[squid-users] TProxy not working (Squid 3.5.12, Ubuntu Server 16.04.1)
Amos Jeffries
squid3 at treenet.co.nz
Wed Oct 26 11:12:50 UTC 2016
On 26/10/2016 7:42 p.m., Jens Offenbach wrote:
> Hi,
> I am trying to setup a transparent proxy with Squid 3.5.12 on Ubuntu Server 16.04.1, but I cannot get it working. When a client tries to connect to the web, the connection always times out.
>
> Hopefully, someone has an idea what's going on.
>
> uname -r:
> 4.4.0-45-generic
>
> sysctl:
> net.ipv4.ip_forward=1
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
>
> squid.conf:
> # ACCESS CONTROLS
> # -----------------------------------------------------------------------------
> acl localnet src 139.2.0.0/16
> acl localnet src 193.96.112.0/21
> acl localnet src 192.109.216.0/24
> acl localnet src 100.1.4.0/22
> acl localnet src 10.0.0.0/8
> acl localnet src 172.16.0.0/12
> acl localnet src 192.168.0.0/16
> acl to_localnet dst 139.2.0.0/16
> acl to_localnet dst 193.96.112.0/21
> acl to_localnet dst 192.109.216.0/24
> acl to_localnet dst 100.1.4.0/22
> acl to_localnet dst 10.0.0.0/8
> acl to_localnet dst 172.16.0.0/12
> acl to_localnet dst 192.168.0.0/16
>
Missing basic security controls to prevent this being an abused open proxy.
http_access deny !Safe_Ports
http_access deny CONNECT !SSL_Ports
> http_access allow manager localhost
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access allow to_localnet
Permits external visitors uncontrolled access to your LAN IP spaces.
Particularly when combined with the "always_direct allow to_localnet" below.
Really want that?
> http_access deny all
>
> # NETWORK OPTIONS
> # -----------------------------------------------------------------------------
> http_port 10.30.200.99:3128
> http_port 10.30.216.254:3128
> http_port 10.30.216.254:3129 tproxy
>
> # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
> # -----------------------------------------------------------------------------
> cache_peer proxy.mycompany.com parent 8080 0 no-query no-digest default
> cache_peer roxy.mycompany.com parent 8080 0 no-query no-digest
I suspect the peers are sending TCP SYN+ACK responses directly back to
the client IP which Squid is spoofing.
Add the option "no-tproxy" to these peer lines to avoid that.
>
> # MEMORY CACHE OPTIONS
> # -----------------------------------------------------------------------------
> maximum_object_size_in_memory 8 MB
> memory_replacement_policy heap LFUDA
> cache_mem 256 MB
>
> # DISK CACHE OPTIONS
> # -----------------------------------------------------------------------------
> maximum_object_size 10 GB
> cache_replacement_policy heap GDSF
> cache_dir ufs /var/cache/squid 88894 16 256 max-size=10737418240
>
> # LOGFILE OPTIONS
> # -----------------------------------------------------------------------------
> access_log daemon:/var/log/squid/access.log squid
> cache_store_log daemon:/var/log/squid/store.log
>
store.log is very rarely needed. You might consider removing it for some
extra speed out of the proxy.
> # OPTIONS FOR TROUBLESHOOTING
> # -----------------------------------------------------------------------------
> cache_log /var/log/squid/cache.log
> coredump_dir /var/log/squid
>
> # OPTIONS FOR TUNING THE CACHE
> # -----------------------------------------------------------------------------
> cache allow all
Unnecessary default value configured.
>
> # ADMINISTRATIVE PARAMETERS
> # -----------------------------------------------------------------------------
> visible_hostname my-proxy.mycompany.com
>
> # ICP OPTIONS
> # -----------------------------------------------------------------------------
> icp_port 0
>
Unnecessary default value configured.
> # OPTIONS INFLUENCING REQUEST FORWARDING
> # -----------------------------------------------------------------------------
> always_direct allow to_localnet
> always_direct allow to_localhost
> never_direct allow all
>
Amos
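The three problems Amos points out above (no port denies before the allow rules, an allow rule that matches on destination only, and peers without no-tproxy on a proxy that has a tproxy port) written up as a small squid.conf lint. This is an added example, not Squid code or anything posted in the thread; it assumes one directive per line with no include files, and the sample configuration is constructed from the quoted one.

```python
"""Lint a squid.conf for the three problems raised in this thread (added
example, not Squid code). One directive per line, no 'include'; ACL names are
compared case-insensitively; 'localhost' and 'manager' are Squid built-ins."""

# Constructed sample: the quoted configuration trimmed to the checked lines.
SAMPLE_CONF = """\
acl localnet src 10.0.0.0/8
acl to_localnet dst 10.0.0.0/8
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow to_localnet
http_access deny all
http_port 10.30.216.254:3129 tproxy
cache_peer proxy.mycompany.com parent 8080 0 no-query no-digest default
"""

def parse(text):
    """Yield (directive, args) for every non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            directive, *args = line.split()
            yield directive, args

def lint_squid_conf(text):
    rules = list(parse(text))
    acl_type = {a[0].lower(): a[1] for d, a in rules if d == 'acl' and len(a) > 1}
    access = [a for d, a in rules if d == 'http_access' and a]
    findings = []
    # 1. The port denies must precede the first allow (as in the default
    #    squid.conf), or allowed clients can relay to arbitrary ports.
    first_allow = next((i for i, a in enumerate(access) if a[0] == 'allow'), len(access))
    early_denies = {t.lower() for a in access[:first_allow] if a[0] == 'deny' for t in a[1:]}
    for acl in ('!Safe_ports', '!SSL_ports'):
        if acl.lower() not in early_denies:
            findings.append(f'no "http_access deny {acl}" before the first allow rule')
    # 2. An allow rule built only from dst ACLs accepts any client source.
    for a in access:
        names = [t.lstrip('!').lower() for t in a[1:]]
        if a[0] == 'allow' and names and all(acl_type.get(n) == 'dst' for n in names):
            findings.append(f'"http_access allow {" ".join(a[1:])}" matches any source')
    # 3. With a tproxy http_port every peer needs no-tproxy; otherwise the peer
    #    answers the spoofed client address directly and the request times out.
    if any(d == 'http_port' and 'tproxy' in a for d, a in rules):
        for d, a in rules:
            if d == 'cache_peer' and a and 'no-tproxy' not in a:
                findings.append(f'cache_peer {a[0]} lacks no-tproxy on a tproxy proxy')
    return findings
```

Running `lint_squid_conf(SAMPLE_CONF)` reports the four findings; a configuration with the denies moved to the top, the dst-only allow removed and `no-tproxy` on the peer reports none.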