[tproxy] Problems Caching

Jose Oliveira de Almeida Filho jose.almeida-filho at serpro.gov.br
Fri Aug 14 18:17:36 CEST 2009


*squid.conf:*
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all
http_port 3128
http_port 3129 tproxy
hierarchy_stoplist cgi-bin ?
cache_mem 100 MB
cache_dir ufs /var/spool/squid 100 16 256
access_log /var/log/access.log squid
cache_log /var/log/cache.log
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern (cgi-bin|\?)    0    0%    0
refresh_pattern .        0    20%    4320
icp_port 3130
coredump_dir /var/spool/squid

*iptables configuration:*
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j DROP
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

*squid -v:*
Squid Cache: Version 3.1.0.13
configure options:  '--prefix=/usr' '--localstatedir=/var' 
'--libexecdir=/usr/lib/squid' '--srcdir=.' '--datadir=/usr/share/squid' 
'--sysconfdir=/etc/squid' '--with-default-user=proxy' 
'--with-logdir=/var/log' '--with-pidfile=/var/run/squid.pid' 
'--enable-linux-netfilter' --with-squid=/usr/src/squid-3.1.0.13 
--enable-ltdl-convenience

*network scenario:*
pc => proxy/squid/tproxy => router


*José Oliveira de Almeida Filho*
Network Analyst
SERPRO/SUPRE/REPRO/RERCE
+55 0XX 81 2126 4016
jose.almeida-filho at serpro.gov.br


Asif Bakali wrote:
> Gday
> post your squid conf, iptables configuration, squid -v compile
> options and network scenario
>
>
>  
> On Fri, Aug 14, 2009 at 12:40 AM, Jose Oliveira de Almeida Filho
> <jose.almeida-filho at serpro.gov.br> wrote:
>
>     Hi,
>
>     I'm having problems with squid caching.
>
>     My situation is:
>
>     Squid isn't writing to access.log, but the traffic is arriving
>     at the destination with the origin IP.
>     Squid isn't caching either.
>
>     The cards are in bridge mode and the permissions are for user proxy
>     normally (+w).
>     When I stop squid, the traffic stops too, indicating that
>     iptables transfers packets to squid (http_port 3129 tproxy)
>
>     Regards,
