello Rafael,

Thank you for your reply. The key problem in my case is that I'm using a
complex NAT/Mangle setup, with too many decisions to be made. When I finally
succeeded, I was able to pinpoint the glitch in my setup:
"Ensure NAT Rule is Applied to WAN Interface Only" in your excellent guide.

Since I'm unable to do that in my setup, I used a better and safer
approach: just create a NAT rule that will ACCEPT traffic from intercepted
clients with no further action, and place it high enough in the NAT
rule chain so it basically skips regular NAT.

Thank you for the excellent guide.

All best,
K


On Tue, Aug 9, 2022 at 10:54 PM Rafael Akchurin
<rafael.akchurin at diladele.com> wrote:
>
> Hello K,
>
> We use
> https://docs.diladele.com/tutorials/mikrotik_transparent_squid/index.html
>
> Best regards,
> Rafael
>
> Op 9 aug. 2022 om 21:29 heeft M K <mohammed.khallaf at gmail.com> het
volgende geschreven:
>
> Hello,
>
> I have a setup like this one:
>
> | Client | =====> | Router | =====> Internet
>                      ||
>                      \/
>                   | Squid |
>
> ...the router is a Mikrotik router capable of all things NAT/Redirect and
> whatnot. Squid server has only one network interface.
> Using the router:
> - I tried routing traffic to squid server IP.
> - I tried destination-NATing from client to server IP, with origin server
> IP-and-port natted to squid IP-and-port, and with origin server IP-only
> natted to squid-IP.
>
> I have been struggling for 2 days to set up a working Squid 4.8 or higher
> interception.
> Test server is running Ubuntu 18.4.3 and Squid 4.8.
> Documentation is either too trimmed or extremely outdated.
> Any help would be very much appreciated.
>
> All best,
> K


------------------------------

Message: 6
Date: Thu, 18 Aug 2022 05:20:09 +0200
From: M K <mohammed.khallaf at gmail.com>
To: ngtech1ltd at gmail.com
Cc: squid-users at lists.squid-cache.org,  Rafael Akchurin
	<rafael.akchurin at diladele.com>
Subject: Re: [squid-users] Squid 4.8+ intercept
Message-ID:
	<CAFMSmTua4_eQ4iyY-zwCSkqYk+E1Rjd0CtzvxYi7vP_ty=pQAg at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hello Eliezer,

I finally got my setup to work; it turned out to be intercepted clients running
into default NAT, while my test squid server did not allow them access, not
even through iptables!

Now, I have one last bit to handle, which you did not cover in your video.
I'm using 3 ports for squid like Rafael's guide: one for normal CONNECT, one
for intercepted plain HTTP on 80, and one for intercepted HTTPs on 443.

The setup works awesome for TLS addresses (i.e. https://), but browser
redirection from plain to TLS, say from http://cnn.com to https://cnn.com,
fails to happen. It just waits, then times out.
What could be done to make it happen?

All best,
K


On Sat, Aug 13, 2022 at 7:57 PM <ngtech1ltd at gmail.com> wrote:
>
> Hey K,
>
>
>
> What RouterOS version are you using?
>
> Also, what rules have you applied?
>
> If there is a very long delay and then a failure you should verify that
> the rules you wrote are proper to your environment.
>
> You should route packets based on connection marks and mark only new
> connections from LAN IP addresses and only on the LAN interface.
>
> As I showed in the demo video it's very simple to implement.
>
>
>
> Let me know if you are still having issues.
>
>
>
> Eliezer
>
>
>
> ----
>
> Eliezer Croitoru
>
> NgTech, Tech Support
>
> Mobile: +972-5-28704261
>
> Email: ngtech1ltd at gmail.com
>
> Web: https://ngtech.co.il/
>
> My-Tube: https://tube.ngtech.co.il/
>
>
>
> From: M K <mohammed.khallaf at gmail.com>
> Sent: Saturday, 13 August 2022 10:59
> To: ngtech1ltd at gmail.com
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid 4.8+ intercept
>
>
>
> Thank you for your quick reply. The text-drawing actually changed with a
> different font; the squid server is effectively connected to the MikroTik
> router, not the same physical link as the client.
>
>
>
> The MikroTik router sits between the client and squid server.
>
>
>
> That said, I can confirm that the MikroTik router is effectively able to
> route/DNAT client packets going to ports 80 and 443 to the squid server.
> Depending on the router rules, be it route or dnat, the client browser
> effectively displays the error page of squid, or goes into a very long delay
> then failure.
>
>
>
> I will retry and let you know.
>
>
>
> K
>
> On Wed, Aug 10, 2022, 10:08 <ngtech1ltd at gmail.com> wrote:
>
> Hey K,
>
>
>
> I am not sure about the network topology.
>
> Preferably the Squid should reside on another network than the clients if
> it's intercepting the traffic.
>
> Also, I assume it's not a TPROXY setup so it should be pretty simple and
> straightforward.
>
>
>
> I understand why you are asking this question.
>
> Also take into account that Mikrotik is now on 7.4 firmware and it's
> recommended to use this one.
>
> If you are using any other version let me know so I can try to make sense
> of the differences.
>
> I will try to give a DEMO for such a setup and how to make it work.
>
>
>
> Eliezer
>
>
>
>
>
>
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On 
> Behalf Of M K
> Sent: Tuesday, 9 August 2022 22:29
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] Squid 4.8+ intercept
>
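The three-port layout K describes (one forward port for clients configured to use the proxy, one intercept port for plain HTTP redirected from port 80, one intercept port for HTTPS redirected from port 443), written out as a squid.conf fragment for Squid 4. This is an added example, not Rafael's guide or K's configuration: the port numbers 3128/3129/3130, the client range 192.168.88.0/24 and the certificate path are assumptions. It uses peek-and-splice only, so TLS stays end to end and Squid routes the flow on the SNI it reads during the ClientHello without decrypting anything; the certificate on the https_port is still required by Squid for ssl-bump to be enabled. The router (DNAT rules on the Mikrotik, as in the thread) is expected to send only client traffic to 3129 and 3130, and the http_access rules refuse everything else, which also keeps the intercept ports from being reachable as open proxies.

```conf
# Forward port: browsers explicitly configured to use the proxy
# (CONNECT for https:// URLs arrives here).
http_port 3128

# Intercepted plain HTTP: the router DNATs client tcp/80 traffic here.
# This port must never be used as an explicit proxy port.
http_port 3129 intercept

# Intercepted HTTPS: the router DNATs client tcp/443 traffic here.
# ssl-bump is needed so Squid can peek at the TLS ClientHello (SNI);
# tls-cert= is mandatory for an ssl-bump port even when nothing is decrypted.
# (Older Squid 4 guides spell the option cert=; both are accepted in 4.x.)
https_port 3130 intercept ssl-bump tls-cert=/etc/squid/ssl_cert/squidCA.pem

# constructed client range; only these sources may use the proxy at all
acl localnet src 192.168.88.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# peek at the handshake, then splice: no decryption, original certificate
# reaches the browser unchanged
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# intercepted requests carry the original destination; log it for checking
logformat intercept %ts.%03tu %>a:%>p %ru %>Hs %rm %la:%lp
access_log daemon:/var/log/squid/access.log intercept
```

A handy check after reloading: a request that arrived on 3129 or 3130 shows the local port (`%lp`) as 3129/3130 in the custom log line, while an explicit-proxy request shows 3128. If an intercepted client instead appears with the router's address as `%>a`, the source NAT (masquerade) is still rewriting client packets before they reach Squid, which is the symptom K resolved by accepting that traffic early in the NAT chain.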


------------------------------

End of squid-users Digest, Vol 96, Issue 35
*******************************************


