I have a Squid proxy server that I am trying to add transparency to by using the Intercept feature. Currently, the proxy server accepts connections and works fine as a standalone proxy for users. However, when I add the Intercept parameter to the conf file, it stops working.
I have verified with tcpdump on the proxy server that my iptables rules are correctly redirecting users to the server. I also compiled Squid with --enable-linux-netfilter as instructed on the main Squid site. See below.
squid -v
Squid Cache: Version 3.3.4
configure options: '--sbindir=/usr/sbin' '--bindir=/usr/bin' '--includedir=/usr/include' '--libdir=/usr/lib' '--enable-linux-netfilter' '--enable-inline' '--enable-ssl' '--enable-ssl-crtd' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=session' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-open-ssl=/usr/lib/ssl/openssl.cnf' --enable-ltdl-convenience
In my squid.conf file
acl network src 10.0.0.0/24
#port connections
acl Safe_ports port 80 # http
acl Safe_ports port 8080
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl SSL_ports port 443
acl SSL method CONNECT
acl CONNECT method CONNECT
http_access allow network
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# And finally deny all other access to this proxy
http_access deny all
#proxy port
http_port 10.0.1.5:3128
#intercept bind address
http_port 10.0.1.5:8080 intercept
...omitted...
I have two ports, 3128 and 8080. 8080 is configured to accept transparent connections with the intercept parameter. The reason is for migration.
So I am a bit confused by the problem, since I have the correct compile options and the http requests are being redirected correctly by the iptables firewall.
Is there something wrong with my ACLs?
Thanks,
Jim
Added iptables rule: eth0 is the public interface
-A PREROUTING -s 10.0.0.0/24 ! -d 10.0.1.5/32 -p tcp -m tcp --dport 80 -m comment --comment "Redirect HTTP from Internal Network to SquidProxy Server" -j DNAT --to-destination 10.0.1.5:8080
This will cause any source IP not destined directly to 10.0.1.5:80 to be redirected to the proxy server 10.0.1.5:8080.
Here is the syslog output with the -d flag set for Squid:
May 14 16:20:40 squidproxy squid[22071]: Starting Squid Cache version 3.3.4 for x86_64-unknown-linux-gnu...
May 14 16:20:40 squidproxy squid[22071]: Process ID 22071
May 14 16:20:40 squidproxy squid[22071]: Process Roles: master worker
May 14 16:20:40 squidproxy squid[22071]: With 65536 file descriptors available
May 14 16:20:40 squidproxy squid[22071]: Initializing IP Cache...
May 14 16:20:40 squidproxy squid[22071]: DNS Socket created at [::], FD 6
May 14 16:20:40 squidproxy squid[22071]: DNS Socket created at 0.0.0.0, FD 7
May 14 16:20:40 squidproxy squid[22071]: Adding nameserver 10.0.1.3 from squid.conf
May 14 16:20:40 squidproxy squid[22071]: helperOpenServers: Starting 1/1 'ext_session_acl' processes
May 14 16:20:40 squidproxy squid[22071]: Logfile: opening log /var/log/squid3/access.log
May 14 16:20:40 squidproxy squid[22071]: WARNING: log parameters now start with a module name. Use 'stdio:/var/log/squid3/access.log'
May 14 16:20:40 squidproxy squid[22071]: Unlinkd pipe opened on FD 14
May 14 16:20:40 squidproxy squid[22071]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
May 14 16:20:40 squidproxy squid[22071]: Logfile: opening log /var/log/squid3/store.log
May 14 16:20:40 squidproxy squid[22071]: WARNING: log parameters now start with a module name. Use 'stdio:/var/log/squid3/store.log'
May 14 16:20:40 squidproxy squid[22071]: Swap maxSize 2097152 + 1048576 KB, estimated 241979 objects
May 14 16:20:40 squidproxy squid[22071]: Target number of buckets: 12098
May 14 16:20:40 squidproxy squid[22071]: Using 16384 Store buckets
May 14 16:20:40 squidproxy squid[22071]: Max Mem size: 1048576 KB
May 14 16:20:40 squidproxy squid[22071]: Max Swap size: 2097152 KB
May 14 16:20:40 squidproxy squid[22071]: Rebuilding storage in /home/user/squidcache/ (dirty log)
May 14 16:20:40 squidproxy squid[22071]: Using Least Load store dir selection
May 14 16:20:40 squidproxy squid[22071]: Current Directory is /root
May 14 16:20:40 squidproxy squid[22071]: Loaded Icons.
May 14 16:20:40 squidproxy squid[22071]: HTCP Disabled.
May 14 16:20:40 squidproxy squid[22071]: Squid plugin modules loaded: 0
May 14 16:20:40 squidproxy squid[22071]: Adaptation support is off.
May 14 16:20:40 squidproxy squid[22071]: Accepting HTTP Socket connections at local=10.0.1.5:3128 remote=[::] FD 18 flags=9
May 14 16:20:40 squidproxy squid[22071]: Accepting NAT intercepted HTTP Socket connections at local=10.0.1.5:8080 remote=[::] FD 19 flags=41
May 14 16:20:40 squidproxy squid[22071]: Done reading /home/user/squidcache/ swaplog (348 entries)
May 14 16:20:40 squidproxy squid[22071]: Finished rebuilding storage from disk.
May 14 16:20:40 squidproxy squid[22071]: 343 Entries scanned
May 14 16:20:40 squidproxy squid[22071]: 0 Invalid entries.
May 14 16:20:40 squidproxy squid[22071]: 0 With invalid flags.
May 14 16:20:40 squidproxy squid[22071]: 338 Objects loaded.
May 14 16:20:40 squidproxy squid[22071]: 0 Objects expired.
May 14 16:20:40 squidproxy squid[22071]: 5 Objects cancelled.
May 14 16:20:40 squidproxy squid[22071]: 0 Duplicate URLs purged.
May 14 16:20:40 squidproxy squid[22071]: 0 Swapfile clashes avoided.
May 14 16:20:40 squidproxy squid[22071]: Took 0.02 seconds (14687.35 objects/sec).
May 14 16:20:40 squidproxy squid[22071]: Beginning Validation Procedure
May 14 16:20:40 squidproxy squid[22071]: Completed Validation Procedure
May 14 16:20:40 squidproxy squid[22071]: Validated 338 Entries
May 14 16:20:40 squidproxy squid[22071]: store_swap_size = 4312.00 KB
May 14 16:20:41 squidproxy squid[22071]: storeLateRelease: released 0 objects
I just got these log entries:
NF getsockopt(SO_ORIGINAL_DST) failed on local=10.0.1.5:8080 remote=10.0.0.231:49650 FD 31 flags=33: (92) Protocol not available
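Added example, not part of Jim's post: a small Python triage script that parses Squid cache.log lines of the kind quoted above (the sample lines are constructed from them) and groups the SO_ORIGINAL_DST failures by listener and by client, so an operator can see at a glance whether the failures are confined to the intercept port and which hosts are hitting it. Regex field names and the `summarize` output layout are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the startup and error lines quoted in the post.
SAMPLE_LOG = """\
May 14 16:20:40 squidproxy squid[22071]: Accepting HTTP Socket connections at local=10.0.1.5:3128 remote=[::] FD 18 flags=9
May 14 16:20:40 squidproxy squid[22071]: Accepting NAT intercepted HTTP Socket connections at local=10.0.1.5:8080 remote=[::] FD 19 flags=41
May 14 16:21:02 squidproxy squid[22071]: NF getsockopt(SO_ORIGINAL_DST) failed on local=10.0.1.5:8080 remote=10.0.0.231:49650 FD 31 flags=33: (92) Protocol not available
May 14 16:21:05 squidproxy squid[22071]: NF getsockopt(SO_ORIGINAL_DST) failed on local=10.0.1.5:8080 remote=10.0.0.231:49651 FD 32 flags=33: (92) Protocol not available
"""

# Startup line for each http_port; the "NAT intercepted" wording marks an intercept listener.
LISTEN_RE = re.compile(
    r"Accepting (?P<kind>NAT intercepted |)HTTP Socket connections at local=(?P<local>\S+)")
# Error raised when Squid cannot recover the original destination of an intercepted connection.
# The errno is kept as a number; 92 on Linux is ENOPROTOOPT.
NF_FAIL_RE = re.compile(
    r"NF getsockopt\(SO_ORIGINAL_DST\) failed on local=(?P<local>\S+) remote=(?P<remote>\S+)"
    r" .*?: \((?P<errno>\d+)\) (?P<msg>.*)$")

def parse_listeners(log):
    """Map each listening address to 'intercept' or 'plain' from the startup lines."""
    listeners = {}
    for line in log.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            listeners[m["local"]] = "intercept" if m["kind"] else "plain"
    return listeners

def parse_nat_failures(log):
    """Extract one record per SO_ORIGINAL_DST failure."""
    failures = []
    for line in log.splitlines():
        m = NF_FAIL_RE.search(line)
        if m:
            failures.append({"local": m["local"], "remote": m["remote"],
                             "errno": int(m["errno"]), "msg": m["msg"]})
    return failures

def summarize(log):
    """Count failures per listener and per client host, and label each affected listener."""
    listeners = parse_listeners(log)
    failures = parse_nat_failures(log)
    per_listener = Counter(f["local"] for f in failures)
    per_client = Counter(f["remote"].rsplit(":", 1)[0] for f in failures)
    return {
        "listeners": listeners,
        "failures": len(failures),
        "per_listener": dict(per_listener),
        "per_client": dict(per_client),
        "errnos": sorted({f["errno"] for f in failures}),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A failure counted against a listener that `parse_listeners` labels as "plain" would be anomalous and worth a closer look, since only intercept ports should ever query SO_ORIGINAL_DST.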