[tproxy] squid+tproxy+bridge for transparent proxying

James MacLean macleajb@ednet.ns.ca
Mon, 17 Jan 2005 08:41:11 -0400


KOVACS Krisztian wrote:

>  Hi,
>
>On Fri, 2005-01-14 at 12:13, Eskay Lee wrote:
>
>>I set up linux+bridge+squid+tproxy to see the client IP address on the Web
>>server.
>>Following the manuals, I configured all the patches and parameters.
>>In squid.conf, I set "linux_tproxy on" but I don't know how to set
>>"tcp_outgoing_address".
>>My squid box is just a bridge, not a gateway.
>>Please let me know how to set "tcp_outgoing_address" in bridge mode.
>>Also, I put one IP address, i.e. 10.1.1.100, as tcp_outgoing_address; the web
>>server is 10.1.1.120.
>>
>>Then if I browse the URL on the Web server, I get an error like the following:
>>   ERROR
>>   The requested URL could not be retrieved
>>        . Socket Failure
>>         (99) Cannot assign requested address
>>
>>How can I solve this problem?
>>
>
>  Did you follow the steps outlined in
>http://www.sanog.org/resources/sanog4-devdas-transproxy.pdf ? BTW, I've
>never seen this document before, but looks interesting for sure.
>
>  Please note that the Squid patch for tproxy support mentioned on the
>page above is completely independent from BalaBit and the authors of the
>tproxy patch, and was kindly contributed by Gianni Tedesco and James
>MacLean. I'm not really sure, but I'd say that in your case bind() fails
>because you did not have any interfaces configured with 10.1.1.100. Try
>creating a dummy interface (dummy0), and adding the address 10.1.1.100
>to that interface.
>
>  
>
Not sure I can add much as we are not currently using this squid setup,
but the main things I see in the squid.conf that was being used are:

linux_tproxy on
tcp_outgoing_address <real IP>

Looks like I tried some of the local, private IPs on the box, but
settled with a routable one. Looking in the squid logs really helped me
figure out what was happening.

>>Also, can I use some gzip compression mode on Squid?
>>
>
>  I must admit that I don't really know Squid, so probably I'm not the
>right person to ask. Have you already tried the Squid documentation, or
>the Squid users mailing list?
>
>  
>
And this I do not have any experience with, sorry :(.

JES
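
The bind() failure discussed in this thread (error 99, "Cannot assign requested address", which is EADDRNOTAVAIL on Linux) can be reproduced and checked before Squid is started. The following is an added example, not part of the original message and not Squid code: the function names and the sample squid.conf text are constructed for illustration, it handles IPv4 only, and 192.0.2.1 is a documentation address assumed not to be configured on the host.

```python
import errno
import socket

# Constructed squid.conf fragment using the directives and address from the thread.
SAMPLE_SQUID_CONF = """\
# constructed sample, not a complete configuration
http_port 3128
linux_tproxy on
tcp_outgoing_address 10.1.1.100   # address the original poster tried
"""


def outgoing_addresses(conf_text):
    """Return the first argument of every tcp_outgoing_address line."""
    addrs = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] == "tcp_outgoing_address":
            addrs.append(fields[1])
    return addrs


def bind_errno(addr):
    """Try to bind a TCP socket to addr on an ephemeral port.

    Returns None when the kernel accepts the address, otherwise the
    symbolic errno name (EADDRNOTAVAIL is the "(99)" seen in the thread).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((addr, 0))
        except OSError as exc:
            return errno.errorcode.get(exc.errno, str(exc.errno))
    return None


def check_conf(conf_text):
    """Map each configured outgoing address to its bind() result."""
    return {a: bind_errno(a) for a in outgoing_addresses(conf_text)}


if __name__ == "__main__":
    for addr, err in check_conf(SAMPLE_SQUID_CONF).items():
        print(addr, "ok" if err is None else "bind() failed: " + err)
```

An address reported as EADDRNOTAVAIL is not assigned to any interface on the box, which is the condition the dummy0 suggestion in the quoted reply addresses.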
