[squid-users] Transparent Proxy on OSX Yosemite
Amos Jeffries
squid3 at treenet.co.nz
Thu Sep 1 15:05:24 UTC 2016
On 1/09/2016 5:59 a.m., Shively, Gregory wrote:
>> On 31/08/2016 11:19 a.m., Shively, Gregory wrote:
>
>>> I'm attempting to get a squid working as a transparent proxy on
>>> OSX
>
>>> Yosemite. Every attempt ended with a "Forward loop detected". I
>
>>> initially started with the version from homebrew and moved to
>>> just
>
>>> compiling myself to see if I could figure out what was going on.
>
>>> Being new to both pf network and squid, it might be something
>>> that I
>
>>> have configured wrong. I configured pf similar to:
>
>>>
>
>>> nat on $ext_if proto {udp, tcp} from $int_if:network to any port
>>> domain -> ($ext_if)
>
>>> rdr pass on $int_if proto tcp from $int_if:network to any port
>
>>> {http, https} -> 127.0.0.1 port 3129
>
>>>
>
>>> And my squid.conf for my testing is basically:
>
>>>
>
>>> http_port 3128
>
>>> http_port 3129 intercept
>
>>> http_access allow all
>
>>>
>
>
>
>>> I'm not sure if this is more appropriate on this mailing list or
>>> the
>
>>> developer mailing list (hoping it is just something I'm doing
>>> wrong).
>
>>> The squid that I'm using doesn't have -with-nat-devpf enabled;
>>> it
>
>>> fails to compile with that option. I'm wondering if the
>>> getsockname()
>
>>> as per comment for PFIntercept (of the !_USE_NAT_DEVPF) in
>
>>> src/ip/Intercept.cc, on OSX is not returning the pre-rdr address
>>> and
>
>>> causing the forward loop.
>
>
>
>> Your access.log can show that. It shows up as the server the
>> transaction is being sent to being port 3128/3129 on 127.0.0.1 or
>> another IP assigned to the Squid machine.
>
>
>
> It looks like I get 2 associated TCP_MISS entries in the access.log,
saying what? *exact details* are important for debugging these types of
issue.
> followed by entries that looks like they are associated with the
> access denied error screen. All generate the forwarding loop warning
> when running squid in debug. I also had the pf logging and see the
> rdr getting redirected, plus had started netcat listening on 3129
> prior to starting squid and saw the HTTP request come in.
>
The netcat test tells nothing you dont already know. A forwarding loop
by definition is the request arriving into Squid, then going out and
coming right back a second time (thus 2+ access.log entries).
netcat test only shows the first arrival, which is of course normal. It
also does not perform the NAT lookup and de-mangling Squid does - so
wont show if that is part of the problem or not.
>> * check the PF version in your MacOS. If it derives from OpenBSD
>> 4.8 or later then the .dev.pf is not relevant - rdr/divert-to
>> failure is then a bug somewhere AFAIK.
>
>
>
> I tried using both the internal and external interface IP addresses
> on the rdr rule. Both ended in the same forward loop. And it doesn't
> look like, at least Yosemite, has the option to use the divert-to in
> the firewall rules. I can't seem to find the reference, but I think
> that the pf in OSX is based around OpenBSD 4.4 or 4.5, but don't hold
> me to it. I'm guessing that is the reason that the divert-to is not
> available. I can look at an El Capt machine, but don't currently have
> access.
>
>
>
> Thanks for the help on getting this setup. I had put some code in the
> PfInterception method to replace the "local" address that I pulled
> from running the pfctl -s state command and it did change the
> results. But I'm thinking that I might have gotten the host or port
> in the "address" object incorrectly - it didn't seem to work and
> further connections just errored out. When I get a change will take a
> more detailed look and verify I'm getting the addresses in the
> correct form.
Okay. I'm thinking its not misconfiguration then and since it seems to
be a Mac-specific PF based on the old /vdev/pf logic you are going down
the right path.
If you can get it working I will take the patch. Wrap the Mac-specific
new bits in " #if _SQUID_APPLE_ " and the missing header include line
with " #if !_SQUID_APPLE_ ".
Amos
More information about the squid-users
mailing list