[squid-users] Connect strongSwan and Squid on same server
Varun Singh
varun.singh at gslab.com
Thu Jan 19 07:00:54 UTC 2017
Hi,

I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
16.04 server and I am trying to connect both. By connect I mean, I am
trying to achieve the following:

[VPN Client] <------> [VPN Server] <-> [Squid] <------> [Internet]

My objective is to connect a VPN client to the VPN server and use Squid
for filtering out blocked URLs. strongSwan and Squid work fine on
their own. I can access the internet when connected to the VPN server and also
when using the HTTP proxy without VPN.

From what I understand, to achieve what I want, I am supposed to
redirect incoming HTTP traffic from port 80 to port using IPTables. I
enter the following IPTables rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Once I do this and try to access the internet from a connected VPN client,
I get an error. Pasting the log from /var/log/squid/access.log:
1484738365.632 0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
1484738365.642 0 114.143.194.190 TCP_DENIED/403 4870 GET http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css - HIER_NONE/- text/html
1484738365.643 0 114.143.194.190 TCP_DENIED/403 4852 GET http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/- text/html
1484738365.731 0 114.143.194.190 TCP_DENIED/403 4753 GET http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
1484738365.760 0 114.143.194.190 TCP_DENIED/403 4817 GET http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js - HIER_NONE/- text/html
1484738367.798 0 114.143.194.190 TCP_DENIED/403 4066 CONNECT init.itunes.apple.com:443 - HIER_NONE/- text/html
1484738367.922 0 114.143.194.190 TCP_DENIED/403 4334 GET http://www.apple.com/apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484738367.963 0 114.143.194.190 TCP_DENIED/403 4025 CONNECT gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
1484738368.036 0 114.143.194.190 TCP_DENIED/403 4298 GET http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/- text/html
1484738368.148 0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
1484738368.255 0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
1484738368.296 0 114.143.194.190 TCP_DENIED/403 4316 GET http://www.apple.com/apple-touch-icon-precomposed.png - HIER_NONE/- text/html
1484738368.348 0 114.143.194.190 TCP_DENIED/403 4253 GET http://www.apple.com/favicon.ico - HIER_NONE/- text/html
1484738376.374 0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
1484738376.456 0 114.143.194.190 TCP_DENIED/403 4711 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484738385.761 0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
1484738385.828 0 114.143.194.190 TCP_DENIED/403 4747 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484738858.272 0 10.99.1.1 TAG_NONE/400 4154 GET /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml - HIER_NONE/- text/html
1484738858.990 0 10.99.1.1 TAG_NONE/400 4004 GET /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
1484738860.362 0 10.99.1.1 TAG_NONE/400 5350 GET /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1&ndh=1&t=18%2F0%2F2017%2016%3A57%3A40%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=4&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1 - HIER_NONE/- text/html
1484739056.258 0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739056.480 0 10.99.1.1 TCP_DENIED/403 4290 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484739057.106 0 10.99.1.1 TAG_NONE/400 3994 GET /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484739057.166 0 10.99.1.1 TAG_NONE/400 3970 GET /apple-touch-icon-76x76.png - HIER_NONE/- text/html
1484739057.211 0 10.99.1.1 TAG_NONE/400 3958 GET /apple-touch-icon.png - HIER_NONE/- text/html
1484739057.267 0 10.99.1.1 TAG_NONE/400 3958 GET /apple-touch-icon.png - HIER_NONE/- text/html
1484739057.340 0 10.99.1.1 TAG_NONE/400 3982 GET /apple-touch-icon-precomposed.png - HIER_NONE/- text/html
1484739057.436 0 10.99.1.1 TAG_NONE/400 3940 GET /favicon.ico - HIER_NONE/- text/html
1484739060.563 0 10.99.1.1 TAG_NONE/400 3924 GET /bag - HIER_NONE/- text/html
1484739071.241 0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739071.439 0 10.99.1.1 TCP_DENIED/403 4290 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484739092.972 0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739093.151 0 10.99.1.1 TCP_DENIED/403 4621 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484739093.306 0 10.99.1.1 TAG_NONE/400 3994 GET /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484739093.364 0 10.99.1.1 TAG_NONE/400 3970 GET /apple-touch-icon-76x76.png - HIER_NONE/- text/html
1484739093.427 0 10.99.1.1 TAG_NONE/400 3958 GET /apple-touch-icon.png - HIER_NONE/- text/html
1484739093.480 0 10.99.1.1 TAG_NONE/400 3958 GET /apple-touch-icon.png - HIER_NONE/- text/html
1484739093.529 0 10.99.1.1 TAG_NONE/400 3982 GET /apple-touch-icon-precomposed.png - HIER_NONE/- text/html
1484739093.578 0 10.99.1.1 TAG_NONE/400 3940 GET /favicon.ico - HIER_NONE/- text/html
1484741172.545 0 123.240.104.249 TAG_NONE/400 3924 GET / - HIER_NONE/- text/html
1484742330.250 0 10.99.1.2 TAG_NONE/400 4444 NONE error:invalid-request - HIER_NONE/- text/html
1484742335.479 0 10.99.1.2 TAG_NONE/400 4220 %E1%89%C5%01%DCd%95A-%D0%16%9B%98%7F7%D3%12%80%F3%BB%A4mm%13%60%B4%E1%B7%D9%C0j%11 - HIER_NONE/- text/html
1484742335.538 0 10.99.1.2 TAG_NONE/400 4234 %BB%E1%89%C5%01%DCd%95A-%D0%16%9B%98%7F7%D3%12%80%F3%BB%A4mm%13%60%B4%E1%B7%D9%C0j%11 - HIER_NONE/- text/html
1484742335.605 0 10.99.1.2 TAG_NONE/400 4444 NONE error:invalid-request - HIER_NONE/- text/html
1484742335.691 0 10.99.1.2 TAG_NONE/400 4444 NONE error:invalid-request - HIER_NONE/- text/html
1484742339.640 0 10.99.1.2 TAG_NONE/400 4022 %C6%CF%91Pv%85%82l%DEbD%1F%E0 - HIER_NONE/- text/html
1484742339.697 0 10.99.1.2 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484742339.885 0 10.99.1.2 TCP_DENIED/403 4556 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484742340.105 0 10.99.1.2 TAG_NONE/400 3994 GET /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484742340.195 0 10.99.1.2 TAG_NONE/400 3970 GET /apple-touch-icon-76x76.png - HIER_NONE/- text/html
1484742340.258 0 10.99.1.2 TAG_NONE/400 3958 GET /apple-touch-icon.png - HIER_NONE/- text/html
1484742340.309 0 10.99.1.2 TAG_NONE/400 3958 GET /apple-touch-icon.png - HIER_NONE/- text/html
1484742340.359 0 10.99.1.2 TAG_NONE/400 3982 GET /apple-touch-icon-precomposed.png - HIER_NONE/- text/html
1484742340.413 0 10.99.1.2 TAG_NONE/400 3940 GET /favicon.ico - HIER_NONE/- text/html
1484742378.858 0 10.99.1.2 TAG_NONE/400 4444 NONE error:invalid-request - HIER_NONE/- text/html
1484742510.612 0 10.99.1.2 TAG_NONE/400 4444 NONE error:invalid-request - HIER_NONE/- text/html
1484742517.730 0 10.99.1.2 TAG_NONE/400 4444 NONE error:invalid-request - HIER_NONE/- text/html
1484744550.653 0 10.99.1.2 TAG_NONE/400 4174 GET /MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFHQkFGcGn%2FXgmD9ePhproGUqVBV1BBQBWavn3ToLWaZkY9bPIAdX1ZHnagIQBHT%2BRrNCtgO6lb6fVDjflA%3D%3D - HIER_NONE/- text/html
1484744597.163 0 10.99.1.1 TAG_NONE/400 4022 GET /ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/- text/html
1484744597.361 0 10.99.1.1 TAG_NONE/400 4034 GET /ac/globalfooter/2.0/en_US/scripts/ac-globalfooter.built.js - HIER_NONE/- text/html
1484744599.970 0 10.99.1.1 TAG_NONE/400 5352 GET /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s62860188740305?AQB=1&ndh=1&t=18%2F0%2F2017%2018%3A33%3A19%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=2&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1 - HIER_NONE/- text/html
1484744606.878 0 10.99.1.1 TAG_NONE/400 4022 GET /ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/- text/html
1484744606.879 0 10.99.1.1 TAG_NONE/400 4034 GET /ac/globalfooter/2.0/en_US/scripts/ac-globalfooter.built.js - HIER_NONE/- text/html
1484744608.852 0 10.99.1.1 TAG_NONE/400 5352 GET /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s68294376337435?AQB=1&ndh=1&t=18%2F0%2F2017%2018%3A33%3A28%203%20-330&fid=21A4DCCB11396F92-26B205C305B2B2DF&pageName=apple%20-%20index%2Ftab%20%28us%29&g=http%3A%2F%2Fwww.apple.com%2F&cc=USD&ch=www.us.homepage&server=new%20approach%20ac-analytics&v3=aos%3A%20us&c4=D%3Dg&c5=ipad&c9=ios%209.3.5&c19=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29&c20=aos%3A%20us&c25=direct%20entry&c48=3&c49=D%3D2C39962A85032063-4000118780008FDC&v54=http%3A%2F%2Fwww.apple.com%2F&h1=www.us.homepage&s=768x1024&c=32&j=1.6&v=N&k=Y&bw=768&bh=960&AQE=1 - HIER_NONE/- text/html
1484744615.457 0 10.99.1.1 TAG_NONE/400 4022 GET /ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/- text/html
1484744615.526 0 10.99.1.1 TAG_NONE/400 4008 GET /metrics/ac-analytics/1.1/scripts/auto-init.js - HIER_NONE/- text/html
1484744615.587 0 10.99.1.1 TAG_NONE/400 4034 GET /ac/globalfooter/2.0/en_US/scripts/ac-globalfooter.built.js - HIER_NONE/- text/html
1484744625.891 0 10.99.1.1 TAG_NONE/400 3952 GET /retail/geniusbar/ - HIER_NONE/- text/html
1484744626.062 0 10.99.1.1 TCP_MEM_HIT/200 11731 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
1484744643.114 0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484744643.268 0 10.99.1.1 TCP_MEM_HIT/200 11731 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
1484746410.764 0 108.189.96.202 TAG_NONE/400 3923 GET / - HIER_NONE/- text/html
1484751091.543 0 153.142.43.105 TAG_NONE/400 3923 GET / - HIER_NONE/- text/html
My /etc/squid/squid.conf file has only one change, and that is:

http_access allow all

Following is my /etc/ipsec.conf file:
config setup
    strictcrlpolicy=no
    uniqueids = no

conn %default
    mobike=yes
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=200s
    fragmentation=yes

conn iOS-IKEV2
    auto=add
    keyexchange=ike
    eap_identity=%any
    left=%any
    leftsubnet=0.0.0.0/0
    rightsubnet=10.99.1.0/24
    leftauth=psk
    leftid=%any
    right=%any
    rightsourceip=10.99.1.0/24
    rightauth=eap-mschapv2
    rightid=%any
Following are my NAT IPTables entries. I get this by entering sudo
iptables -t nat -L:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3128

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  10.99.1.0/24         anywhere
If any of you have faced this problem before and were able to resolve
it, can you please help me? Thanks.
--
Regards,
Varun
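Editor's added example (not part of the post above, and not Squid or strongSwan project code): a small Python triage script for Squid's default native access.log format, the same ten-field layout the log excerpt above is in. It tags each entry so the two distinct symptoms in that log stand apart: status 400 entries whose "URL" is a bare path such as "/favicon.ico" are what Squid logs when a NAT REDIRECT delivers origin-form requests to a port it treats as a normal forward-proxy port (it cannot rebuild the absolute URL without an "intercept" port), while entries from clients outside the 10.99.1.0/24 pool (rightsourceip in the ipsec.conf above) show the proxy port being reached from outside the VPN, which matters when http_access is "allow all". The tag names, the VPN_POOL constant and the sample lines (public addresses replaced with the 203.0.113.0/24 documentation range) are constructed for this example.

```python
"""Triage of Squid native access.log lines from a VPN + NAT REDIRECT setup.

Added example, not part of the original post. Assumes the default 'squid'
logformat (10 whitespace-separated fields) and the VPN client pool
10.99.1.0/24 from the poster's ipsec.conf. Tag names and SAMPLE_LOG are
constructed for this example.
"""
import ipaddress
from collections import Counter

# rightsourceip=10.99.1.0/24 in the poster's ipsec.conf
VPN_POOL = ipaddress.ip_network("10.99.1.0/24")

# Constructed sample lines modelled on the entries in the post
# (public addresses replaced with the documentation range 203.0.113.0/24).
SAMPLE_LOG = """\
1484738365.632 0 203.0.113.7 TCP_DENIED/403 4066 CONNECT api.example.net:443 - HIER_NONE/- text/html
1484738365.642 0 203.0.113.7 TCP_DENIED/403 4870 GET http://www.example.com/style.css - HIER_NONE/- text/html
1484739056.258 0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739057.436 0 10.99.1.1 TAG_NONE/400 3940 GET /favicon.ico - HIER_NONE/- text/html
1484742330.250 0 10.99.1.2 TAG_NONE/400 4444 NONE error:invalid-request - HIER_NONE/- text/html
1484742335.479 0 10.99.1.2 TAG_NONE/400 4220 %E1%89%C5%01%DC - HIER_NONE/- text/html
1484744626.062 0 10.99.1.1 TCP_MEM_HIT/200 11731 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
"""

# Field order of Squid's default 'squid' logformat.
FIELDS = ("ts", "elapsed", "client", "result", "bytes",
          "method", "url", "user", "hier", "ctype")


def parse_line(line):
    """Parse one native-format line; return None unless it has exactly 10 fields."""
    tokens = line.split()
    if len(tokens) != len(FIELDS):
        return None  # e.g. a line whose request bytes were not even a method
    entry = dict(zip(FIELDS, tokens))
    code, _, status = entry["result"].partition("/")
    entry["code"] = code
    entry["status"] = int(status) if status.isdigit() else 0
    return entry


def classify(entry):
    """Return the triage tags that apply to one parsed entry."""
    tags = []
    try:
        client = ipaddress.ip_address(entry["client"])
    except ValueError:
        client = None  # a hostname was logged instead of an address
    if client is None or client not in VPN_POOL:
        # Not a VPN client: with 'http_access allow all' the proxy port
        # serves whoever can reach it.
        tags.append("client-outside-vpn-pool")
    if entry["status"] == 400:
        if entry["url"].startswith("/"):
            # Origin-form request line ("GET / HTTP/1.1") with no scheme or
            # host: the request arrived via NAT REDIRECT on a port that is
            # not declared 'intercept', so Squid could not rebuild the URL.
            tags.append("intercepted-on-forward-port")
        else:
            tags.append("malformed-request")
    if "/squid-internal-static/" in entry["url"]:
        # The browser fetching the icon embedded in Squid's own error page.
        tags.append("error-page-asset")
    return tags


def summarize(lines):
    """Aggregate tags over a log and list non-VPN client addresses separately."""
    tags = Counter()
    external = set()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        entry_tags = classify(entry)
        tags.update(entry_tags)
        if "client-outside-vpn-pool" in entry_tags:
            external.add(entry["client"])
    return {"tags": dict(tags),
            "external_clients": sorted(external),
            "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

To run it over a real file, pass the file's lines to summarize() instead of SAMPLE_LOG. A high "intercepted-on-forward-port" count points at the port Squid listens on rather than at the iptables rule, and any "external_clients" entries are worth checking against the http_access rules, since the standard Squid approach is to restrict proxy access to the VPN pool rather than allowing all.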