[tproxy] Debian K2.6 + wccp + tproxy squid 2.6 stable15

Nicolas Royo nicolasroyo at yahoo.com
Thu May 17 07:08:59 CEST 2007


Hi fellows,

Hope you can help me out with a problem I'm still having.
The problem is quite simple and complicated.

We are at a small ISP, trying to implement squid without "the user noticing it".
We've come very far reading your lists and googling squid's tproxy.

On a linux box, only one eth0, with a gre0, with a cisco 7200.
Kernel and iptables patched with the latest cttproxy :D

iptables -L -t tproxy
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 0.0.0.0:3128

> #####squid Conf.##### 
> http_port 3128 tproxy transparent 
> hierarchy_stoplist cgi-bin ? 
> acl QUERY urlpath_regex cgi-bin \? 
> cache deny QUERY 
> acl apache rep_header Server ^Apache 
> broken_vary_encoding allow apache 
> access_log /usr/local/squid/var/logs/access.log squid 
> refresh_pattern ^ftp: 1440 20% 10080 
> refresh_pattern ^gopher: 1440 0% 1440 
> refresh_pattern . 0 20% 4320 
> acl all src 0.0.0.0/0.0.0.0 
> acl manager proto cache_object 
> acl localhost src 127.0.0.1/255.255.255.255 
> acl Safe_ports port 80 # http 
> acl Safe_ports port 21 # ftp 
> acl Safe_ports port 443 # https 
> acl Safe_ports port 70 # gopher 
> acl Safe_ports port 210 # wais 
> acl Safe_ports port 1025-65535 # unregistered ports 
> acl Safe_ports port 280 # http-mgmt 
> acl Safe_ports port 488 # gss-http 
> acl Safe_ports port 591 # filemaker 
> acl Safe_ports port 777 # multiling http 
> acl to_localhost dst 127.0.0.0/8 
> acl SSL_ports port 443 
> acl Safe_ports port 80 # http 
> acl Safe_ports port 21 # ftp 
> acl Safe_ports port 443 # https 
> acl Safe_ports port 70 # gopher 
> acl Safe_ports port 210 # wais 
> acl Safe_ports port 1025-65535 # unregistered ports 
> acl Safe_ports port 280 # http-mgmt 
> acl Safe_ports port 488 # gss-http 
> acl Safe_ports port 591 # filemaker 
> acl Safe_ports port 777 # multiling http 
> acl CONNECT method CONNECT 
> http_access allow manager localhost 
> http_access deny manager 
> http_access deny !Safe_ports 
> http_access deny CONNECT !SSL_ports 
> acl our_networks src 0.0.0.0/0.0.0.0 
> http_access allow our_networks 
> http_access deny all 
> http_reply_access allow all 
> icp_access allow all 
> visible_hostname debian-sq 
> wccp2_router XXX.XXX.XXX.XXX 
> wccp_version 4 
> wccp2_forwarding_method 1 
> wccp2_return_method 1 
> wccp2_assignment_method 1 
> coredump_dir /usr/local/squid/var/cache 
> via off 
> forwarded_for off 

With these last 2 options we have played a lot.
If set on, the client IP is passing through squid, but URLs like www.whatsmyipadress.com
are still detecting a proxy behind it! :(

If set off, squid's IP is reaching the final URL, but squid is not being detected.

As far as I can tell, if I set the parameter:
tcp_outgoing_address x.x.x.x
and add another iptables rule and NIC to the linux box, the requested page in the
client browser "dies" (keeps waiting till it times out),
so no tcp_outgoing_address has to be set up in order to surf without problems.


BUT

If it is not set up, in syslog and squid.out I can see:
squid-RC9 squid[26519]: tproxy ip=[x.x.x.x--->client address here],0xa4e851c8,port=0
ERROR ASSIGN


What else should I check?

There is a hardware solution that has been offered to us... Bluecoat SG... that is
covering all these needs, by our boss.

But it is such an expensive product in a country like ours (Argentina) that we can't afford
it... we bet on tproxy's magic... we still believe.

Thanks in advance

Nicolas
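The "proxy detected" behaviour discussed above comes from request headers Squid adds on the way out: `via on` emits a `Via:` header and `forwarded_for on` emits `X-Forwarded-For:` with the client address (with `forwarded_for off`, Squid 2.x still sends the header, with the literal value `unknown`). The following is an added example, not code from the original post or from the Squid project: a small checker that parses a raw HTTP request as an origin server would see it and reports which headers give the proxy away. The sample requests, the hostname `debian-sq` and the addresses in them are constructed.

```python
"""Report the request headers that reveal a transparent Squid in the path.

Added example (not from the mailing-list post).  The sample requests below are
constructed; the Via/X-Forwarded-For values mimic what Squid emits under the
`via` and `forwarded_for` directives discussed in the post.
"""
from typing import Dict, List

# Request headers an origin server can use to infer an intermediate proxy.
# Squid emits Via when `via on` and X-Forwarded-For when `forwarded_for on`;
# Squid 2.x with `forwarded_for off` still sends "X-Forwarded-For: unknown".
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")


def parse_request(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of an HTTP/1.x request.

    Returns a dict keyed by lower-cased header name; repeated headers are kept
    in order as a list.  The request line is stored under the key "".
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {"": [lines[0]]}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def proxy_indicators(raw: str) -> List[str]:
    """Return the reasons an origin would conclude a proxy handled this request."""
    headers = parse_request(raw)
    reasons: List[str] = []
    for name in PROXY_HEADERS:
        for value in headers.get(name, []):
            if name == "x-forwarded-for" and value.lower() == "unknown":
                # Squid 2.x `forwarded_for off`: client IP hidden, proxy still visible.
                reasons.append("X-Forwarded-For: unknown (forwarded_for off, header still sent)")
            else:
                reasons.append(f"{name} header present: {value}")
    return reasons


def proxy_detected(raw: str) -> bool:
    """True if any proxy-revealing header is present."""
    return bool(proxy_indicators(raw))


# Constructed sample: Squid 2.6 with `via on` and `forwarded_for on`.
REQ_DEFAULT = (
    "GET / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Via: 1.0 debian-sq:3128 (squid/2.6.STABLE15)\r\n"
    "X-Forwarded-For: 192.0.2.10\r\n"
    "\r\n"
)

# Constructed sample: `via on`, `forwarded_for off` on Squid 2.x.
REQ_FF_OFF = (
    "GET / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Via: 1.0 debian-sq:3128 (squid/2.6.STABLE15)\r\n"
    "X-Forwarded-For: unknown\r\n"
    "\r\n"
)

# Constructed sample: `via off` and no X-Forwarded-For header at all.
REQ_CLEAN = (
    "GET / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: constructed-sample/1.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("default", REQ_DEFAULT), ("ff_off", REQ_FF_OFF), ("clean", REQ_CLEAN)):
        print(label, proxy_detected(req), proxy_indicators(req))
```

Run it as a script and the three samples show the progression: both headers flag the default configuration, `forwarded_for off` alone still leaves a `Via` plus the `unknown` marker, and only the last request looks like it came straight from the client. One caveat for the `via off` setting: Squid uses the `Via` header to detect forwarding loops, so switching it off also removes that protection, which matters once a second cache or a WCCP misconfiguration can route traffic back through the same box.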


