Posted to users@trafficserver.apache.org by 魏晋 <we...@gmail.com> on 2010/12/27 07:50:02 UTC

transparent proxy document problems

Hi
    I built ATS for transparent proxying, and I configured the computer in
bridge mode according to the "Inline on Linux bridge" document.
However, the transparent proxy did not work; it did not even receive the
client request.

    the ats version: 2.1.4-unstable
    the os system: ubuntu-10.04(kernel: 2.6.32-27-generic)

    the record.config file
        ...
           proxy.config.http.server_port INT 8080
           proxy.config.http.server_port_attr STRING =
           proxy.config.reverse_proxy.enable INT 1
           proxy.config.url_remap.remap_required INT 0
           proxy.config.cluster.ethernet_interface STRING br0

    BTW: I added "-t mangle" in the two iptables commands, or they
would generate the error message
 "iptables: No chain/target/match by that name."  in my system.

    my system config

          brctl addbr br0 # create bridge device
          brctl stp br0 off # Disable spanning tree protocol
          brctl addif br0 eth0 # Add eth0 to bridge
          brctl addif br0 eth1 # Add eth1 to bridge

          ifconfig eth0 0 0.0.0.0 # Get rid of interface IP addresses
          ifconfig eth1 0 0.0.0.0 # ditto
          # Set the bridge IP address and enable it
          ifconfig br0 192.168.8.206 netmask 255.255.255.0 up
          route add default gw 192.168.8.1
          ebtables -t broute -F
           # inbound traffic
           ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
           -j redirect --redirect-target DROP
           # returning outbound traffic
           ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
           -j redirect --redirect-target DROP

           iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 \
           -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
           iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --sport 80 \
           -j MARK --set-mark 1/1

Re: transparent proxy document problems

Posted by "Alan M. Carroll" <am...@network-geographics.com>.
I have ATS working in fully transparent mode on a bridged Linux box once again.

Could you check the FILTER chain to make sure that's not preventing connections?

Just to double check, you could do HTTP requests across the bridge before trying to get ATS to work?

Here are some command outputs from my working system. You should check them against yours.

[root@tidus ~]# iptables-save
# Generated by iptables-save v1.4.7 on Mon Jan  3 21:48:59 2011
*mangle
:PREROUTING ACCEPT [62665:33268149]
:INPUT ACCEPT [47460:28434552]
:FORWARD ACCEPT [22286:5671065]
:OUTPUT ACCEPT [38554:11735201]
:POSTROUTING ACCEPT [60855:17406859]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
COMMIT
# Completed on Mon Jan  3 21:48:59 2011
# Generated by iptables-save v1.4.7 on Mon Jan  3 21:48:59 2011
*filter
:INPUT ACCEPT [47484:28436623]
:FORWARD ACCEPT [22333:5679872]
:OUTPUT ACCEPT [38568:11736735]
COMMIT
# Completed on Mon Jan  3 21:48:59 2011


[root@tidus ~]# ebtables-save
# Generated by ebtables-save v1.0 on Mon Jan  3 21:49:15 CST 2011
*broute
:BROUTING ACCEPT
-A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect  --redirect-target DROP
-A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect  --redirect-target DROP

*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT

[root@tidus ~]# ip rule show
0:      from all lookup local
32763:  from all fwmark 0x1/0x1 lookup 1
32766:  from all lookup main
32767:  from all lookup default

[root@tidus ~]# ip route show table 1
local default dev lo  scope host
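A diagnostic for comparing a setup against the outputs Alan posted above, as an added example that is not part of the thread and not ATS project code: it reads saved dumps of `iptables-save`, `ebtables-save`, `ip rule show` and `ip route show table 1` and reports which piece of the inline-bridge configuration is absent (TPROXY and MARK rules in the mangle table, both ebtables BROUTING redirects, the fwmark policy-routing rule, the local route in table 1, and filter chains that do not drop). The interface names eth1 (client side) and eth0 (origin side), port 8080 and mark 0x1/0x1 are the thread's values and are assumptions; the sample dumps are constructed, the "broken" set modelling the original post, which never mentions the policy routing step.

```shell
#!/bin/sh
# Added diagnostic (not the ATS project's code and not from either poster).
# It checks saved rule dumps for every piece Alan's working system shows:
# the TPROXY and MARK rules in the mangle table, both ebtables BROUTING
# redirects, the fwmark policy-routing rule and the "local default dev lo"
# route in the marked table, and that the filter chains do not drop traffic.
# Assumed layout, as in the thread: client side eth1, origin side eth0,
# ATS on port 8080, mark 0x1/0x1, routing table 1.

# check_dumps DIR [CLIENT_IF] [ORIGIN_IF] [PORT]
# DIR holds iptables-save.txt ebtables-save.txt ip-rule.txt ip-route-table1.txt
# (the outputs of iptables-save, ebtables-save, "ip rule show" and
# "ip route show table 1"). Prints one line per missing piece and returns 0
# only when everything is present.
check_dumps() {
    dir=$1; client_if=${2:-eth1}; origin_if=${3:-eth0}; port=${4:-8080}
    missing=0
    # need PATTERN FILE DESCRIPTION: record a missing piece if PATTERN is absent
    need() {
        grep -qE -- "$1" "$dir/$2" || { echo "missing: $3"; missing=$((missing + 1)); }
    }
    need '^\*mangle' iptables-save.txt \
        "mangle table (the TPROXY target only exists there; hence -t mangle)"
    need "^-A PREROUTING -i $client_if .*--dport 80 -j TPROXY .*--on-port $port" \
        iptables-save.txt "TPROXY rule for client-side interface $client_if"
    need "^-A PREROUTING -i $origin_if .*--sport 80 -j MARK" \
        iptables-save.txt "MARK rule for returning traffic on $origin_if"
    need '^-A BROUTING .*--ip-dport 80 -j redirect' ebtables-save.txt \
        "ebtables BROUTING redirect for inbound port 80"
    need '^-A BROUTING .*--ip-sport 80 -j redirect' ebtables-save.txt \
        "ebtables BROUTING redirect for returning port 80"
    need 'fwmark 0x1/0x1 lookup 1' ip-rule.txt "policy-routing rule for fwmark 0x1"
    need '^local default dev lo' ip-route-table1.txt "local route in table 1"
    # Alan's first question: is the filter table quietly blocking connections?
    if grep -qE '^:(INPUT|FORWARD) DROP' "$dir/iptables-save.txt" ||
       grep -qE '^-A (INPUT|FORWARD) .*-j (DROP|REJECT)' "$dir/iptables-save.txt"; then
        echo "missing: permissive filter chains (a DROP/REJECT there blocks the bridge)"
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# Constructed sample dumps: "working" mirrors the outputs Alan posted,
# "broken" mirrors the original poster's setup, which never mentions the
# policy routing step (no fwmark rule, empty table 1).
SAMPLES=$(mktemp -d)
mkdir -p "$SAMPLES/working" "$SAMPLES/broken"
cat > "$SAMPLES/working/iptables-save.txt" <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
cat > "$SAMPLES/working/ebtables-save.txt" <<'EOF'
*broute
:BROUTING ACCEPT
-A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
EOF
printf '0:\tfrom all lookup local\n32763:\tfrom all fwmark 0x1/0x1 lookup 1\n32766:\tfrom all lookup main\n' \
    > "$SAMPLES/working/ip-rule.txt"
echo 'local default dev lo  scope host' > "$SAMPLES/working/ip-route-table1.txt"
cp "$SAMPLES/working/iptables-save.txt" "$SAMPLES/working/ebtables-save.txt" "$SAMPLES/broken/"
printf '0:\tfrom all lookup local\n32766:\tfrom all lookup main\n' > "$SAMPLES/broken/ip-rule.txt"
: > "$SAMPLES/broken/ip-route-table1.txt"

echo "working:"; check_dumps "$SAMPLES/working" && echo "  all pieces present"
echo "broken:";  check_dumps "$SAMPLES/broken"  || echo "  policy routing is the gap"
```

On a real box, save the four outputs into a directory with those file names and run `check_dumps DIR` (passing other interface names or port as extra arguments); the pattern for the mangle table is the check that catches the missing `-t mangle` the original post had to add by hand.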


Re: transparent proxy document problems

Posted by "Alan M. Carroll" <am...@network-geographics.com>.
I've tried setting it up again but I am having problems as well. When I get it working, I will update the documentation and (hopefully!) provide further hints for you.

Friday, December 31, 2010, 7:57:07 AM, you wrote:

> Yes, the client is attached to interface eth1 in router mode, and
> the client can access the origin server in bridge mode without
> ebtables / iptables changes.
> The two ebtables commands can indeed intercept the packet/frame, but
> I am not sure whether the iptables commands work or not.

> My router configuration:
>       iptables -F
>       iptables -t nat -F
>       iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
>       iptables --append FORWARD --in-interface eth1 -j ACCEPT
>       echo 1 > /proc/sys/net/ipv4/ip_forward
>       .... # commands according to the "Inline in linux router" document





> 2010/12/30 Alan M. Carroll <am...@network-geographics.com>:
>> Thursday, December 30, 2010, 3:44:00 AM, you wrote:

>>> Thanks for your reply.
>>> Yes, I set up the policy routing according to the "Inline on Linux
>>> bridge" document, but it did not work.  The way the "Inline on a Linux
>>> router" document tells us did not work either. ATS just cannot
>>> accept any request in transparent mode.

>> Are you certain that the client is attached to interface eth1? The treatment of the client side and origin server side interfaces is not symmetric.

>> Does the bridge work without ATS and the ebtables / iptables changes?




Re: transparent proxy document problems

Posted by 魏晋 <we...@gmail.com>.
Yes, the client is attached to interface eth1 in router mode, and
the client can access the origin server in bridge mode without
ebtables / iptables changes.
The two ebtables commands can indeed intercept the packet/frame, but
I am not sure whether the iptables commands work or not.

My router configuration:
      iptables -F
      iptables -t nat -F
      iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
      iptables --append FORWARD --in-interface eth1 -j ACCEPT
      echo 1 > /proc/sys/net/ipv4/ip_forward
      .... # commands according to the "Inline in linux router" document





2010/12/30 Alan M. Carroll <am...@network-geographics.com>:
> Thursday, December 30, 2010, 3:44:00 AM, you wrote:
>
>> Thanks for your reply.
>> Yes, I set up the policy routing according to the "Inline on Linux
>> bridge" document, but it did not work.  The way the "Inline on a Linux
>> router" document tells us did not work either. ATS just cannot
>> accept any request in transparent mode.
>
> Are you certain that the client is attached to interface eth1? The treatment of the client side and origin server side interfaces is not symmetric.
>
> Does the bridge work without ATS and the ebtables / iptables changes?
>
>

Re: transparent proxy document problems

Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Thursday, December 30, 2010, 3:44:00 AM, you wrote:

> Thanks for your reply.
> Yes, I set up the policy routing according to the "Inline on Linux
> bridge" document, but it did not work.  The way the "Inline on a Linux
> router" document tells us did not work either. ATS just cannot
> accept any request in transparent mode.

Are you certain that the client is attached to interface eth1? The treatment of the client side and origin server side interfaces is not symmetric.

Does the bridge work without ATS and the ebtables / iptables changes?


Re: transparent proxy document problems

Posted by 魏晋 <we...@gmail.com>.
Thanks for your reply.
Yes, I set up the policy routing according to the "Inline on Linux
bridge" document, but it did not work.  The way the "Inline on a Linux
router" document tells us did not work either. ATS just cannot
accept any request in transparent mode.


2010/12/29 Alan M. Carroll <am...@network-geographics.com>:
> Sorry for the delay, it's been very hectic here with other projects.
>
> Let me check on the -t mangle issue, that looks like a typo.
>
> Did you set up the policy routing? I don't see that mentioned here.
>
> Monday, December 27, 2010, 12:50:02 AM, you wrote:
>
>> Hi
>>     I built ATS for transparent proxying, and I configured the computer in
>> bridge mode according to the "Inline on Linux bridge" document.
>> However, the transparent proxy did not work; it did not even receive the
>> client request.
>
>>     the ats version: 2.1.4-unstable
>>     the os system: ubuntu-10.04(kernel: 2.6.32-27-generic)
>
>>     the record.config file
>>         ...
>>            proxy.config.http.server_port INT 8080
>>            proxy.config.http.server_port_attr STRING =
>>            proxy.config.reverse_proxy.enable INT 1
>>            proxy.config.url_remap.remap_required INT 0
>>            proxy.config.cluster.ethernet_interface STRING br0
>
>>     BTW: I added "-t mangle" in the two iptables commands, or they
>> would generate the error message
>>  "iptables: No chain/target/match by that name."  in my system.
>
>>     my system config
>
>>           brctl addbr br0 # create bridge device
>>           brctl stp br0 off # Disable spanning tree protocol
>>           brctl addif br0 eth0 # Add eth0 to bridge
>>           brctl addif br0 eth1 # Add eth1 to bridge
>
>>           ifconfig eth0 0 0.0.0.0 # Get rid of interface IP addresses
>>           ifconfig eth1 0 0.0.0.0 # ditto
>>           # Set the bridge IP address and enable it
>>           ifconfig br0 192.168.8.206 netmask 255.255.255.0 up
>>           route add default gw 192.168.8.1
>>           ebtables -t broute -F
>>            # inbound traffic
>>            ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
>>            -j redirect --redirect-target DROP
>>            # returning outbound traffic
>>            ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
>>            -j redirect --redirect-target DROP
>
>>            iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 \
>>            -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
>>            iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --sport 80 \
>>            -j MARK --set-mark 1/1
>
>

Re: transparent proxy document problems

Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Sorry for the delay, it's been very hectic here with other projects.

Let me check on the -t mangle issue, that looks like a typo.

Did you set up the policy routing? I don't see that mentioned here.

Monday, December 27, 2010, 12:50:02 AM, you wrote:

> Hi
>     I built ATS for transparent proxying, and I configured the computer in
> bridge mode according to the "Inline on Linux bridge" document.
> However, the transparent proxy did not work; it did not even receive the
> client request.

>     the ats version: 2.1.4-unstable
>     the os system: ubuntu-10.04(kernel: 2.6.32-27-generic)

>     the record.config file
>         ...
>            proxy.config.http.server_port INT 8080
>            proxy.config.http.server_port_attr STRING =
>            proxy.config.reverse_proxy.enable INT 1
>            proxy.config.url_remap.remap_required INT 0
>            proxy.config.cluster.ethernet_interface STRING br0

>     BTW: I added "-t mangle" in the two iptables commands, or they
> would generate the error message
>  "iptables: No chain/target/match by that name."  in my system.

>     my system config

>           brctl addbr br0 # create bridge device
>           brctl stp br0 off # Disable spanning tree protocol
>           brctl addif br0 eth0 # Add eth0 to bridge
>           brctl addif br0 eth1 # Add eth1 to bridge

>           ifconfig eth0 0 0.0.0.0 # Get rid of interface IP addresses
>           ifconfig eth1 0 0.0.0.0 # ditto
>           # Set the bridge IP address and enable it
>           ifconfig br0 192.168.8.206 netmask 255.255.255.0 up
>           route add default gw 192.168.8.1
>           ebtables -t broute -F
>            # inbound traffic
>            ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
>            -j redirect --redirect-target DROP
>            # returning outbound traffic
>            ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
>            -j redirect --redirect-target DROP

>            iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 \
>            -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
>            iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --sport 80 \
>            -j MARK --set-mark 1/1


Re: transparent proxy document problems

Posted by 魏晋 <we...@gmail.com>.
Yes, I've tried the standard forward way; ATS cannot receive
the request either. If not built for transparent, the forward way
works.

2010/12/27 ming.zym@gmail.com <mi...@gmail.com>:
> Have you tried the standard forward proxy setup?
> The common forwarding proxy should at least set:
>    * traffic_line -s proxy.config.reverse_proxy.enabled -v 0
>    * traffic_line -s proxy.config.url_remap.remap_required -v 0
> Have you changed proxy.config.url_remap.remap_required to '0'? The
> default is '1' for reverse proxy.
>
> I'd suggest you set up a standard proxy first. Turning on debug mode helps you
> with any question.
>
> thanks
>
> On Mon, 2010-12-27 at 14:50 +0800, 魏晋 wrote:
>> Hi
>>     I built ATS for transparent proxying, and I configured the computer in
>> bridge mode according to the "Inline on Linux bridge" document.
>> However, the transparent proxy did not work; it did not even receive the
>> client request.
>>
>>     the ats version: 2.1.4-unstable
>>     the os system: ubuntu-10.04(kernel: 2.6.32-27-generic)
>>
>>     the record.config file
>>         ...
>>            proxy.config.http.server_port INT 8080
>>            proxy.config.http.server_port_attr STRING =
>>            proxy.config.reverse_proxy.enable INT 1
>>            proxy.config.url_remap.remap_required INT 0
>>            proxy.config.cluster.ethernet_interface STRING br0
>>
>>     BTW: I added "-t mangle" in the two iptables commands, or they
>> would generate the error message
>>  "iptables: No chain/target/match by that name."  in my system.
>>
>>     my system config
>>
>>           brctl addbr br0 # create bridge device
>>           brctl stp br0 off # Disable spanning tree protocol
>>           brctl addif br0 eth0 # Add eth0 to bridge
>>           brctl addif br0 eth1 # Add eth1 to bridge
>>
>>           ifconfig eth0 0 0.0.0.0 # Get rid of interface IP addresses
>>           ifconfig eth1 0 0.0.0.0 # ditto
>>           # Set the bridge IP address and enable it
>>           ifconfig br0 192.168.8.206 netmask 255.255.255.0 up
>>           route add default gw 192.168.8.1
>>           ebtables -t broute -F
>>            # inbound traffic
>>            ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
>>            -j redirect --redirect-target DROP
>>            # returning outbound traffic
>>            ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
>>            -j redirect --redirect-target DROP
>>
>>            iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 \
>>            -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
>>            iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --sport 80 \
>>            -j MARK --set-mark 1/1
>
>
>

Re: transparent proxy document problems

Posted by "ming.zym@gmail.com" <mi...@gmail.com>.
Have you tried the standard forward proxy setup?
The common forwarding proxy should at least set:
    * traffic_line -s proxy.config.reverse_proxy.enabled -v 0
    * traffic_line -s proxy.config.url_remap.remap_required -v 0
Have you changed proxy.config.url_remap.remap_required to '0'? The
default is '1' for reverse proxy.

I'd suggest you set up a standard proxy first. Turning on debug mode helps you
with any question.

thanks

On Mon, 2010-12-27 at 14:50 +0800, 魏晋 wrote:
> Hi
>     I built ATS for transparent proxying, and I configured the computer in
> bridge mode according to the "Inline on Linux bridge" document.
> However, the transparent proxy did not work; it did not even receive the
> client request.
> 
>     the ats version: 2.1.4-unstable
>     the os system: ubuntu-10.04(kernel: 2.6.32-27-generic)
> 
>     the record.config file
>         ...
>            proxy.config.http.server_port INT 8080
>            proxy.config.http.server_port_attr STRING =
>            proxy.config.reverse_proxy.enable INT 1
>            proxy.config.url_remap.remap_required INT 0
>            proxy.config.cluster.ethernet_interface STRING br0
> 
>     BTW: I added "-t mangle" in the two iptables commands, or they
> would generate the error message
>  "iptables: No chain/target/match by that name."  in my system.
> 
>     my system config
> 
>           brctl addbr br0 # create bridge device
>           brctl stp br0 off # Disable spanning tree protocol
>           brctl addif br0 eth0 # Add eth0 to bridge
>           brctl addif br0 eth1 # Add eth1 to bridge
> 
>           ifconfig eth0 0 0.0.0.0 # Get rid of interface IP addresses
>           ifconfig eth1 0 0.0.0.0 # ditto
>           # Set the bridge IP address and enable it
>           ifconfig br0 192.168.8.206 netmask 255.255.255.0 up
>           route add default gw 192.168.8.1
>           ebtables -t broute -F
>            # inbound traffic
>            ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
>            -j redirect --redirect-target DROP
>            # returning outbound traffic
>            ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
>            -j redirect --redirect-target DROP
> 
>            iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 \
>            -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
>            iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --sport 80 \
>            -j MARK --set-mark 1/1