[squid-users] Tunnelled devices losing access to squid
Raymond Norton
admin at lctn.org
Fri Feb 6 14:37:11 UTC 2015
I have the following scenario:
We have a number of Verizon Aps configured to run associated devices through a GRE
tunnel between Verizon and our network, using a 10.99.0.0/16 subnet which
is NATed to a public address. Policy based routing sends all
port 80 and 443 traffic originating from 10.99.0.0/16 to qlproxy IP
(10.10.1.85) (squid proxy). IPtables on qlproxy box port-forwards all 80
and 443 traffic to 3126 & 3127. Qlproxy (4.0) has appropriate
transparent and ssl_bump rules to process incoming traffic.
Squid logs show the request for web pages is made via the policy based
routing (Mikrotik Firewall/Router), but nothing is returned to the
requesting device. It just simply times out after a long wait.
However, if I configure a tunnelled device to use port 3128 in the proxy
settings of the browser, or if a tunnelled device requests the proxy url
via port 80, web requests start working, as expected for the configured
device , as well as for all devices that are hitting the proxy
transparently from the tunnel.
This will work as long as some form of traffic from the tunnelled
devices is generated. If things are left dormant for 3-5 minutes traffic
will stop working again, until a device requests the proxy url via port
80. As a workaround to minimize complaints I created a cron job, using
wget of the proxy url, which runs every couple minutes. As long as the
wget command runs, Internet works fine for all tunnelled devices.
On a side note, policy routing of local 10.10.0.0/16 devices works just
fine running through the proxy transparently, without interruptions,
even when the tunnelled devices cease working. Internet works fine if we
send tunnelled traffic through and NAT the same as the 10.10.0.0/16 network, bypassing the proxy
Squid config:
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service_failure_limit -1
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
adaptation_access qlproxy1 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_etypes
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
include "/opt/qlproxy/etc/squid/squid.acl"
http_port 3126 transparent
https_port 3127 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
forward_max_tries 25
cache_mem 1024 MB
maximum_object_size_in_memory 1024 KB
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
shutdown_lifetime 3 seconds
visible_hostname qlproxy
always_direct allow all
icap_enable on
icap_service_failure_limit -1
icap_preview_enable on
icap_persistent_connections on
adaptation_send_client_ip on
adaptation_send_username on
icap_service qlproxy1 reqmod_precache icap://127.0.0.1:1344/reqmod bypass=0
icap_service qlproxy2 respmod_precache icap://127.0.0.1:1344/respmod bypass=0
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
adaptation_access qlproxy1 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_etypes
acl icap_bypass_to_localnet dst 10.0.0.0/8
acl icap_bypass_to_localnet dst 172.16.0.0/12
acl icap_bypass_to_localnet dst 192.168.0.0/16
adaptation_access qlproxy1 deny icap_bypass_to_localnet
adaptation_access qlproxy2 deny icap_bypass_to_localnet
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
dns_v4_first on
--
Raymond Norton
LCTN
952.955.7766
More information about the squid-users
mailing list