[squid-users] tcp_outgoing_address directive ignored, data goes out on default gateway

N jointdogg at gmail.com
Sat Nov 26 10:49:34 UTC 2022


Hi,
I'm trying to use tcp_outgoing_address to forward traffic from specific
users to a specific interface.

I'm running Squid 5.7 (on OpenWrt).
I have a few interfaces on my machine, two of which are VPN interfaces with
IPs (internal) 10.200.0.70 and 10.102.237.50.
Trying to forward user "uk" to the interface with IP 10.200.0.70 is
"ignored" - I can see that the default WAN interface is used. I see it by
using a simple "what is my ip" test when using the proxy, and checking the
traffic of the interfaces when sending requests.

The relevant excerpt from the squid conf:
acl auth_users proxy_auth REQUIRED
acl wg_uk proxy_auth uk
tcp_outgoing_address 10.200.0.70 wg_uk

I can see that the IP and config are not wrong because the requests don't
get 503 errors (if I change the IP to a non-existent one, e.g. 10.200.0.71,
I do get 503 errors).

Small excerpt from the squid_cache.log (proxy server is 192.168.1.1, proxy
client is 192.168.1.149):
2022/11/26 11:28:48.286| 17,3| FwdState.cc(394) Start: '
http://detectportal.firefox.com/canonical.html'
2022/11/26 11:28:48.286| 17,2| FwdState.cc(157) FwdState: Forwarding client
request conn157 local=192.168.1.1:3128 remote=192.168.1.149:64723 FD 13
flags=1, url=http://detectportal.firefox.com/canonical.html
2022/11/26 11:28:48.287| 44,2| peer_select.cc(460) resolveSelected: Find IP
destination for: http://detectportal.firefox.com/canonical.html' via
detectportal.firefox.com
2022/11/26 11:28:48.287| 14,4| ipcache.cc(607) nbgethostbyname:
detectportal.firefox.com
2022/11/26 11:28:48.287| 14,3| Address.cc(389) lookupHostIP: Given Non-IP '
detectportal.firefox.com': Name does not resolve
2022/11/26 11:28:48.287| 14,4| ipcache.cc(647) ipcache_nbgethostbyname_:
ipcache_nbgethostbyname: HIT for 'detectportal.firefox.com'
2022/11/26 11:28:48.287| 14,7| ipcache.cc(250) forwardIp: 34.107.221.82
2022/11/26 11:28:48.287| 28,3| Checklist.cc(70) preCheck: 0x7ffd71e3d440
checking fast ACLs
2022/11/26 11:28:48.287| 28,5| Acl.cc(124) matches: checking
tcp_outgoing_address 10.200.0.70
2022/11/26 11:28:48.287| 28,5| Acl.cc(124) matches: checking
(tcp_outgoing_address 10.200.0.70 line)
2022/11/26 11:28:48.287| 28,5| Acl.cc(124) matches: checking wg_uk
2022/11/26 11:28:48.287| 29,5| UserRequest.cc(75) valid: Validated.
Auth::UserRequest '0x1bad2e0'.
2022/11/26 11:28:48.287| 28,4| Acl.cc(346) cacheMatchAcl:
ACL::cacheMatchAcl: cache hit on acl 'wg_uk' (0x1551ca0)
2022/11/26 11:28:48.287| 28,3| Acl.cc(151) matches: checked: wg_uk = 1
2022/11/26 11:28:48.287| 28,3| Acl.cc(151) matches: checked:
(tcp_outgoing_address 10.200.0.70 line) = 1
2022/11/26 11:28:48.287| 28,3| Acl.cc(151) matches: checked:
tcp_outgoing_address 10.200.0.70 = 1
2022/11/26 11:28:48.287| 28,3| Checklist.cc(63) markFinished:
0x7ffd71e3d440 answer ALLOWED for match
2022/11/26 11:28:48.287| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7ffd71e3d440
2022/11/26 11:28:48.287| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7ffd71e3d440
2022/11/26 11:28:48.287| 24,7| SBuf.cc(209) append: from c-string to id
SBuf10501
2022/11/26 11:28:48.287| 24,7| SBuf.cc(160) rawSpace: reserving 46 for
SBuf10501
2022/11/26 11:28:48.287| 24,7| SBuf.cc(866) reAlloc: SBuf10501 new store
capacity: 128
2022/11/26 11:28:48.287| 44,2| peer_select.cc(1171) handlePath:
PeerSelector27 found conn167 local=10.200.0.70 remote=34.107.221.82:80
HIER_DIRECT flags=1, destination #1 for
http://detectportal.firefox.com/canonical.html
2022/11/26 11:28:48.288| 44,2| peer_select.cc(1177) handlePath:
always_direct = DENIED
2022/11/26 11:28:48.288| 44,2| peer_select.cc(1178) handlePath:
 never_direct = DENIED
2022/11/26 11:28:48.288| 44,2| peer_select.cc(1179) handlePath:
 timedout = 0
2022/11/26 11:28:48.288| 44,7| peer_select.cc(1149) interestedInitiator:
PeerSelector27
2022/11/26 11:28:48.288| 17,3| FwdState.cc(631) noteDestination: conn167
local=10.200.0.70 remote=34.107.221.82:80 HIER_DIRECT flags=1
2022/11/26 11:28:48.288| 17,3| FwdState.cc(1135) connectStart: 1+ paths to
http://detectportal.firefox.com/canonical.html
2022/11/26 11:28:48.288| 11,7| HttpRequest.cc(468) clearError: old: ERR_NONE
2022/11/26 11:28:48.288| 17,5| AsyncCall.cc(30) AsyncCall: The AsyncCall
FwdState::noteConnection constructed, this=0x1b97100 [call1887]
2022/11/26 11:28:48.288| 93,5| AsyncJob.cc(34) AsyncJob: AsyncJob
constructed, this=0x1b86e18 type=HappyConnOpener [job99]
2022/11/26 11:28:48.288| 93,5| AsyncCall.cc(30) AsyncCall: The AsyncCall
AsyncJob::start constructed, this=0x1b09300 [call1888]
2022/11/26 11:28:48.288| 93,5| AsyncCall.cc(97) ScheduleCall:
AsyncJob.cc(26) will call AsyncJob::start() [call1888]
2022/11/26 11:28:48.288| 14,7| ipcache.cc(250) forwardIp:
[2600:1901:0:38d7::]
2022/11/26 11:28:48.288| 44,7| peer_select.cc(1149) interestedInitiator:
PeerSelector27
2022/11/26 11:28:48.288| 24,6| SBuf.cc(99) assign: SBuf10502 from c-string,
n=4294967295)
2022/11/26 11:28:48.288| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x7ffd71e3d440
2022/11/26 11:28:48.288| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7ffd71e3d440
2022/11/26 11:28:48.288| 24,7| SBuf.cc(209) append: from c-string to id
SBuf10503
2022/11/26 11:28:48.288| 24,7| SBuf.cc(160) rawSpace: reserving 46 for
SBuf10503
2022/11/26 11:28:48.288| 24,7| SBuf.cc(866) reAlloc: SBuf10503 new store
capacity: 128
2022/11/26 11:28:48.288| 44,2| peer_select.cc(1171) handlePath:
PeerSelector27 found conn168 local=[::] remote=[2600:1901:0:38d7::]:80
HIER_DIRECT flags=1, destination #2 for
http://detectportal.firefox.com/canonical.html
2022/11/26 11:28:48.288| 44,2| peer_select.cc(1177) handlePath:
always_direct = DENIED
2022/11/26 11:28:48.288| 44,2| peer_select.cc(1178) handlePath:
 never_direct = DENIED
2022/11/26 11:28:48.288| 44,2| peer_select.cc(1179) handlePath:
 timedout = 0
2022/11/26 11:28:48.288| 44,7| peer_select.cc(1149) interestedInitiator:
PeerSelector27
2022/11/26 11:28:48.288| 17,3| FwdState.cc(631) noteDestination: conn168
local=[::] remote=[2600:1901:0:38d7::]:80 HIER_DIRECT flags=1
2022/11/26 11:28:48.288| 17,7| FwdState.cc(690) notifyConnOpener: reusing
pending notification about 2+ paths
2022/11/26 11:28:48.288| 14,7| ipcache.cc(231) finalCallback: 0x1af12b8
2022/11/26 11:28:48.288| 44,7| peer_select.cc(1149) interestedInitiator:
PeerSelector27
2022/11/26 11:28:48.288| 44,7| peer_select.cc(1149) interestedInitiator:
PeerSelector27
2022/11/26 11:28:48.288| 24,7| SBuf.cc(209) append: from c-string to id
SBuf10504
2022/11/26 11:28:48.288| 24,7| SBuf.cc(160) rawSpace: reserving 46 for
SBuf10504
2022/11/26 11:28:48.288| 24,7| SBuf.cc(866) reAlloc: SBuf10504 new store
capacity: 128
2022/11/26 11:28:48.288| 44,2| peer_select.cc(479) resolveSelected:
PeerSelector27 found all 2 destinations for
http://detectportal.firefox.com/canonical.html
2022/11/26 11:28:48.288| 44,2| peer_select.cc(480) resolveSelected:
always_direct = DENIED
2022/11/26 11:28:48.288| 44,2| peer_select.cc(481) resolveSelected:
 never_direct = DENIED
2022/11/26 11:28:48.288| 44,2| peer_select.cc(482) resolveSelected:
 timedout = 0

Can anyone help me understand what I'm missing?
Thanks!
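
An added example, not part of the original post: a small Python script that re-joins the wrapped cache.log lines and lists the local address Squid selected for each destination, flagging any destination left with an unspecified local address. The sample lines are copied from the excerpt above; the function names are this example's own.

```python
import re

# Sample lines copied from the cache.log excerpt in the post, keeping the
# mailing-list line wrapping so the joiner below has something to do.
SAMPLE_LOG = """\
2022/11/26 11:28:48.287| 28,3| Acl.cc(151) matches: checked: wg_uk = 1
2022/11/26 11:28:48.287| 44,2| peer_select.cc(1171) handlePath:
PeerSelector27 found conn167 local=10.200.0.70 remote=34.107.221.82:80
HIER_DIRECT flags=1, destination #1 for
http://detectportal.firefox.com/canonical.html
2022/11/26 11:28:48.288| 44,2| peer_select.cc(1171) handlePath:
PeerSelector27 found conn168 local=[::] remote=[2600:1901:0:38d7::]:80
HIER_DIRECT flags=1, destination #2 for
http://detectportal.firefox.com/canonical.html
"""

STAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\| ")
PATH = re.compile(r"handlePath: \S+ found (conn\d+) local=(\S+) remote=(\S+) "
                  r".*?destination #(\d+)")
UNSPECIFIED = {"[::]", "0.0.0.0"}  # wildcard: no outgoing address was bound


def join_wrapped(text):
    """Re-join log records that were wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records


def outgoing_paths(text):
    """Return one dict per destination Squid selected, with its local address."""
    paths = []
    for record in join_wrapped(text):
        m = PATH.search(record)
        if not m:
            continue
        conn, local, remote, num = m.groups()
        # Drop an optional :port from the local endpoint (IPv4 or [IPv6]).
        addr = local[:local.index("]") + 1] if local.startswith("[") else local.split(":")[0]
        paths.append({"dest": int(num), "conn": conn, "local": addr,
                      "remote": remote, "bound": addr not in UNSPECIFIED})
    return paths


if __name__ == "__main__":
    for p in outgoing_paths(SAMPLE_LOG):
        state = "bound" if p["bound"] else "NOT bound (kernel picks source)"
        print(f"destination #{p['dest']} {p['conn']}: local={p['local']} -> {p['remote']} [{state}]")
```

On this excerpt it reports destination #1 bound to 10.200.0.70 and destination #2 (the IPv6 address) with local=[::], since an IPv4 tcp_outgoing_address line only applies to IPv4 destinations. Which interface a bound connection actually leaves on is then decided by the kernel routing table, not by Squid.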