[squid-users] Using Squid as a Transparent Proxy
Amos Jeffries
squid3 at treenet.co.nz
Fri Apr 24 03:42:51 UTC 2015
On 24/04/2015 2:29 p.m., Srinath Krishna wrote:
> Hello all,
>
> I'm trying my hands with openvswitch and squid. This is what I want to
> achieve.
>
> The client tries to connect to the server. This packet is handled through
> an openvswitch and it's sent to a machine running squid for proxying. The
> machine running squid sees the packet with client to server but iptables
> rules help in delivering this packet up the stack. On a cache hit, squid
> responds back to the client and also installs iptables rules on the fly and
> hence the source IP is that of the server.
No. Squid has nothing to do with any of that. The kernel TPROXY module
does it all.
>
> This is achieved through the following configuration in squid.conf.
>
> http_port 3128 intercept
>
"intercept" means NAT. Which cannot do what you are asking for.
> With this configuration however, on a cache miss case, squid uses it's IP
> address as the source IP to connect to the server. What I expect is squid
> to use the client's IP address to establish this new connection to the
> server. From the squid.conf, I believe I need to use the tproxy mode with
Correct.
> the http_port directive, but I'm stumped about what iptables rules to
> configure.
That would be the lines listed in
<http://wiki.squid-cache.org/Features/Tproxy4#iptables_Configuration>
Also, make sure that any rules in the "iptable -t nat " which you may
have setup for the NAT intercept configuration are removed. They *will*
break TPROXY kernel module operations.
iptables is just one of many networking layers than need configuring
though before TPROXY will work. The rest of the page explains.
>
> I'm trying to follow the steps here (
> http://wiki.squid-cache.org/Features/Tproxy4#Feature:_TPROXY_version_4.1.2B-_Support)
> but no luck yet. And I don't understand why I'd need to use WCCP for
> something like this.
You dont. Please read the _title_ of the WCCP section again. Slowly.
>
> I expect squid to use the client's IP address and the reverse traffic from
> the server will make it's way to squid's box through openvswitch.
You expect a lot. Behind the single tproxy flag in squid.conf the entire
routing system of your whole network has to be configured to ensure that
above "expected" flow is what the packets actually do.
If there is any potential path through the network where server packets
can reach the client directly without being diverted back through Squid
there will be hanging connections. The client will drop them because the
TCP connection was not client initiated.
> All squid
> has to do is install an iptable rule on the fly for the outgoing connection
> to use the client's IP address and also have a corresponding reverse rule
> to translate from the client's IP address to squid's IP address.
That is the purpose of the TPROXY kernel module. It does all the
netfilter/firewall bits when instructed to by Squid.
>
> The kernel that I'm using is 3.16 and it has the nf_conntrack and xt_TPROXY
> modules insmoded. Can someone help me with this?
>
Provided you also have a recent Squid version, built with the
appropriate components (netfilter and libcap2).
All you should need is the configuration in section 1.3, 1.5, 1.6.1, and
possibly 1.7 of that Tproxy4 wiki page.
Amos
More information about the squid-users
mailing list