[squid-users] intercept vs. accel vhost allow-direct

sknz sakibnizam at gmail.com
Fri Sep 13 08:12:39 UTC 2019


Hello Amos,
For clarification, I'm running an AP-Hotspot server (coovachilli, freeradius,
squid, etc.) with two NICs (eth0 and eth1). eth0 is for WAN (internet) and eth1
is for managing the LAN (APs). Coovachilli has created tun0 under the eth1
interface. I'm using squid-3.4.8 as an HTTP transparent proxy.

# Hardware Setup Diagram <https://i.stack.imgur.com/sKF9e.png> 

# ifconfig:
eth0    Link encap:Ethernet  HWaddr d8:cb:8a:53:b5:ff
          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
          RX bytes:145897 (142.4 KiB)  TX bytes:86949 (84.9 KiB)

eth1    Link encap:Ethernet  HWaddr 00:e0:4c:53:44:58
          inet6 addr: fe80::2e0:4cff:fe53:4458/64 Scope:Link
          RX bytes:178346 (174.1 KiB)  TX bytes:366000 (357.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          RX bytes:15724 (15.3 KiB)  TX bytes:15724 (15.3 KiB)

tun0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00
          inet addr:10.1.0.1  P-t-P:10.1.0.1  Mask:255.255.255.0
          RX bytes:111251 (108.6 KiB)  TX bytes:347971 (339.8 KiB)


# This is my updated squid.conf as you suggested, 3129 for forward-proxy and 3130 for intercepting HTTP:
http_port 3129
http_port 3130 intercept


# Squid is listening on expected ports; netstat -tunlp:
tcp6   0   0 :::3129    :::*    LISTEN      1754/(squid-1)
tcp6   0   0 :::3130    :::*    LISTEN      1754/(squid-1)
udp6  0  0 :::41845   :::*                     1754/(squid-1)


# Squid is not throwing any error; tail -4 /etc/squid3/cache.log:
Accepting HTTP Socket connections at local=[::]:3129 remote=[::] FD 11 flags=9
Accepting NAT intercepted HTTP Socket connections at local=[::]:3130 remote=[::] FD 12 flags=41
ICMP socket opened.
storeLateRelease: released 0 objects


# No response if I run squidclient over SSH on the server; squidclient -p 3129 http://www.example.com
Sending HTTP request ... done.


I've tried removing all "-i" options and updating the mangle rules as you
suggested; no effect. I've also opened the intercept port. This is my original
iptables with the adjusted rules:

#nat
-A PREROUTING -s 10.1.0.0/24 ! -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3130    #redirect http to squid intercept port
-A POSTROUTING -o eth0 -j MASQUERADE

#mangle
-A PREROUTING -s 10.1.0.0/24 -d 10.1.0.1/32 -p tcp -m tcp --dport 3130 -j DROP    #drop direct attempts to proxy intercept port
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#filters
-A INPUT -i eth1 -j DROP
-A INPUT -d 10.1.0.1/32 -i tun0 -p icmp -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 255.255.255.255/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3130 -j ACCEPT    #squid intercept
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3129 -j ACCEPT    #squid forward
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT    #chilli controller
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 2812 -j ACCEPT    #freeradius
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT    #https
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT    #http
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 4990 -j ACCEPT    #hotspot UAM
-A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
-A INPUT -d 10.1.0.1/32 -i tun0 -j DROP
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i tun0 ! -o eth0 -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o eth1 -j DROP
-A FORWARD -i eth1 -j DROP


So from here, all I can do is an HTTPS connection; no HTTP connection is allowed
from the AP side.

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
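An added example, not the poster's script or anything from the Squid project: a small Python model of the netfilter path a hotspot client's TCP SYN takes through the iptables rules quoted in the post (mangle PREROUTING, then nat PREROUTING, then the routing decision, then filter INPUT or FORWARD). It transcribes the post's TCP rules and assumes what the post does not show: chain policies of ACCEPT, no conntrack state, and REDIRECT rewriting the destination to tun0's own address 10.1.0.1. The client address 10.1.0.50 and the WAN address 93.184.216.34 are constructed sample values.

```python
"""Constructed model of how a TCP SYN traverses the iptables rules in the post.
Netfilter order for an inbound packet: mangle PREROUTING -> nat PREROUTING ->
routing decision -> filter INPUT (local delivery) or filter FORWARD (transit).
Only the match fields the post's rules use are modelled; conntrack/state and the
non-terminating TCPMSS rules are left out. Chain policy is assumed ACCEPT."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

LOCAL_IPS = {"10.1.0.1", "192.168.0.100", "127.0.0.1"}  # from the post's ifconfig
IFACE_ADDR = {"tun0": "10.1.0.1"}  # REDIRECT rewrites dst to the inbound interface's address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT, DROP or REDIRECT
    src: Optional[str] = None        # -s CIDR
    dst: Optional[str] = None        # -d CIDR
    dst_negated: bool = False        # "! -d"
    in_if: Optional[str] = None      # -i
    out_if: Optional[str] = None     # -o
    out_if_negated: bool = False     # "! -o"
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    to_port: Optional[int] = None    # --to-ports (REDIRECT only)
    note: str = ""

# The post's rules transcribed; UDP/ICMP INPUT rules are omitted (only TCP is traced).
MANGLE_PREROUTING = [
    Rule("DROP", src="10.1.0.0/24", dst="10.1.0.1/32", proto="tcp", dport=3130,
         note="drop direct attempts to proxy intercept port"),
]
NAT_PREROUTING = [
    Rule("REDIRECT", src="10.1.0.0/24", dst="10.1.0.1/32", dst_negated=True,
         in_if="tun0", proto="tcp", dport=80, to_port=3130,
         note="redirect http to squid intercept port"),
]
FILTER_INPUT = [Rule("DROP", in_if="eth1", note="drop eth1")] + [
    Rule("ACCEPT", dst="10.1.0.1/32", in_if="tun0", proto="tcp", dport=p, note=f"tcp/{p} on tun0")
    for p in (3130, 3129, 3990, 53, 2812, 22, 443, 80, 4990)
] + [Rule("DROP", dst="10.1.0.1/32", in_if="tun0", note="final tun0 drop")]
FILTER_FORWARD = [
    Rule("ACCEPT", in_if="tun0", out_if="eth0", note="tun0 -> eth0"),
    Rule("DROP", in_if="tun0", out_if="eth0", out_if_negated=True, note="tun0 -> !eth0"),
    Rule("ACCEPT", out_if="tun0", note="-> tun0"),
    Rule("ACCEPT", in_if="tun0", note="tun0 ->"),
    Rule("DROP", out_if="eth1", note="-> eth1"),
    Rule("DROP", in_if="eth1", note="eth1 ->"),
]


def out_if_for(dst: str) -> str:
    """Routing decision: the tun0 subnet is on-link, everything else leaves via eth0 (WAN)."""
    return "tun0" if ip_address(dst) in ip_network("10.1.0.0/24") else "eth0"


def matches(rule: Rule, pkt: Packet, out_if: Optional[str]) -> bool:
    """True when every match field set on the rule agrees with the packet."""
    return all([
        rule.src is None or ip_address(pkt.src) in ip_network(rule.src),
        rule.dst is None or (ip_address(pkt.dst) in ip_network(rule.dst)) != rule.dst_negated,
        rule.in_if is None or rule.in_if == pkt.in_if,
        rule.out_if is None or (rule.out_if == out_if) != rule.out_if_negated,
        rule.proto is None or rule.proto == pkt.proto,
        rule.dport is None or rule.dport == pkt.dport,
    ])


def first_hit(chain: List[Rule], pkt: Packet, out_if: Optional[str] = None) -> Optional[Rule]:
    return next((r for r in chain if matches(r, pkt, out_if)), None)


def trace(pkt: Packet) -> Tuple[str, List[str]]:
    """Return (verdict, steps) for one SYN; verdict falls back to the assumed ACCEPT policy."""
    steps: List[str] = []
    # mangle runs before nat, so its DROP only ever sees the client's original destination.
    hit = first_hit(MANGLE_PREROUTING, pkt)
    if hit and hit.target == "DROP":
        return "DROP", steps + [f"mangle PREROUTING: {hit.note}"]
    hit = first_hit(NAT_PREROUTING, pkt)
    if hit and hit.target == "REDIRECT":
        pkt = replace(pkt, dst=IFACE_ADDR[pkt.in_if], dport=hit.to_port)
        steps.append(f"nat PREROUTING: {hit.note} -> {pkt.dst}:{pkt.dport}")
    if pkt.dst in LOCAL_IPS:
        chain, hit = "filter INPUT", first_hit(FILTER_INPUT, pkt)
    else:
        chain, hit = "filter FORWARD", first_hit(FILTER_FORWARD, pkt, out_if_for(pkt.dst))
    steps.append(f"{chain}: {hit.note if hit else 'chain policy'}")
    return (hit.target if hit else "ACCEPT"), steps


if __name__ == "__main__":
    for p in (Packet("10.1.0.50", "93.184.216.34", 80, "tun0"),   # client HTTP to WAN
              Packet("10.1.0.50", "10.1.0.1", 3130, "tun0")):      # client addressing 3130 directly
        print(p.dst, p.dport, trace(p))
```

Tracing the two sample packets shows the property the post's mangle rule is there for: because mangle PREROUTING runs before nat PREROUTING, the DROP on 10.1.0.1:3130 only catches clients that address the intercept port themselves, while a client's port-80 SYN is redirected afterwards and then accepted by the INPUT rule for 3130. Under this model the ruleset lets HTTP reach the intercept port, so the rules alone do not explain the lost HTTP traffic described in the post.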