I am trying to duplicate the configuration described in this blog post.
http://www.everydayinternetstuff.com/2011/03/squid-random-outgoing-ipinterface-selection/
This technique as I understand it is supposed to trick squid into thinking it's both a parent and a cache_peer thus allowing you to roll exit IPs from a single instance.
Using this configuration I have been able to exit the IPs that I enter on, but I am unable to rotate exit IPs when entering .
The error page being reported is an Access Denied error page from squid cache.
I'd appreciate any assistance or suggestions. Also if anyone has a working configuration done a different way, I'd appreciate hearing those suggestions as well.
http_port <entry ip>:3128
http_port <exit1>:3128
http_port <exit2>:3128
http_port <exit3>:3128
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwd
auth_param basic children 5
auth_param basic realm ProxyBox
auth_param basic credentialsttl 2 hours
acl ncsaauth proxy_auth REQUIRED
http_access allow ncsaauth
acl src_01 src <exit1>
acl src_02 src <exit2>
acl src_03 src <exit3>
tcp_outgoing_address <exit1> src_01
tcp_outgoing_address <exit2> src_02
tcp_outgoing_address <exit3> src_03
acl first_req src 127.0.0.0/8
acl second_req src <exitnet>/29
cache_peer <exit1> parent 3128 0 round-robin no-query login=proxyadmin:password
cache_peer <exit2> parent 3128 0 round-robin no-query login=proxyadmin:password
cache_peer <exit3> parent 3128 0 round-robin no-query login=proxyadmin:password
cache_peer_access <exit1> allow first_req
cache_peer_access <exit2> allow first_req
cache_peer_access <exit3> allow first_req
cache_peer_access <exit1> deny second_req
cache_peer_access <exit2> deny second_req
cache_peer_access <exit3> deny second_req
never_direct allow first_req
never_direct deny second_req
I think that the configuration described in that link is a big mess. Use a standard Squid configuration and use iptables to distribute the load between your IPs:
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 -j SNAT --to 192.168.1.201
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 2 -j SNAT --to 192.168.1.202
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 1 -j SNAT --to 192.168.1.203
Those IPs should be your local IPs.
Regards,
Diego
Related
I have an ELK stack. In front of both Logstash hosts, I set up two NGINX loadbalancers as transparent proxies.
UDP traffic is working as a charm.
TCP works with the config:
stream {
upstream syslog {
server sapvmlogstash01.sa.projectplace.com:514;
server sapvmlogstash02.sa.projectplace.com:514;
}
server {
listen 514;
proxy_pass syslog;
}
}
But I get as source_ip and source_host the LB instead of the input server's IP.
Setting the same adding proxy_bind $remote_addr transparent; doesn't work, throwing a timeout.
*1 upstream timed out (110: Connection timed out) while connecting to upstream, client: $SOURCEHOST_IP, server: 0.0.0.0:514, upstream: "$LOGSTASH_IP:514", bytes from/to client:0/0, bytes from/to upstream:0/0
I tried setting up TPROXY from here:
https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/
Logstash host:
route add default gw $NGINX_IP
route del default gw $DEFAULT_GW
NGINX host:
# Following nginx how-to
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p udp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -s $LOGSTASH_IP/24 --sport 514 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 0
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
# Enabling Upstream Servers to Reach External Servers
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
But still failing like before with the Timeout.
What is missing to get a transparent TCP host?
The official doc said:
proxy_bind $remote_addr transparent;
In order for this parameter to work, it is usually necessary to run nginx worker processes with the superuser privileges. On Linux it is not required (1.13.8) as if the transparent parameter is specified, worker processes inherit the CAP_NET_RAW capability from the master process. It is also necessary to configure kernel routing table to intercept network traffic from the proxied server.
FYI: https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/
It is common to access a container from out of host with simple iptable rules which forward a port on host to a port on container with container internal IP in hand
-A PREROUTING -d 1.2.3.4/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.4.10:80
So public IP 1.2.3.4 will routed to the container. with a proper dns record one can point a FQDN (eg: test.example.com) to this container also. and all things is working good til this point.
BUT in the host or in neighbor containers on same host, the FQDN is useless and not routed to that container.
Currently the dirty way is to point the FQDN to container private IP in /etc/hosts for host and all neighbor containers. but I think there is cleaner way to do that.
Can any one help?
UPDATE 1:
after alot of try and error, got this for host only. by setting this beside above rule it routes packets from host to that FQDN to container
iptables -A OUTPUT -d 1.2.3.4/32 -j DNAT --to-destination 10.0.4.10 -t nat
but nieghbor containers still cannot use that FQDN.
I am trying to build transparent proxy with squid on OpenBSD 5.7 with pf firewall.
I compile squid from source with below options:
$ squid -v
Squid Cache: Version **3.4.13**
configure options:
--prefix=/usr/local/squid
--with-default-user=squid
--enable-icmp
--enable-storeio=ufs,aufs
--enable-removal-policies=lru,heap
--disable-snmp
--disable-wccp
--disable-wccpv2
--enable-pf-transparent
--enable-ipv6
--enable-referer-log
--with-nat-devpf
--enable-debug-cbdata
--enable-useragent-log
--enable-refererlog
--enable-cache-digests
--with-large-files
--with-pthreads
--without-mit-krb5
--without-heimdal-krb5
--without-gnugss
--disable-eui
--disable-auth
--enable-ltdl-convenience
$ uname -a
OpenBSD dns.localdomain 5.7 GENERIC#825 amd64
My squid.conf:
visible_hostname dns.local
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# allow
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
http_port 127.0.0.1:3129 intercept
# disk cache directory.
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Enabled gateway to connect Internet:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
pf.conf:
int_if = "vic1"
ext_if = "vic0"
lan_net = "192.168.1.0/24"
# Settings
set block-policy return
set loginterface egress
set skip on lo
# NAT
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass in quick log on $ext_if inet proto tcp from 192.168.1.0/24 to port www divert-to 127.0.0.1 port 3129
pass out quick log inet from 192.168.1.0/24 divert-reply
#
# Rules
#
block all
# allow dns
pass quick on {$int_if, $ext_if} inet proto udp from {self, $lan_net} to any port 53
# allow local access to web
pass quick on $ext_if inet proto tcp from {self} to any port 80
# allow icmp
pass quick on $int_if inet proto icmp from $lan_net to any
# allow ssh from $ext_if
pass quick on $ext_if inet proto tcp from any to ($ext_if) port 22
I think problem in pf rule. Because pf can not divert packet to port 3129? I've tested with command:
nc -l 3129
but it didn't response any HTTP header.
The rule in Squid wiki can not apply to pf because syntax error.
Thank You in advance
Maybe you mean $int_if instead of $ext_if on this rule? :
pass in quick log on $ext_if inet proto tcp from 192.168.1.0/24 to port www divert-to 127.0.0.1 port 3129
As I understand, you want to divert traffic comming from internal network to local port 3129.
I am new to OpenStack and I need to change default http port for dashboard(horizon) which is currently set to 80. I've installed/deployed OpenStack using devstack script.
Which configuration files do I need to touch and change?
Obviously, changing only /etc/apache2/sites-available/horizon.conf won't do the trick...
Well, just poor me... it was only a matter of Apache Virtualhost configuration. I added another Listen directive into ports.conf file.
Sorry for posting this stupid question.
If you only edit horizon.conf, the change won't last unstack && cleanup && stack.
To make it persistent, edit /your/devstack/location/files/apache-horizon.template adding the appropriate Listen directive.
However, you still need to change the Apache listen port, as it listens on 80 anyway.
Centos 7.4, OpenStack Pike & Queens instruction
Change Puppets module ports file config /etc/httpd/conf/ports.conf:
change line Listen 80 to Listen 8888
Change default host port /etc/httpd/conf.d/15-default.conf:
change line <VirtualHost *:80> to <VirtualHost *:8888>
Change Horizon host port /etc/httpd/conf.d/15-horizon_vhost.conf:
change line <VirtualHost *:80> to <VirtualHost *:8888>
Restart http server:
$ systemctl restart httpd.service
Modify iptables:
List the iptables rules with line numbers and remember one with Horizon (11 in my case)
$ iptables -L -n --line-numbers
[...]
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80 /* 001 horizon 80 incoming */
[...]
Insert the new rule at 11
$ iptables -I INPUT 11 -p tcp -m multiport --dports 8888 -j ACCEPT -m comment --comment "001 horizon 8888 incoming"
$ service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
Remove the old rule (11+1=12, check it: $ iptables -L -n --line-numbers)
$ iptables -D INPUT 12
$ service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
I am setting up iptables rules on the server where nginx and php-fpm are running. I have allow both 80 and 443 ports but as I see there are also addiitonal connections to higher ports that are blocked.
Sample output of
netstat -anpn | grep -v ":80"
tcp 0 1 10.0.0.1:8109 10.1.2.24:29837 SYN_SENT 19834/nginx: worker
tcp 0 1 10.2.3.45:31890 10.0.0.1:26701 SYN_SENT 17831/nginx: worker
10.0.0.1 is server IP, others are clients.
My iptables rules:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
Can someone explain:
Why do nginx uses ports different from standard 80 and 443.
What is this additional ports range?
How to properly allow connections to nginx with iptables?
Thanks in advance!
Nginx will typically perform internal redirects when processing a request and this will establish connections on high numbered ports. I do not believe you can find this range.
Here is what I see for example:
tcp 0 0 192.168.0.126:80 0.0.0.0:* LISTEN 9432/nginx: worker
tcp 0 0 192.168.0.126:80 192.168.0.177:62950 ESTABLISHED 9432/nginx: worker
tcp 0 0 192.168.0.126:80 192.168.0.177:62949 ESTABLISHED 9432/nginx: worker
tcp 0 0 192.168.0.126:80 192.168.0.177:62947 ESTABLISHED 9432/nginx: worker
unix 3 [ ] STREAM CONNECTED 29213 9432/nginx: worker
The reason your firewall rules work is because you:
Have opened the required ports that your Nginx server listeners need (i.e. 80 and 443)
You have included the following firewall rule that allows all requests to localhost (127.0.0.1) so Nginx internal redirects that open high numbered ports are not blocked:
iptables -A INPUT -i lo -j ACCEPT
So to answer your questions:
Nginx server listeners can listen to any port you like not just 80 and 443. Why it uses additional ports is for internal redirects and as such an aspect of the implementation.
I do not believe you can find this range. In fact I would doubt any code would ask the system to utilize a certain port but rather would ask the OS for a high numbered unused port.
You may not have realized it but the firewall rules you implemented should work fine.
I use PHP-FPM with Nginx as well. I block all ports except 22/80/443 in iptables and haven't experienced any issues with connectivity. I examined my own netstat and it looks identical to your output. Are you sure your iptables rules are correct? Could you post the output of sudo iptables -L