I have a Squid proxy server and I am trying to make it transparent using the intercept feature. Currently the proxy accepts users as a standalone proxy and works fine. However, when I add the intercept parameter to the conf file, it stops working.
I have verified with tcpdump on the proxy server that my iptables rules are correctly redirecting users to the server. I also compiled Squid with --enable-linux-netfilter following the instructions on the main Squid site. See below.
    squid -v

    Squid Cache: Version 3.3.4
    configure options: '--sbindir=/usr/sbin' '--bindir=/usr/bin' '--includedir=/usr/include' '--libdir=/usr/lib' '--enable-linux-netfilter' '--enable-inline' '--enable-ssl' '--enable-ssl-crtd' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=session' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-open-ssl=/usr/lib/ssl/openssl.cnf' --enable-ltdl-convenience
In my squid.conf file:

    acl network src 10.0.0.0/24

    # port connections
    acl Safe_ports port 80          # http
    acl Safe_ports port 8080
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl SSL_ports port 443
    acl SSL method CONNECT
    acl CONNECT method CONNECT

    http_access allow network
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    # And finally deny all other access to this proxy
    http_access deny all

    # proxy port
    http_port 10.0.1.5:3128
    # intercept bind address
    http_port 10.0.1.5:8080 intercept

    ...omitted...
I have two ports, 3128 and 8080. 8080 is set up to accept transparent connections with the intercept parameter. The reason is migration.
So I am a bit confused by this problem, because I have the correct compile options and the HTTP requests are being correctly redirected by the iptables firewall.
Is there something wrong with my ACLs?
Thanks,
Jim
Added the iptables rule (eth0 is the public interface):
    -A PREROUTING -s 10.0.0.0/24 ! -d 10.0.1.5/32 -p tcp -m tcp --dport 80 -m comment --comment "Redirect HTTP from Internal Network to SquidProxy Server" -j DNAT --to-destination 10.0.1.5:8080
This makes any source IP not destined directly for 10.0.1.5:80 get redirected to the proxy server at 10.0.1.5:8080.
Below is the syslog output with the -d flag set for squid:
    May 14 16:20:40 squidproxy squid[22071]: Starting Squid Cache version 3.3.4 for x86_64-unknown-linux-gnu...
    May 14 16:20:40 squidproxy squid[22071]: Process ID 22071
    May 14 16:20:40 squidproxy squid[22071]: Process Roles: master worker
    May 14 16:20:40 squidproxy squid[22071]: With 65536 file descriptors available
    May 14 16:20:40 squidproxy squid[22071]: Initializing IP Cache...
    May 14 16:20:40 squidproxy squid[22071]: DNS Socket created at [::], FD 6
    May 14 16:20:40 squidproxy squid[22071]: DNS Socket created at 0.0.0.0, FD 7
    May 14 16:20:40 squidproxy squid[22071]: Adding nameserver 10.0.1.3 from squid.conf
    May 14 16:20:40 squidproxy squid[22071]: helperOpenServers: Starting 1/1 'ext_session_acl' processes
    May 14 16:20:40 squidproxy squid[22071]: Logfile: opening log /var/log/squid3/access.log
    May 14 16:20:40 squidproxy squid[22071]: WARNING: log parameters now start with a module name. Use 'stdio:/var/log/squid3/access.log'
    May 14 16:20:40 squidproxy squid[22071]: Unlinkd pipe opened on FD 14
    May 14 16:20:40 squidproxy squid[22071]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
    May 14 16:20:40 squidproxy squid[22071]: Logfile: opening log /var/log/squid3/store.log
    May 14 16:20:40 squidproxy squid[22071]: WARNING: log parameters now start with a module name. Use 'stdio:/var/log/squid3/store.log'
    May 14 16:20:40 squidproxy squid[22071]: Swap maxSize 2097152 + 1048576 KB, estimated 241979 objects
    May 14 16:20:40 squidproxy squid[22071]: Target number of buckets: 12098
    May 14 16:20:40 squidproxy squid[22071]: Using 16384 Store buckets
    May 14 16:20:40 squidproxy squid[22071]: Max Mem size: 1048576 KB
    May 14 16:20:40 squidproxy squid[22071]: Max Swap size: 2097152 KB
    May 14 16:20:40 squidproxy squid[22071]: Rebuilding storage in /home/user/squidcache/ (dirty log)
    May 14 16:20:40 squidproxy squid[22071]: Using Least Load store dir selection
    May 14 16:20:40 squidproxy squid[22071]: Current Directory is /root
    May 14 16:20:40 squidproxy squid[22071]: Loaded Icons.
    May 14 16:20:40 squidproxy squid[22071]: HTCP Disabled.
    May 14 16:20:40 squidproxy squid[22071]: Squid plugin modules loaded: 0
    May 14 16:20:40 squidproxy squid[22071]: Adaptation support is off.
    May 14 16:20:40 squidproxy squid[22071]: Accepting HTTP Socket connections at local=10.0.1.5:3128 remote=[::] FD 18 flags=9
    May 14 16:20:40 squidproxy squid[22071]: Accepting NAT intercepted HTTP Socket connections at local=10.0.1.5:8080 remote=[::] FD 19 flags=41
    May 14 16:20:40 squidproxy squid[22071]: Done reading /home/user/squidcache/ swaplog (348 entries)
    May 14 16:20:40 squidproxy squid[22071]: Finished rebuilding storage from disk.
    May 14 16:20:40 squidproxy squid[22071]: 343 Entries scanned
    May 14 16:20:40 squidproxy squid[22071]: 0 Invalid entries.
    May 14 16:20:40 squidproxy squid[22071]: 0 With invalid flags.
    May 14 16:20:40 squidproxy squid[22071]: 338 Objects loaded.
    May 14 16:20:40 squidproxy squid[22071]: 0 Objects expired.
    May 14 16:20:40 squidproxy squid[22071]: 5 Objects cancelled.
    May 14 16:20:40 squidproxy squid[22071]: 0 Duplicate URLs purged.
    May 14 16:20:40 squidproxy squid[22071]: 0 Swapfile clashes avoided.
    May 14 16:20:40 squidproxy squid[22071]: Took 0.02 seconds (14687.35 objects/sec).
    May 14 16:20:40 squidproxy squid[22071]: Beginning Validation Procedure
    May 14 16:20:40 squidproxy squid[22071]: Completed Validation Procedure
    May 14 16:20:40 squidproxy squid[22071]: Validated 338 Entries
    May 14 16:20:40 squidproxy squid[22071]: store_swap_size = 4312.00 KB
    May 14 16:20:41 squidproxy squid[22071]: storeLateRelease: released 0 objects
Just got these in the log:

    NF getsockopt(SO_ORIGINAL_DST) failed on local=10.0.1.5:8080 remote=10.0.0.231:49650 FD 31 flags=33: (92) Protocol not available
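Added example, not part of Jim's post and not Squid's own code. The failing call in the last log line is the one every Linux transparent proxy depends on: after the DNAT rule rewrites a packet to 10.0.1.5:8080, the only way to learn where the client was really going is to ask netfilter's conntrack through getsockopt(SOL_IP, SO_ORIGINAL_DST). The script below does that by hand, decodes the struct sockaddr_in the kernel returns, and maps the errno of a failed lookup (92 is ENOPROTOOPT, "Protocol not available") to what it means. The sockaddr_in bytes and the log line fed to the self-check are constructed from values in the post, not captured live; the helper names are this example's own.

```python
"""Recover an intercepted connection's original destination on Linux.

Added example (not from the original post or from Squid). It does by
hand what Squid's netfilter interception does: ask the kernel, through
getsockopt(SOL_IP, SO_ORIGINAL_DST), where the client really dialed
before the DNAT rule rewrote the packet, and explains the errno when
that lookup fails. Test vectors are constructed from the post.
"""
import errno
import os
import re
import socket
import struct
from typing import Optional, Tuple

# Value from <linux/netfilter_ipv4.h>; Python's socket module does not export it.
SO_ORIGINAL_DST = 80

# Squid's failure message, e.g. the line in the post:
# "NF getsockopt(SO_ORIGINAL_DST) failed on local=... remote=... FD 31 flags=33: (92) Protocol not available"
_NF_FAIL = re.compile(
    r"NF getsockopt\(SO_ORIGINAL_DST\) failed on local=(?P<local>\S+) "
    r"remote=(?P<remote>\S+) FD \d+ flags=\d+: \((?P<errno>\d+)\) (?P<text>.*)"
)


def parse_sockaddr_in(raw: bytes) -> Tuple[str, int]:
    """Decode the struct sockaddr_in the kernel copies out for SO_ORIGINAL_DST.

    Layout (16 bytes): sin_family u16 in host byte order, sin_port u16 in
    network byte order, sin_addr 4 bytes, then 8 bytes of zero padding.
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    port = struct.unpack_from("!H", raw, 2)[0]
    return socket.inet_ntoa(raw[4:8]), port


def build_sockaddr_in(ip: str, port: int) -> bytes:
    """Encode (ip, port) the way the kernel does; used to build test vectors."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + b"\x00" * 8)


def original_destination(conn: socket.socket) -> Tuple[str, int]:
    """Return the (ip, port) an intercepted client originally connected to.

    Raises OSError carrying the kernel's errno when no NAT mapping can be
    recovered. A transparent proxy must drop such a connection: the Host
    header alone cannot be trusted to say where the client was really going.
    """
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_sockaddr_in(raw)


def explain_original_dst_errno(err: int) -> str:
    """Map the errno of a failed SO_ORIGINAL_DST lookup to what it means."""
    if err == errno.ENOPROTOOPT:  # 92 on Linux, "Protocol not available"
        return ("ENOPROTOOPT: nf_getsockopt() found no SO_ORIGINAL_DST handler "
                "for this socket's address family; the netfilter conntrack/NAT "
                "module that registers it is not loaded on this host")
    if err == errno.ENOENT:  # what the kernel's getorigdst() returns for an unknown flow
        return ("ENOENT: conntrack has no entry for this flow, so the "
                "connection was not NATed on this host")
    return "%s: %s" % (errno.errorcode.get(err, str(err)), os.strerror(err))


def parse_squid_nf_failure(line: str) -> Optional[Tuple[str, str, int, str]]:
    """Pull (local, remote, errno, explanation) out of Squid's failure line."""
    m = _NF_FAIL.search(line)
    if m is None:
        return None
    code = int(m.group("errno"))
    return (m.group("local"), m.group("remote"), code,
            explain_original_dst_errno(code))


if __name__ == "__main__":
    # Constructed vector: a client that dialed 93.184.216.34:80 before DNAT.
    print(parse_sockaddr_in(build_sockaddr_in("93.184.216.34", 80)))
    # The line from the post, with the errno decoded.
    print(parse_squid_nf_failure(
        "NF getsockopt(SO_ORIGINAL_DST) failed on local=10.0.1.5:8080 "
        "remote=10.0.0.231:49650 FD 31 flags=33: (92) Protocol not available"))
```

original_destination() only makes sense on a socket accepted from a port that a local nat-table DNAT or REDIRECT rule points at; the kernel answers from its conntrack table, so the NAT must have happened on the same host that runs the proxy, and the errno tells you which of the two failure modes you are looking at.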