[squid-users] TProxy not working (Squid 3.5.12, Ubuntu Server 16.04.1)

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 26 11:12:50 UTC 2016


On 26/10/2016 7:42 p.m., Jens Offenbach wrote:
> Hi,
> I am trying to set up a transparent proxy with Squid 3.5.12 on Ubuntu Server 16.04.1, but I cannot get it working. When a client tries to connect to the web, the connection always times out.
> 
> Hopefully, someone has an idea what's going on.
> 
> uname -r:
> 4.4.0-45-generic
> 
> sysctl:
> net.ipv4.ip_forward=1
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
> 
> squid.conf:
> # ACCESS CONTROLS
> # -----------------------------------------------------------------------------
>   acl localnet    src 139.2.0.0/16
>   acl localnet    src 193.96.112.0/21
>   acl localnet    src 192.109.216.0/24
>   acl localnet    src 100.1.4.0/22
>   acl localnet    src 10.0.0.0/8
>   acl localnet    src 172.16.0.0/12
>   acl localnet    src 192.168.0.0/16
>   acl to_localnet dst 139.2.0.0/16
>   acl to_localnet dst 193.96.112.0/21
>   acl to_localnet dst 192.109.216.0/24
>   acl to_localnet dst 100.1.4.0/22
>   acl to_localnet dst 10.0.0.0/8
>   acl to_localnet dst 172.16.0.0/12
>   acl to_localnet dst 192.168.0.0/16
> 

Missing basic security controls to prevent this being an abused open proxy.
 http_access deny !Safe_Ports
 http_access deny CONNECT !SSL_Ports


>   http_access allow manager localhost
>   http_access deny  manager
>   http_access allow localnet
>   http_access allow localhost
>   http_access allow to_localnet

Permits external visitors uncontrolled access to your LAN IP spaces.
Particularly when combined with the "always_direct allow to_localnet" below.
  Really want that?

>   http_access deny all
> 
> # NETWORK OPTIONS
> # -----------------------------------------------------------------------------
>   http_port 10.30.200.99:3128
>   http_port 10.30.216.254:3128
>   http_port 10.30.216.254:3129 tproxy
> 
> # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
> # -----------------------------------------------------------------------------
>   cache_peer proxy.mycompany.com parent 8080 0 no-query no-digest default
>   cache_peer  roxy.mycompany.com parent 8080 0 no-query no-digest

I suspect the peers are sending TCP SYN+ACK responses directly back to
the client IP which Squid is spoofing.

Add the option "no-tproxy" to these peer lines to avoid that.

> 
> # MEMORY CACHE OPTIONS
> # -----------------------------------------------------------------------------
>   maximum_object_size_in_memory 8 MB
>   memory_replacement_policy heap LFUDA
>   cache_mem 256 MB
> 
> # DISK CACHE OPTIONS
> # -----------------------------------------------------------------------------
>   maximum_object_size 10 GB
>   cache_replacement_policy heap GDSF
>   cache_dir ufs /var/cache/squid 88894 16 256 max-size=10737418240
> 
> # LOGFILE OPTIONS
> # -----------------------------------------------------------------------------
>   access_log daemon:/var/log/squid/access.log squid
>   cache_store_log daemon:/var/log/squid/store.log
> 

store.log is very rarely needed. You might consider removing it for some
extra speed out of the proxy.


> # OPTIONS FOR TROUBLESHOOTING
> # -----------------------------------------------------------------------------
>   cache_log /var/log/squid/cache.log
>   coredump_dir /var/log/squid
>   
> # OPTIONS FOR TUNING THE CACHE
> # -----------------------------------------------------------------------------
>   cache allow all

Unnecessary default value configured.

>   
> # ADMINISTRATIVE PARAMETERS
> # -----------------------------------------------------------------------------
>   visible_hostname my-proxy.mycompany.com
> 
> # ICP OPTIONS
> # -----------------------------------------------------------------------------
>   icp_port 0
> 

Unnecessary default value configured.

> # OPTIONS INFLUENCING REQUEST FORWARDING 
> # -----------------------------------------------------------------------------
>   always_direct allow to_localnet
>   always_direct allow to_localhost
>   never_direct  allow all
> 

Amos

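As an added example (not from the thread or from the Squid project), a small Python lint that checks a squid.conf text for the two problems flagged in the reply above: the port guards missing before the client allow rules, and cache_peer lines without no-tproxy while a tproxy http_port is present. The sample config inside is constructed from the quoted post, cut down to the relevant lines.

```python
# Constructed sample cut down from the squid.conf quoted in the post (added example).
BROKEN_CONF = """\
acl localnet src 10.0.0.0/8
acl to_localnet dst 10.0.0.0/8
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access allow to_localnet
http_access deny all
http_port 10.30.216.254:3129 tproxy
cache_peer proxy.mycompany.com parent 8080 0 no-query no-digest default
"""

# The same sample with the reply's two fixes applied.
FIXED_CONF = BROKEN_CONF.replace(
    "http_access deny manager\n",
    "http_access deny manager\nhttp_access deny !Safe_Ports\n"
    "http_access deny CONNECT !SSL_Ports\n",
).replace("no-digest default", "no-digest no-tproxy default")

REQUIRED_GUARDS = (("deny", "!Safe_Ports"), ("deny", "CONNECT", "!SSL_Ports"))

def directives(conf):
    """Parse squid.conf into (name, args) tuples, skipping blanks and comments."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            out.append((name, tuple(args)))
    return out

def lint(conf):
    """Return a list of findings; an empty list means both checks pass."""
    findings, guards, rules = [], [], directives(conf)
    # Guard section: http_access rules before the first allow for real clients
    # (the stock manager allow/deny pair is permitted to come first).
    for name, args in rules:
        if name == "http_access":
            if args[0] == "allow" and "manager" not in args:
                break
            guards.append(args)
    for guard in REQUIRED_GUARDS:
        if guard not in guards:
            findings.append("missing http_access %s before client allows" % " ".join(guard))
    # With a tproxy listener, a peer lacking no-tproxy is contacted from the spoofed
    # client IP and its SYN+ACK goes straight to the client, so the connection hangs.
    if any(n == "http_port" and "tproxy" in a for n, a in rules):
        findings += ["cache_peer %s lacks no-tproxy" % a[0]
                     for n, a in rules if n == "cache_peer" and "no-tproxy" not in a]
    return findings
```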