Latest tproxy patch for kernel, iptables and squid
Hi list.

I'm installing a box with Linux with squid and I'm a little bit confused. First of all, sorry for my bad English... I'm Brazilian. =)

I need to know where I can find the latest version for:
- kernel 2.6.27 (or can I use kernel 2.8.x?);
- iptables 1.4.2;
- squid.

I have some questions:
- Which kernel is better to use in a production box? 2.6.27 or 2.6.28?
- Which squid is better to use in a production box? 2.7 or 3.0?
- Where can I find documentation to install and configure the tproxy patches?

Thanks in advance!

Regards,
Eduardo Schoedler.
On Thu, 2008-11-27 at 14:24 -0300, Eduardo Schoedler wrote:
Hi list.
I'm installing a box with Linux with squid and I'm a little bit confused. First of all, sorry for my bad English... I'm Brazilian. =)
You don't need to excuse yourself, I'm Hungarian, so I'm not a native English speaker either. My Portuguese is way worse than my English (read: I couldn't speak a word).
I need to know where I can find the latest version for: - kernel 2.6.27 (or can I use kernel 2.8.x?); - iptables 1.4.2; - squid.
The first submission of tproxy is going into 2.6.28, which is at rc7 right now, so it is not released yet.
There were some fixes, related to UDP proxying, but I guess you don't need those if you only want to use squid. Those fixes are queued for 2.6.29.
The tproxy bits were integrated in iptables after 1.4.2, so you'll need iptables 1.4.3-rc1.
Last I heard, tproxy support was added to Squid3; checking out the changelog shows that squid 3.1.0.1 already has support for it (http://squid.cvs.sourceforge.net/viewvc/squid/squid3/ChangeLog?revision=1.16...)
I have some questions:
- Which kernel is better to use in a production box? 2.6.27 or 2.6.28?
Well, 2.6.28 is not yet released, although it is at rc7, so it should be released in a week or two. Distributions probably will not pick that up till next year, so you need to compile your kernel manually.
If you want to stick to the earlier kernel, you'd have to backport tproxy yourself, as the last out-of-tree release of tproxy was against 2.6.26. (http://people.netfilter.org/hidden)
- Which squid is better to use in a production box? 2.7 or 3.0?
I don't know, since I don't use squid.
- Where can I find documentation to install and configure the tproxy patches?
There's a documentation file on tproxy in the Documentation subdirectory of the kernel.
-- Bazsi
Hello Balazs!

I've compiled kernel-2.6.26-7 and applied the patch from the site.

# dmesg | grep TPROXY
NF_TPROXY: Transparent proxy support initialized, version 4.1.0
NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.

For iptables, I've used the 1.4.0 sources... it's working ok, I guess. =)

But the Squid is a little bit strange. I've compiled 3.HEAD (20081121), which has support for tproxy.

# ./configure --prefix=/opt/squid \
  --sysconfdir=/etc/squid \
  --with-default-user=squid \
  --enable-icmp \
  --disable-auth \
  --enable-removal-policies="lru,heap" \
  --disable-digest-auth-helpers \
  --disable-basic-auth-helpers \
  --disable-external-acl-helpers \
  --disable-ntlm-auth-helpers \
  --disable-negotiate-auth-helpers \
  --enable-useragent-log \
  --enable-cache-digests \
  --enable-delay-pools \
  --enable-referer-log \
  --enable-arp-acl \
  --with-large-files \
  --with-filedescriptors=16384 \
  --enable-storeio=ufs,diskd,aufs \
  --enable-linux-netfilter

My squid.conf (like the tproxy readme):
http_port 50080 tproxy transparent

The strange thing is when I'm trying to create the swap directories. See:

# ./squid -z
2008/12/03 23:07:10| http(s)_port: TPROXY option requires its own interception port. It cannot be shared.
FATAL: Bungled squid.conf line 992: http_port 50080 tproxy transparent
Squid Cache (Version 3.HEAD-20081121): Terminated abnormally.
CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0

I don't understand the cause of this problem. No process is using that port.

What can I do?

Thanks!

Regards,
Eduardo.
On Wed, 2008-12-03 at 23:16 -0300, Eduardo Schoedler wrote:
Hello Balazs!
I've compiled kernel-2.6.26-7 and applied the patch from the site.
# dmesg | grep TPROXY
NF_TPROXY: Transparent proxy support initialized, version 4.1.0
NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
For iptables, I've used the 1.4.0 sources... it's working ok, I guess. =)
But the Squid is a little bit strange. I've compiled 3.HEAD (20081121), which has support for tproxy.
# ./configure --prefix=/opt/squid \
  --sysconfdir=/etc/squid \
  --with-default-user=squid \
  --enable-icmp \
  --disable-auth \
  --enable-removal-policies="lru,heap" \
  --disable-digest-auth-helpers \
  --disable-basic-auth-helpers \
  --disable-external-acl-helpers \
  --disable-ntlm-auth-helpers \
  --disable-negotiate-auth-helpers \
  --enable-useragent-log \
  --enable-cache-digests \
  --enable-delay-pools \
  --enable-referer-log \
  --enable-arp-acl \
  --with-large-files \
  --with-filedescriptors=16384 \
  --enable-storeio=ufs,diskd,aufs \
  --enable-linux-netfilter
My squid.conf (like the tproxy readme): http_port 50080 tproxy transparent
The strange thing is when I'm trying to create the swap directories. See:
# ./squid -z
2008/12/03 23:07:10| http(s)_port: TPROXY option requires its own interception port. It cannot be shared.
FATAL: Bungled squid.conf line 992: http_port 50080 tproxy transparent
Squid Cache (Version 3.HEAD-20081121): Terminated abnormally.
CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
I don't understand the cause of this problem. No process is using that port.
What can I do?
Thanks!
Well, since I haven't used squid myself, you should ask this question on the squid mailing list.
The only relevant info I've found is:
http://wiki.squid-cache.org/Features/Tproxy4
This says that you need to use: http_port 3129 tproxy
But judging by the error message above, it says that you are using port 50080 for other purposes in the same squid.conf. Try to dedicate a port for tproxy.
-- Bazsi
Hi,
On Thu, Dec 04, 2008 at 12:02:44 +0100, Balazs Scheidler wrote:
Well since I haven't used squid myself, you should ask this question on the squid mailing list.
The only relevant info I've found is:
http://wiki.squid-cache.org/Features/Tproxy4
This says that you need to use: http_port 3129 tproxy
But judging the error message above, it says that you are using 50080 port for other purposes in the same squid.conf.
Yes, the problem is that you are not allowed to mark an HTTP listener as 'tproxy' and as 'transparent' at the same time. This has changed recently in squid; the information on the wiki page Balazs has mentioned should be the most up-to-date.
-- KOVACS Krisztian
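As an added example (not part of the thread and not Squid's own code), the following lint reproduces the two conditions behind the "TPROXY option requires its own interception port" error discussed above: a 'tproxy' listener combined with 'transparent' (or 'intercept', the later spelling of the same flag, included here as an assumption), and a tproxy port that another http_port/https_port line also uses. The squid.conf excerpt is constructed; its third line is the exact directive from Eduardo's config.

```python
"""Lint http_port lines in a squid.conf for the TPROXY listener conflict."""
import re

# Constructed squid.conf excerpt (not a real deployment); line 3 is the
# directive from the thread, line 4 shares its port to trigger the second check.
SAMPLE_CONF = """\
# constructed sample
http_port 3128
http_port 50080 tproxy transparent
http_port 50080 accel vhost
https_port 443 cert=/etc/squid/squid.pem
"""

def parse_ports(conf_text):
    """Return (line_no, directive, port, flags) for each http(s)_port line."""
    entries = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(https?_port)\s+(\S+)(.*)", line)
        if not m:
            continue
        directive, addr, rest = m.groups()
        port = int(addr.rsplit(":", 1)[-1])          # "ip:port" or bare "port"
        flags = {tok.split("=", 1)[0] for tok in rest.split()}  # "cert=..." -> "cert"
        entries.append((line_no, directive, port, flags))
    return entries

def check_tproxy(conf_text):
    """Return (line_no, message) findings; an empty list means no conflict."""
    entries = parse_ports(conf_text)
    findings = []
    for line_no, directive, port, flags in entries:
        if "tproxy" not in flags:
            continue
        # 1. tproxy may not be combined with transparent/intercept on one listener
        clash = flags & {"transparent", "intercept"}
        if clash:
            findings.append((line_no, f"{directive} {port}: 'tproxy' cannot be "
                                      f"combined with {sorted(clash)}"))
        # 2. the tproxy port must be dedicated: no other listener on the same port
        shared = [n for n, _, p, _ in entries if p == port and n != line_no]
        if shared:
            findings.append((line_no, f"{directive} {port}: tproxy port also used "
                                      f"on line(s) {shared}"))
    return findings

if __name__ == "__main__":
    for line_no, msg in check_tproxy(SAMPLE_CONF):
        print(f"squid.conf line {line_no}: {msg}")
```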