Hello,
I have the following network configuration running:
Squid runs in a Docker image.
Squid has the following config:
```
root@docker-image:/# squid3 -k parse
2014/10/21 12:35:49| Startup: Initializing Authentication Schemes ...
2014/10/21 12:35:49| Startup: Initialized Authentication Scheme 'basic'
2014/10/21 12:35:49| Startup: Initialized Authentication Scheme 'digest'
2014/10/21 12:35:49| Startup: Initialized Authentication Scheme 'negotiate'
2014/10/21 12:35:49| Startup: Initialized Authentication Scheme 'ntlm'
2014/10/21 12:35:49| Startup: Initialized Authentication.
2014/10/21 12:35:49| Processing Configuration File: /etc/squid3/squid.conf (depth 0)
2014/10/21 12:35:49| Processing: acl QUERY urlpath_regex -i cgi-bin \? \.php$ \.asp$ \.shtml$ \.cfm$ \.cfml$ \.phtml$ \.php3$ localhost
2014/10/21 12:35:49| Processing: acl all src
2014/10/21 12:35:49| Processing: acl localnet src 10.0.0.0/8
2014/10/21 12:35:49| Processing: acl localnet src 172.0.0.0/8
2014/10/21 12:35:49| Processing: acl localnet src 192.168.0.0/16 # Your network here
2014/10/21 12:35:49| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3128 1025-65535
2014/10/21 12:35:49| Processing: acl sslports port 443 563 81 2087 10000 3128
2014/10/21 12:35:49| Processing: acl purge method PURGE
2014/10/21 12:35:49| Processing: acl connect method CONNECT
2014/10/21 12:35:49| Processing: acl ym dstdomain .messenger.yahoo.com .psq.yahoo.com
2014/10/21 12:35:49| Processing: acl ym dstdomain .us.il.yimg.com .msg.yahoo.com .pager.yahoo.com
2014/10/21 12:35:49| Processing: acl ym dstdomain .rareedge.com .ytunnelpro.com .chat.yahoo.com
2014/10/21 12:35:49| Processing: acl ym dstdomain .voice.yahoo.com
2014/10/21 12:35:49| Processing: acl ymregex url_regex yupdater.yim ymsgr myspaceim
2014/10/21 12:35:49| Processing: http_access deny ym
2014/10/21 12:35:49| Processing: http_access deny ymregex
2014/10/21 12:35:49| Processing: http_access allow manager localhost
2014/10/21 12:35:49| Processing: http_access deny manager
2014/10/21 12:35:49| Processing: http_access allow purge localhost
2014/10/21 12:35:49| Processing: http_access deny purge
2014/10/21 12:35:49| Processing: http_access deny !safeports
2014/10/21 12:35:49| Processing: http_access deny CONNECT !sslports
2014/10/21 12:35:49| Processing: http_access allow localhost
2014/10/21 12:35:49| Processing: http_access allow localnet
2014/10/21 12:35:49| Processing: http_access deny all
2014/10/21 12:35:49| Processing: http_port 3128 intercept
2014/10/21 12:35:49| Starting Authentication on port [::]:3128
2014/10/21 12:35:49| Disabling Authentication on port [::]:3128 (interception enabled)
2014/10/21 12:35:49| Disabling IPv6 on port [::]:3128 (interception enabled)
2014/10/21 12:35:49| Processing: http_port 3129
2014/10/21 12:35:49| Processing: cache_mem 8 MB
2014/10/21 12:35:49| Processing: maximum_object_size_in_memory 32 KB
2014/10/21 12:35:49| Processing: memory_replacement_policy heap GDSF
2014/10/21 12:35:49| Processing: cache_replacement_policy heap LFUDA
2014/10/21 12:35:49| Processing: cache_dir aufs /var/proxy_cache/ 10000 14 256
2014/10/21 12:35:49| Processing: maximum_object_size 128000 KB
2014/10/21 12:35:49| Processing: cache_swap_low 95
2014/10/21 12:35:49| Processing: cache_swap_high 99
2014/10/21 12:35:49| Processing: access_log /var/log/squid3/access.log
2014/10/21 12:35:49| Processing: cache_log /var/log/squid3/cache.log
2014/10/21 12:35:49| Processing: cache_store_log none
2014/10/21 12:35:49| Processing: logfile_rotate 5
2014/10/21 12:35:49| Processing: log_icp_queries off
2014/10/21 12:35:49| Processing: reply_header_max_size 200 KB
2014/10/21 12:35:49| Processing: cache deny QUERY
2014/10/21 12:35:49| Processing: refresh_pattern ^ftp: 1440 20% 10080
2014/10/21 12:35:49| Processing: refresh_pattern ^gopher: 1440 0% 1440
2014/10/21 12:35:49| Processing: refresh_pattern -i \.(gif|png|jp?g|ico|bmp|tiff?)$ 10080 95% 43200
2014/10/21 12:35:49| Processing: refresh_pattern -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)$ 10080 90% 43200
2014/10/21 12:35:49| Processing: refresh_pattern -i \.(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd)$ 43200 95% 432000
2014/10/21 12:35:49| Processing: refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
2014/10/21 12:35:49| Processing: refresh_pattern -i \.index.(html|htm)$ 0 75% 10080
2014/10/21 12:35:49| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2014/10/21 12:35:49| Processing: refresh_pattern . 1440 90% 10080
2014/10/21 12:35:49| Processing: quick_abort_min 0 KB
2014/10/21 12:35:49| Processing: quick_abort_max 0 KB
2014/10/21 12:35:49| Processing: quick_abort_pct 100
2014/10/21 12:35:49| Processing: store_avg_object_size 13 KB
2014/10/21 12:35:49| Processing: vary_ignore_expire on
2014/10/21 12:35:49| Processing: forward_timeout 240 second
2014/10/21 12:35:49| Processing: connect_timeout 30 second
2014/10/21 12:35:49| Processing: peer_connect_timeout 5 second
2014/10/21 12:35:49| Processing: read_timeout 600 second
2014/10/21 12:35:49| Processing: request_timeout 60 second
2014/10/21 12:35:49| Processing: shutdown_lifetime 10 second
2014/10/21 12:35:49| Processing: cache_mgr ninja
2014/10/21 12:35:49| Processing: cache_effective_user proxy
2014/10/21 12:35:49| Processing: cache_effective_group proxy
2014/10/21 12:35:49| Processing: httpd_suppress_version_string on
2014/10/21 12:35:49| Processing: visible_hostname ninja
2014/10/21 12:35:49| Processing: ftp_passive on
2014/10/21 12:35:49| Processing: ftp_sanitycheck on
2014/10/21 12:35:49| Processing: dns_timeout 10 seconds
2014/10/21 12:35:49| Processing: dns_nameservers 192.168.1.1 8.8.8.8 8.8.4.4 # DNS Server
2014/10/21 12:35:49| Processing: memory_pools off
2014/10/21 12:35:49| Processing: client_db off
2014/10/21 12:35:49| Processing: reload_into_ims on
2014/10/21 12:35:49| Processing: coredump_dir /var/log/squid3/
2014/10/21 12:35:49| Processing: pipeline_prefetch on
2014/10/21 12:35:49| Processing: offline_mode off
```
To get the requests to the proxy I used the following iptables commands:
```
root@server:~# ip route change to default dev eth0 via 192.168.178.1
root@server:~# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 172.17.0.2:3128
root@server:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
Squid gives me the following output when I open a web page on the client:
access.log:
```
1413894208.343      0 172.17.0.2 TCP_MISS/403 3964 GET http://www.heise.de/ - HIER_NONE/- text/html
1413894208.344   5036 10.229.80.185 TCP_MISS/403 4047 GET http://www.heise.de/ - HIER_DIRECT/172.17.0.2 text/html
```
cache.log:
```
2014/10/21 12:23:28| Error sending to ICMPv6 packet to [2a02:2e0:3fe:1001:7777:772e:2:85]. ERR: (101) Network is unreachable
2014/10/21 12:23:28 kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Host: www.heise.de
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: wt3_eid=%3B288689636920174%7C2141379814100900221; wt3_sid=%3B288689636920174
Via: 1.1 ninja (squid)
X-Forwarded-For: 10.229.80.185
Cache-Control: max-age=604800
Connection: keep-alive
```
I think my problem is related to iptables. The problem is that when the packet leaves Squid, the server sends it back to Squid instead of sending it "outside" via eth0. So first of all the question: does this work at all the way I imagine it? And if so, how? If not, I will probably get it running the old, proven way without Docker.
Regards, Darth Erfinder
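As an added diagnostic example (not part of the post above and not Squid's own code), the following Python script parses Squid access.log lines in the default native format and flags the two loop symptoms visible in the quoted log: a request whose next hop (`HIER_DIRECT/<peer>`) is the proxy's own address, and a request whose client is the proxy itself. It also reproduces the check behind Squid's "Forwarding loop detected" warning in cache.log: Squid appends `1.1 <visible_hostname> (squid)` to the `Via` header on every hop, so seeing its own name (`ninja` in the post) on an incoming request means the request has already passed through it. The sample log lines are constructed from the two entries in the post plus one healthy request; the proxy address set and the hostname are assumptions taken from the post.

```python
"""Detect Squid forwarding-loop symptoms in access.log and Via headers.

Added diagnostic example; not code from the forum post or from Squid.
Assumes the default Squid native access.log format:
  timestamp elapsed client action/status bytes method URL ident hier/peer type
"""
import re
from dataclasses import dataclass

# Constructed sample: the two lines quoted in the post plus one healthy request.
SAMPLE_ACCESS_LOG = """\
1413894208.343      0 172.17.0.2 TCP_MISS/403 3964 GET http://www.heise.de/ - HIER_NONE/- text/html
1413894208.344   5036 10.229.80.185 TCP_MISS/403 4047 GET http://www.heise.de/ - HIER_DIRECT/172.17.0.2 text/html
1413894210.100    120 10.229.80.186 TCP_MISS/200 15234 GET http://www.example.org/ - HIER_DIRECT/93.184.216.34 text/html
"""

# Assumed from the post: the container address Squid listens on and its visible_hostname.
PROXY_ADDRS = {"172.17.0.2"}
VISIBLE_HOSTNAME = "ninja"

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)


@dataclass
class Entry:
    ts: float
    client: str
    status: int
    url: str
    hier: str
    peer: str


def parse_access_log(text):
    """Parse native-format access.log lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(float(m["ts"]), m["client"], int(m["status"]),
                                 m["url"], m["hier"], m["peer"]))
    return entries


def find_loop_indicators(entries, proxy_addrs=PROXY_ADDRS):
    """Return (reason, entry) pairs for entries that look like a forwarding loop.

    'next-hop-is-self': Squid forwarded the request to its own address. In
    intercept mode Squid can only recover the original destination when the
    NAT redirect is done on the host/namespace Squid itself runs in; otherwise
    the "original" destination it sees is its own listening socket.
    'client-is-self': the request arrived from the proxy's own address, i.e.
    the second pass of the same request through the proxy.
    """
    findings = []
    for e in entries:
        if e.hier == "HIER_DIRECT" and e.peer in proxy_addrs:
            findings.append(("next-hop-is-self", e))
        if e.client in proxy_addrs:
            findings.append(("client-is-self", e))
    return findings


def via_contains_self(via_header, hostname=VISIBLE_HOSTNAME):
    """True when this proxy's hostname already appears in a Via header.

    Each Via hop looks like '1.1 ninja (squid)' or '1.0 fred'; the received-by
    token is the second field and may carry a ':port' suffix.
    """
    for hop in via_header.split(","):
        parts = hop.split()
        if len(parts) >= 2 and parts[1].split(":")[0] == hostname:
            return True
    return False


if __name__ == "__main__":
    for reason, e in find_loop_indicators(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f"{reason}: client={e.client} url={e.url} {e.hier}/{e.peer} status={e.status}")
    print("Via already lists this proxy:", via_contains_self("1.1 ninja (squid)"))
```

Run against a real access.log by replacing `SAMPLE_ACCESS_LOG` with the file contents; a `next-hop-is-self` finding on an intercept port is the quickest way to tell that the redirect is not being applied where Squid can read the original destination, before looking at iptables rules themselves.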