Old 07-25-2013, 04:49 AM   #1
saran1987
LQ Newbie
 
Registered: May 2013
Posts: 5

Rep: Reputation: Disabled
Problem in working of Squid Proxy server with apache webserver


Hi,
I'm trying to set up a Squid proxy server for my client in order to achieve caching functionality, but I have not been able to make it work. Please find my topology and configuration details below.

Topology
____________



eth0          eth0            eth1                eth1
10.1.1.1 ---- 10.1.1.2 ------ 20.1.1.2 ---------- 20.1.1.1

10.1.1.1 ----> Client
10.1.1.2 and 20.1.1.2 ----> PC running Squid proxy server on port 3128
20.1.1.1 ----> Webserver

Initially I had not started Squid and tried connecting to the webserver from my client using
http://20.1.1.1; I was able to connect and see the HTTP request and response in my client. Then I configured Squid and redirected my HTTP traffic to the Squid port. The client is not getting a response from the webserver after Squid was configured. I have shared my Squid and webserver configurations below for reference. I need experts' help to make this happen.

iptables rule in squid server
______________________________

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

tcpdump in webserver during problem scenario
____________________________________________

14:23:19:034008 IP 20.1.1.2.48334 > 20.1.1.1.domain 12963+ PTR? 1.1.1.20.in.addr.arpa. (39)
14:23:19:034008 IP 20.1.1.1.domain > 20.1.1.2.48334 12963 Refused 0/0/0 (39)
14:23:19:034452 IP 20.1.1.2.48334 > 20.1.1.1.domain 12963+ PTR? 1.1.1.20.in.addr.arpa. (39)
14:23:19:034558 IP 20.1.1.1.domain > 20.1.1.2.48334 12963 Refused 0/0/0 (39)
14:23:19:034842 IP 20.1.1.2.48334 > 20.1.1.1.domain 12963+ PTR? 1.1.1.20.in.addr.arpa. (39)
14:23:19:034921 IP 20.1.1.1.domain > 20.1.1.2.48334 12963 Refused 0/0/0 (39)
14:23:19:035100 IP 20.1.1.2.48334 > 20.1.1.1.domain 12963+ PTR? 1.1.1.20.in.addr.arpa. (39)
14:23:19:035272 IP 20.1.1.1.domain > 20.1.1.2.48334 12963 Refused 0/0/0 (39)
14:23:19:0365 ARP, Request who-has 20.1.1.1 tell 20.1.1.2, length 46
14:23:19:0365 ARP, Reply 20.1.1. is-at 00:13:95:27:38:49 (oui unknown), length 28

What kind of packets are these? What happened to the TCP packets coming from my client?

squid.conf
____________

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network


http_access allow PURGE localhost
http_access deny PURGE

http_access allow manager localhost
http_access deny manager
http_access allow all

http_access allow localhost

icp_access allow all
http_port 3128
tcp_outgoing_address 20.1.1.2
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log

webserver configuration and resolv.conf
__________________________________________
<VirtualHost *:80>
ServerAdmin root@localhost
ServerName localhost
ServerAlias /acpu2
DocumentRoot /home/sample/acpu2
ErrorLog /home/sample/acpu2/logs/error.log
CustomLog /home/sample/acpu2/logs/access.log combined
</VirtualHost>

resolv.conf
____________
search testserver.com
nameserver 8.8.8.8
nameserver 172.16.0.173

Please help me

Last edited by saran1987; 07-25-2013 at 04:52 AM.
 
Old 07-25-2013, 11:14 PM   #2
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 665

Rep: Reputation: Disabled
Well, I am unaware of this error:

Quote:
12963 Refused 0/0/0 (39)
But one thing I can assume:
you didn't add a rule to ACCEPT the traffic coming from Squid (3128) to destination port 80, did you? Unless you open the connections being accepted for port 3128, the redirect will happen but it will be refused from Squid.

If I am correct above, you can try something like this:

Code:
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 3128 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128  # (you already had this)
 
Old 08-12-2013, 08:46 AM   #3
saran1987
LQ Newbie
 
Registered: May 2013
Posts: 5

Original Poster
Rep: Reputation: Disabled
Now I am able to see the packets being logged in the "access.log" of Squid with the configuration below. But I have some issues and doubts about the configuration below, even though it is working.

Why do we need the ip rule configuration below?

IP rules
_________
# IPv4-only
ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev eth0 table 100

Iptables Rules
______________________
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

My other concern is that even though it is working, the browser takes a long time to respond. I can see packets coming continuously on port 80, and the count keeps increasing in the iptables rules. I really don't know what is happening and why it is taking so much time to respond.
I have pasted the tcpdump output and Squid access log below for your reference. I think the packets are looping. Please provide your expert views on this.

tail -f /var/log/squid3/access.log

1376315965.142 182774 172.30.11.122 TCP_REFRESH_FAIL/200 676 GET http://172.30.11.124/logs/sample.txt - DIRECT/172.30.11.124 text/plain [Host: 172.30.11.124\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.12) Gecko/20130109 Firefox/10.0.12\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nIf-Modified-Since: Fri, 26 Jul 2013 12:28:28 GMT\r\nIf-None-Match: "100007-32-4e26947a4e855"\r\n] [HTTP/1.1 200 OK\r\nDate: Fri, 02 Aug 2013 10:57:24 GMT\r\nServer: Apache/2.2.22 (Debian)\r\nLast-Modified: Fri, 26 Jul 2013 12:28:28 GMT\r\nETag: "100007-32-4e26947a4e855"\r\nAccept-Ranges: bytes\r\nVary: Accept-Encoding\r\nContent-Encoding: gzip\r\nContent-Length: 63\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/plain\r\n\r]


root@debian:~# tcpdump -i eth0 "port 80"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:26:22.368227 IP 172.30.11.122.44827 > 172.30.11.124.http: Flags [S], seq 440858109, win 14600, options [mss 1460,sackOK,TS val 1116309460 ecr 0,nop,wscale 6], length 0
19:26:22.368272 IP 172.30.11.124.http > 172.30.11.122.44827: Flags [S.], seq 840821239, ack 440858110, win 14480, options [mss 1460,sackOK,TS val 2951944 ecr 1116309460,nop,wscale 5], length 0
19:26:22.368393 IP 172.30.11.122.44827 > 172.30.11.124.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 1116309461 ecr 2951944], length 0
19:26:22.368525 IP 172.30.11.122.44827 > 172.30.11.124.http: Flags [P.], seq 1:395, ack 1, win 229, options [nop,nop,TS val 1116309461 ecr 2951944], length 394
19:26:22.368547 IP 172.30.11.124.http > 172.30.11.122.44827: Flags [.], ack 395, win 486, options [nop,nop,TS val 2951944 ecr 1116309461], length 0
19:26:22.369129 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2465572647, ack 1855512778, win 14480, options [mss 1460,sackOK,TS val 2951944 ecr 2951944,nop,wscale 5], length 0
19:26:22.369250 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:26:23.365767 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2481145134, ack 1855512778, win 14480, options [mss 1460,sackOK,TS val 2952194 ecr 2952194,nop,wscale 5], length 0
19:26:23.365883 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:26:25.369769 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2512457658, ack 1855512778, win 14480, options [mss 1460,sackOK,TS val 2952695 ecr 2952695,nop,wscale 5], length 0
19:26:25.369887 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:26:29.373765 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2575020098, ack 1855512778, win 14480, options [mss 1460,sackOK,TS val 2953696 ecr 2953696,nop,wscale 5], length 0
19:26:29.373888 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:26:37.389769 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2700270130, ack 1855512778, win 14480, options [mss 1460,sackOK,TS val 2955700 ecr 2955700,nop,wscale 5], length 0
19:26:37.389889 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:26:53.437773 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2951020205, ack 1855512778, win 14480, options [mss 1460,sackOK,TS val 2959712 ecr 2959712,nop,wscale 5], length 0
19:26:53.437893 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:27:23.954235 IP 172.30.11.124.http > 172.30.11.122.34517: Flags [S.], seq 4191664604, ack 1175097171, win 14480, options [mss 1460,sackOK,TS val 2967341 ecr 2967341,nop,wscale 5], length 0
19:27:23.954360 IP 172.30.11.122.34517 > 172.30.11.124.http: Flags [R], seq 1175097171, win 0, length 0
19:27:24.953761 IP 172.30.11.124.http > 172.30.11.122.34517: Flags [S.], seq 4207282257, ack 1175097171, win 14480, options [mss 1460,sackOK,TS val 2967591 ecr 2967591,nop,wscale 5], length 0
19:27:24.953880 IP 172.30.11.122.34517 > 172.30.11.124.http: Flags [R], seq 1175097171, win 0, length 0
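
Added example, not part of the original post: a Python script that reads tcpdump text like the capture above and lists flows where a SYN-ACK appears with no SYN visible in the capture and is answered with RST, together with the spacing between the SYN-ACK retransmissions. The function name `orphan_synacks` and the abridged sample are constructed here; in the capture above this pattern shows up for ports 56295 and 34517, with retransmission gaps of roughly 1, 2, 4, 8 and 16 seconds for 56295.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the capture in the post above
# (TCP options dropped, later retransmissions omitted).
SAMPLE = """\
19:26:22.368227 IP 172.30.11.122.44827 > 172.30.11.124.http: Flags [S], seq 440858109, win 14600, length 0
19:26:22.368272 IP 172.30.11.124.http > 172.30.11.122.44827: Flags [S.], seq 840821239, ack 440858110, win 14480, length 0
19:26:22.369129 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2465572647, ack 1855512778, win 14480, length 0
19:26:22.369250 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:26:23.365767 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2481145134, ack 1855512778, win 14480, length 0
19:26:23.365883 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:26:25.369769 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2512457658, ack 1855512778, win 14480, length 0
19:26:25.369887 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:26:29.373765 IP 172.30.11.124.http > 172.30.11.122.56295: Flags [S.], seq 2575020098, ack 1855512778, win 14480, length 0
19:26:29.373888 IP 172.30.11.122.56295 > 172.30.11.124.http: Flags [R], seq 1855512778, win 0, length 0
19:27:23.954235 IP 172.30.11.124.http > 172.30.11.122.34517: Flags [S.], seq 4191664604, ack 1175097171, win 14480, length 0
19:27:23.954360 IP 172.30.11.122.34517 > 172.30.11.124.http: Flags [R], seq 1175097171, win 0, length 0
19:27:24.953761 IP 172.30.11.124.http > 172.30.11.122.34517: Flags [S.], seq 4207282257, ack 1175097171, win 14480, length 0
19:27:24.953880 IP 172.30.11.122.34517 > 172.30.11.124.http: Flags [R], seq 1175097171, win 0, length 0
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+) > (\S+): Flags \[([A-Z.]+)\]")

def orphan_synacks(capture):
    """Map (responder, target) -> gaps in whole seconds between unsolicited SYN-ACKs."""
    syn_seen, rst_seen, synack_times = set(), set(), defaultdict(list)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip tcpdump banner lines and non-IP records
        hh, mm, ss, src, dst, flags = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        if flags == "S":
            syn_seen.add((src, dst))
        elif flags == "S.":
            synack_times[(src, dst)].append(t)
        elif "R" in flags:
            rst_seen.add((src, dst))
    report = {}
    for (responder, target), times in synack_times.items():
        # Keep only SYN-ACKs with no SYN from the target and an RST back from it.
        if (target, responder) not in syn_seen and (target, responder) in rst_seen:
            report[(responder, target)] = [round(b - a) for a, b in zip(times, times[1:])]
    return report

if __name__ == "__main__":
    for flow, gaps in orphan_synacks(SAMPLE).items():
        print(flow, "SYN-ACK retransmit gaps (s):", gaps)
```

A doubling gap sequence is the responder's SYN-ACK retransmission timer; the RST means the host receiving the SYN-ACK has no matching connection for that port.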
 
  

