Posted to users@trafficserver.apache.org by Saraswathi Venkataraman <sa...@Xoriant.Com> on 2012/05/22 14:59:04 UTC
Configuring traffic server on transparent proxy mode.
Hi,
I have three servers: an Apache webserver, a client server (VM) and the TS server with TS installed on it.
In order to set the TS on transparent proxy mode, I have disabled reverse_proxy mode and remap_required in the records.config file.
The client server is configured in such a way that packets traceroute to the webserver via the TS.
I have done the following iptables routing on the TS server.
# reflow client web traffic to TPROXY
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY \
--on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
# Let locally directed traffic pass through.
iptables -t mangle -A PREROUTING -i eth0 --source 10.60.96.254 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 --destination 10.60.96.254 -j ACCEPT
# Mark presumed return web traffic
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
This did not change anything. It routed through TS and gave me the response, but I could not find anything logged in the squid log, so I assumed it did not go through TS at all. When I forced the packets to be intercepted using
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.60.96.254:8080
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
this gets logged as a request in the SQUID logs, but as ERR_CONNECT_FAIL/502.
Can anyone help me with what I am doing wrong here?
Thanks & Regards
Saraswathi Venkataraman | Xoriant Solutions Pvt. Ltd.
Winchester, Hiranandani Business Park, Powai, Mumbai 400076, INDIA.
Tel: +91 22 30511000 | Ext: 1113 | http://www.xoriant.com
RE: Configuring traffic server on transparent proxy mode.
Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
Also, while I was experimenting with the iptables, I did a crazy thing. Being a newbie, I added some ip rules for the loopback policy mentioned in the inline routing and I wanted to flush them. I thought ip rule flush would not flush the default rules in the main routing table, but it did, and now I am unable to DHCP/SSH to it. Is there any way it can be restored again?
________________________________________
From: Alan M. Carroll [amc@network-geographics.com]
Sent: Wednesday, May 23, 2012 10:02 AM
To: Saraswathi Venkataraman
Subject: Re: Configuring traffic server on transparent proxy mode.
Yes, but either you've configured that twice, or there is another process already listening on that port. Did you try the netstat command to see?
Tuesday, May 22, 2012, 11:32:16 PM, you wrote:
> I have used 8080 as the main http port. in proxy.config.http.server_port in records.config
> ________________________________________
> From: Alan M. Carroll [amc@network-geographics.com]
> Sent: Wednesday, May 23, 2012 9:41 AM
> To: Saraswathi Venkataraman
> Subject: Re: Configuring traffic server on transparent proxy mode.
> Then you've either configured ATS to use port 8080 elsewhere in the configuration, or some other process is using that port (such as HTTPD). Use
> netstat --tcp --listen -n
> to see if there is something there.
> Tuesday, May 22, 2012, 10:52:36 PM, you wrote:
>> If I do this, it says already listening on port 8080 and does not start up the traffic server
>> ________________________________________
RE: Configuring traffic server on transparent proxy mode.
Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
I have not bound 8087 to anything. I set 8087 for both http.server_port and http.server_other_ports.
CONFIG proxy.config.http.server_port INT 8087
CONFIG proxy.config.http.server_port_attr STRING =
# to enable IPv6 listening on port 8080:
CONFIG proxy.config.http.server_other_ports STRING 8087:=
The netstat command gives:
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53496 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN
tcp 0 0 :::50638 :::* LISTEN
tcp 0 0 :::111 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:631 :::* LISTEN
tcp 0 0 ::1:25 :::* LISTEN
The system log gives the error as:
Feb 7 07:55:04 localhost traffic_manager[2420]: NOTE: --- Manager Starting ---
Feb 7 07:55:04 localhost traffic_manager[2420]: NOTE: Manager Version: Apache Traffic Server - traffic_manager - 3.0.4 - (build # 41113 on May 11 2012 at 13:11:27)
Feb 7 07:55:04 localhost traffic_manager[2420]: NOTE: RLIMIT_NOFILE(7):cur(30000),max(30000)
Feb 7 07:55:04 localhost traffic_manager[2420]: {3079169856} STATUS: opened /usr/local/var/log/trafficserver/manager.log
Feb 7 07:55:04 localhost traffic_manager[2420]: {3079169856} ERROR: [bindProxyPort] Unable to bind socket: 8087 : Address already in use
Feb 7 07:55:04 localhost traffic_manager[2420]: {3079169856} ERROR: (last system error 98: Address already in use)
Feb 7 07:55:04 localhost traffic_cop[2341]: cop received child status signal [2420 256]
Feb 7 07:55:04 localhost traffic_cop[2341]: traffic_manager not running, making sure traffic_server is dead
Feb 7 07:55:04 localhost traffic_cop[2341]: unable to start traffic_manager, retrying in 60 second(s)
RE: Configuring traffic server on transparent proxy mode.
Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
I have not bound 8087 to anything. I set 8087 for both http.server_port and http.server_other_ports.
CONFIG proxy.config.http.server_port INT 8087
CONFIG proxy.config.http.server_port_attr STRING =
# to enable IPv6 listening on port 8080:
CONFIG proxy.config.http.server_other_ports STRING 8087:=
The netstat command gives:
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53496 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5672 0.0.0.0:* LISTEN
tcp 0 0 :::50638 :::* LISTEN
tcp 0 0 :::111 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:631 :::* LISTEN
tcp 0 0 ::1:25 :::* LISTEN
The system log gives the error as:
Feb 7 07:55:04 localhost traffic_manager[2420]: NOTE: --- Manager Starting ---
Feb 7 07:55:04 localhost traffic_manager[2420]: NOTE: Manager Version: Apache Traffic Server - traffic_manager - 3.0.4 - (build # 41113 on May 11 2012 at 13:11:27)
Feb 7 07:55:04 localhost traffic_manager[2420]: NOTE: RLIMIT_NOFILE(7):cur(30000),max(30000)
Feb 7 07:55:04 localhost traffic_manager[2420]: {3079169856} STATUS: opened /usr/local/var/log/trafficserver/manager.log
Feb 7 07:55:04 localhost traffic_manager[2420]: {3079169856} ERROR: [bindProxyPort] Unable to bind socket: 8087 : Address already in use
Feb 7 07:55:04 localhost traffic_manager[2420]: {3079169856} ERROR: (last system error 98: Address already in use)
Feb 7 07:55:04 localhost traffic_cop[2341]: cop received child status signal [2420 256]
Feb 7 07:55:04 localhost traffic_cop[2341]: traffic_manager not running, making sure traffic_server is dead
Feb 7 07:55:04 localhost traffic_cop[2341]: unable to start traffic_manager, retrying in 60 second(s)
If I set http.server_port to 8080 and the other ports to 8087, then it starts up. Why?
RE: Configuring traffic server on transparent proxy mode.
Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
Now I have set http.server_port to 8087 to avoid the "already listening on port" error, and set http.server_other_ports to 8080:=. The port attr is =.
And netstat shows
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8083 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8084 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8087 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
And now I send the packets to TS. It still gives 502 Bad Gateway. I can see the packets coming in, and they are logged in squid.log, but it does not receive the response. Why? I am clueless. I would be grateful if you could help me on this.
Re: Configuring traffic server on transparent proxy mode.
Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Yes, but either you've configured that twice, or there is another process already listening on that port. Did you try the netstat command to see?
Tuesday, May 22, 2012, 11:32:16 PM, you wrote:
> I have used 8080 as the main http port. in proxy.config.http.server_port in records.config
> ________________________________________
> From: Alan M. Carroll [amc@network-geographics.com]
> Sent: Wednesday, May 23, 2012 9:41 AM
> To: Saraswathi Venkataraman
> Subject: Re: Configuring traffic server on transparent proxy mode.
> Then you've either configured ATS to use port 8080 elsewhere in the configuration, or some other process is using that port (such as HTTPD). Use
> netstat --tcp --listen -n
> to see if there is something there.
> Tuesday, May 22, 2012, 10:52:36 PM, you wrote:
>> If I do this, it says already listening on port 8080 and does not start up the traffic server
>> ________________________________________
RE: Configuring traffic server on transparent proxy mode.
Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
I have used 8080 as the main http port. in proxy.config.http.server_port in records.config
________________________________________
From: Alan M. Carroll [amc@network-geographics.com]
Sent: Wednesday, May 23, 2012 9:41 AM
To: Saraswathi Venkataraman
Subject: Re: Configuring traffic server on transparent proxy mode.
Then you've either configured ATS to use port 8080 elsewhere in the configuration, or some other process is using that port (such as HTTPD). Use
netstat --tcp --listen -n
to see if there is something there.
Tuesday, May 22, 2012, 10:52:36 PM, you wrote:
> If I do this, it says already listening on port 8080 and does not start up the traffic server
> ________________________________________
Re: Configuring traffic server on transparent proxy mode.
Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Then you've either configured ATS to use port 8080 elsewhere in the configuration, or some other process is using that port (such as HTTPD). Use
netstat --tcp --listen -n
to see if there is something there.
Tuesday, May 22, 2012, 10:52:36 PM, you wrote:
> If I do this, it says already listening on port 8080 and does not start up the traffic server
> ________________________________________
RE: Configuring traffic server on transparent proxy mode.
Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
If I do this, it says already listening on port 8080 and does not start up the traffic server.
________________________________________
From: Alan M. Carroll [amc@network-geographics.com]
Sent: Wednesday, May 23, 2012 6:10 AM
To: Saraswathi Venkataraman
Subject: Re: Configuring traffic server on transparent proxy mode.
Have you enabled transparency on the ATS port? E.g. to have full transparency on port 8080 you would need
CONFIG proxy.config.http.server_ports STRING 8080:tr-full
There are comments in records.config for this value with more information.
Tuesday, May 22, 2012, 7:59:04 AM, you wrote:
> In order to set the TS on transparent proxy mode, I have disabled reverse_proxy mode and remap_required on records.config file.
> The client server is configured in such a way that packets traceroute to the webserver via the TS.
RE: Configuring traffic server on transparent proxy mode.
Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
Sorry, I had also added
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
-----Original Message-----
From: Alan M. Carroll [mailto:amc@network-geographics.com]
Sent: Wednesday, May 23, 2012 8:55 PM
To: Saraswathi Venkataraman
Subject: Re: Configuring traffic server on transparent proxy mode.
The use of server_port and server_other_ports is deprecated. You should use server_ports only, with "8080:tr-full". However the change was made so that those options should still work, although they will be removed in a future release. You should not under any circumstances use both server_port & server_other_ports and server_ports, that can cause port conflicts.
You are marking packets and using routing table 100. Do you define rules for table 100? Also, it looks like your divert chain marks packets the same way as your --dport rule. But if it works, then it's correct.
Wednesday, May 23, 2012, 8:18:24 AM, you wrote:
> Finally resolved it this way: It got configured on tproxy mode
Re: Configuring traffic server on transparent proxy mode (Bridge Mode)
Posted by Alvin Alexander <al...@pesat.net.id>.
Mr. Alan,
I'm confused by your ebtables rules:
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
-j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
-j redirect --redirect-target DROP
While others use:
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
-j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
-j redirect --redirect-target ACCEPT
Regards,
Alvin
On 24/05/2012 6:51, Alan M. Carroll wrote:
> I would use just server_ports for all port description information. It was put in to do precisely that.
>
> For iptables, a "--set-mark 0x1/0x1 -j ACCEPT" is effectively the same as your DIVERT chain.
>
> I don't use the "-m socket" because once a stream is established normal routing will handle it. My iptables basically has two rules, one for --sport and one for --dport.
>
> Thursday, May 24, 2012, 1:13:20 AM, you wrote:
>
>> Thanks Alan.
>> Are there any alternative ways to implement it without redundancy, so that I can compare and see what can be removed? How do you suggest I implement it?
>
>> -----Original Message-----
>> From: Alan M. Carroll [mailto:amc@network-geographics.com]
>> Sent: Wednesday, May 23, 2012 8:55 PM
>> To: Saraswathi Venkataraman
>> Subject: Re: Configuring traffic server on transparent proxy mode.
>> The use of server_port and server_other_ports is deprecated. You should use server_ports only, with "8080:tr-full". However the change was made so that those options should still work, although they will be removed in a future release. You should not under any circumstances use both server_port & server_other_ports and server_ports, that can cause port conflicts.
>> You are marking packets and using routing table 100. Do you define rules for table 100? Also, it looks like your divert chain marks packets the same way as your --dport rule. But if it works, then it's correct.
>> Wednesday, May 23, 2012, 8:18:24 AM, you wrote:
>>> Finally resolved it this way: It got configured on tproxy mode
Re: Configuring traffic server on transparent proxy mode.
Posted by "Alan M. Carroll" <am...@network-geographics.com>.
The iptables rules must be interface specific. The dpt:80 rule must apply only to packets arriving on the client side interface, and the spt:80 must apply only to packets arriving on the origin side interface.
Thursday, June 7, 2012, 10:14:13 AM, you wrote:
> I flushed the iptables. This is what I have added to my iptables. I have the eth1 interface of TS1 to the client and eth2 to the webserver routed as default gateway.
> Table: mangle
> Chain PREROUTING (policy ACCEPT)
> num target prot opt source destination
> 1 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 MARK or 0x1
> 2 TPROXY tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1
RE: Configuring traffic server on transparent proxy mode.
Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
I flushed the iptables. This is what I have added to my iptables. I have the eth1 interface of TS1 to the client and eth2 to the webserver routed as default gateway.
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 MARK or 0x1
2 TPROXY tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
------------------------------
This is the result of ip rule list
0: from all lookup local
32765: from all fwmark 0x1/0x1 lookup 1
32766: from all lookup main
32767: from all lookup default
ip route show table 1
local default dev lo scope host
What else must I do? The packets are coming in, getting routed directly to the webserver and getting the response. They are not going through trafficserver at all. Am I missing some iptables routing?
-----Original Message-----
From: Saraswathi Venkataraman [mailto:saraswathi.venkataraman@Xoriant.Com]
Sent: Thursday, June 07, 2012 8:03 PM
To: users@trafficserver.apache.org
Subject: RE: Configuring traffic server on transparent proxy mode.
The packets are still not getting forwarded to the ATS port. It directly gets the response from the server now. Somehow the packets are not getting intercepted to ATS. I have the same ip rules, routes and iptables as below. Is there anything I am missing?
-----Original Message-----
From: Alan M. Carroll [mailto:amc@network-geographics.com]
Sent: Thursday, June 07, 2012 8:31 AM
To: users@trafficserver.apache.org
Subject: Re: Configuring traffic server on transparent proxy mode.
Could you provide some information about what the end result you are looking for? E.g. where are the clients, where are the origin servers / internet, which network paths should be transparent?
Unfortunately I am on vacation this week and so will not be particularly responsive.
My first comment would be that I have had not much success with using "socket" in my iptables rules. I think --sport 80 is better. One problem is that SYN/ACK may not be considered on a socket because it has not yet been established.
You seem to have a lot of rules in your ip rule list - why check for all the interfaces if you are also just checking on the firewall mark?
Tuesday, June 5, 2012, 10:46:25 AM, you wrote:
> This is the ifconfig for our machine. We are trying to configure tproxy again on our machine.
RE: Configuring traffic server on transparent proxy mode.
Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
The packets are still not getting forwarded to the ATS port. It directly gets the response from the server now. Somehow the packets are not getting intercepted to ATS. I have the same ip rules, routes and iptables as below. Is there anything I am missing?
RE: Configuring traffic server on transparent proxy mode.
Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
Thanks for your prompt reply. It was actually a firewall issue. The TS server was not configured to accept packets on port 80. Once I removed the firewall settings, it started to work.
And as you mentioned, I don't think we would require that many rules in the ip rule list. I removed the unnecessary ones.
Re: Configuring traffic server on transparent proxy mode.
Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Could you provide some information about what the end result you are looking for? E.g. where are the clients, where are the origin servers / internet, which network paths should be transparent?
Unfortunately I am on vacation this week and so will not be particularly responsive.
My first comment would be that I have had not much success with using "socket" in my iptables rules. I think --sport 80 is better. One problem is that SYN/ACK may not be considered on a socket because it has not yet been established.
You seem to have a lot of rules in your ip rule list - why check for all the interfaces if you are also just checking on the firewall mark?
Tuesday, June 5, 2012, 10:46:25 AM, you wrote:
> This is the ifconfig for our machine. We are trying to configure tproxy again on our machine.
RE: Configuring traffic server on transparent proxy mode.
Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
This is the ifconfig for our machine. We are trying to configure tproxy again on our machine.
eth0 Link encap:Ethernet HWaddr 2C:76:8A:53:C8:DC
inet addr:192.168.115.100 Bcast:192.168.115.255 Mask:255.255.255.0
inet6 addr: fe80::2e76:8aff:fe53:c8dc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:16125 errors:0 dropped:0 overruns:0 frame:0
TX packets:7367 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1700374 (1.6 MiB) TX bytes:4829093 (4.6 MiB)
Interrupt:32
eth1 Link encap:Ethernet HWaddr 2C:76:8A:53:C8:DD
inet6 addr: fe80::2e76:8aff:fe53:c8dd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2280896 errors:0 dropped:0 overruns:0 frame:0
TX packets:12838 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:187005928 (178.3 MiB) TX bytes:1389503 (1.3 MiB)
Interrupt:36
eth1.796 Link encap:Ethernet HWaddr 2C:76:8A:53:C8:DD
inet addr:10.60.255.254 Bcast:10.60.255.255 Mask:255.255.0.0
inet6 addr: fe80::2e76:8aff:fe53:c8dd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2271924 errors:0 dropped:0 overruns:0 frame:0
TX packets:12808 errors:0 dropped:6 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:136291894 (129.9 MiB) TX bytes:1278148 (1.2 MiB)
eth1.798 Link encap:Ethernet HWaddr 2C:76:8A:53:C8:DD
inet addr:10.61.255.254 Bcast:10.61.255.255 Mask:255.255.0.0
inet6 addr: fe80::2e76:8aff:fe53:c8dd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:275 errors:0 dropped:0 overruns:0 frame:0
TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14906 (14.5 KiB) TX bytes:2493 (2.4 KiB)
eth2 Link encap:Ethernet HWaddr 2C:76:8A:53:C8:DE
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:32
eth3 Link encap:Ethernet HWaddr 2C:76:8A:53:C8:DF
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:36
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:49707 errors:0 dropped:0 overruns:0 frame:0
TX packets:49707 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11216523 (10.6 MiB) TX bytes:11216523 (10.6 MiB)
Output of ip rule list is:
0: from all lookup local
32756: from all fwmark 0x1 lookup 100
32757: from all fwmark 0x1 iif eth2 lookup 100
32758: from all fwmark 0x1/0x1 lookup 1
32759: from all fwmark 0x1 lookup 1
32760: from all fwmark 0x1 iif eth3 lookup 100
32764: from all fwmark 0x1 iif eth0 lookup 100
32765: from all fwmark 0x1 iif eth1 lookup 100
32766: from all lookup main
32767: from all lookup default
And iptables -t mangle --list is:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DIVERT tcp -- anywhere anywhere socket
TPROXY tcp -- anywhere anywhere tcp dpt:http TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain DIVERT (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
ACCEPT all -- anywhere anywhere
Is there anything wrong with this?
-----Original Message-----
From: Alan M. Carroll [mailto:amc@network-geographics.com]
Sent: Thursday, May 24, 2012 6:59 PM
To: Saraswathi Venkataraman
Subject: Re: Configuring traffic server on transparent proxy mode.
That's all I have in my iptables on my test box and it works in forward transparent mode.
Thursday, May 24, 2012, 7:00:16 AM, you wrote:
> What exactly should I follow?
> Just these two will do?
> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY \
> --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
Re: Configuring traffic server on transparent proxy mode.
Posted by "Alan M. Carroll" <am...@network-geographics.com>.
That's all I have in my iptables on my test box and it works in forward transparent mode.
Thursday, May 24, 2012, 7:00:16 AM, you wrote:
> What exactly should I follow?
> Just these two will do?
> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY \
> --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
> iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
RE: Configuring traffic server on transparent proxy mode.
Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
What exactly should I follow?
Just these two will do?
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY \
--on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
Thanks & Regards
Saraswathi Venkataraman | Xoriant Solutions Pvt. Ltd.
-----Original Message-----
From: Alan M. Carroll [mailto:amc@network-geographics.com]
Sent: Thursday, May 24, 2012 5:22 PM
To: Saraswathi Venkataraman
Subject: Re: Configuring traffic server on transparent proxy mode.
I would use just server_ports for all port description information. It was put in to do precisely that.
For iptables, a "--set-mark 0x1/0x1 -j ACCEPT" is effectively the same as your DIVERT chain.
I don't use the "-m socket" because once a stream is established normal routing will handle it. My iptables basically has two rules, one for --sport and one for --dport.
Thursday, May 24, 2012, 1:13:20 AM, you wrote:
> Thanks Alan.
> Are there any alternative ways to implement it without redundancy so that I can compare and see what can be removed? How do you suggest I implement it?
> Thanks & Regards
> Saraswathi Venkataraman | Xoriant Solutions Pvt. Ltd.
> -----Original Message-----
> From: Alan M. Carroll [mailto:amc@network-geographics.com]
> Sent: Wednesday, May 23, 2012 8:55 PM
> To: Saraswathi Venkataraman
> Subject: Re: Configuring traffic server on transparent proxy mode.
> The use of server_port and server_other_ports is deprecated. You should use server_ports only, with "8080:tr-full". However the change was made so that those options should still work, although they will be removed in a future release. You should not under any circumstances use both server_port&server_other_ports and server_ports, that can cause port conflicts.
> You are marking packets and using routing table 100. Do you define rules for table 100? Also, it looks like your divert chain marks packets the same way as your --dport rule. But if it works, then it's correct.
> Wednesday, May 23, 2012, 8:18:24 AM, you wrote:
>> Finally resolved it this way: It got configured on tproxy mode
Re: Configuring traffic server on transparent proxy mode (Bridge Mode)
Posted by "Alan M. Carroll" <am...@network-geographics.com>.
My ebtables expert says DROP breaks the packet out of bridge mode so it can be normally routed and processed by iptables. ACCEPT sends the packet on through the bridge, which is not useful for ATS.
Thursday, May 24, 2012, 8:02:18 AM, you wrote:
> Mr. Alan,
> I'm confused with your ebtables rules :
> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
> -j redirect --redirect-target DROP
> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
> -j redirect --redirect-target DROP
> While others use :
> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
> -j redirect --redirect-target ACCEPT
> ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
> -j redirect --redirect-target ACCEPT
> Please advise.
Re: Configuring traffic server on transparent proxy mode (Bridge Mode)
Posted by Alvin Alexander <al...@pesat.net.id>.
Mr. Alan,
I'm confused with your ebtables rules :
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
-j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
-j redirect --redirect-target DROP
While others use :
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
-j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
-j redirect --redirect-target ACCEPT
Please advise.
Regards,
Alvin
On 24/05/2012 6:51, Alan M. Carroll wrote:
> I would use just server_ports for all port description information. It was put in to do precisely that.
> For iptables, a "--set-mark 0x1/0x1 -j ACCEPT" is effectively the same as your DIVERT chain.
> I don't use the "-m socket" because once a stream is established normal routing will handle it. My iptables basically has two rules, one for --sport and one for --dport.
> Thursday, May 24, 2012, 1:13:20 AM, you wrote:
>> Thanks Alan.
>> Are there any alternative ways to implement it without redundancy so that I can compare and see what can be removed? How do you suggest I implement it?
>> Thanks & Regards
>> Saraswathi Venkataraman | Xoriant Solutions Pvt. Ltd.
>> -----Original Message-----
>> From: Alan M. Carroll [mailto:amc@network-geographics.com]
>> Sent: Wednesday, May 23, 2012 8:55 PM
>> To: Saraswathi Venkataraman
>> Subject: Re: Configuring traffic server on transparent proxy mode.
>> The use of server_port and server_other_ports is deprecated. You should use server_ports only, with "8080:tr-full". However the change was made so that those options should still work, although they will be removed in a future release. You should not under any circumstances use both server_port&server_other_ports and server_ports, that can cause port conflicts.
>> You are marking packets and using routing table 100. Do you define rules for table 100? Also, it looks like your divert chain marks packets the same way as your --dport rule. But if it works, then it's correct.
>> Wednesday, May 23, 2012, 8:18:24 AM, you wrote:
>>> Finally resolved it this way: It got configured on tproxy mode
Re: Configuring traffic server on transparent proxy mode.
Posted by "Alan M. Carroll" <am...@network-geographics.com>.
I would use just server_ports for all port description information. It was put in to do precisely that.
For iptables, a "--set-mark 0x1/0x1 -j ACCEPT" is effectively the same as your DIVERT chain.
I don't use the "-m socket" because once a stream is established normal routing will handle it. My iptables basically has two rules, one for --sport and one for --dport.
Thursday, May 24, 2012, 1:13:20 AM, you wrote:
> Thanks Alan.
> Are there any alternative ways to implement it without redundancy so that I can compare and see what can be removed? How do you suggest I implement it?
> Thanks & Regards
> Saraswathi Venkataraman | Xoriant Solutions Pvt. Ltd.
> -----Original Message-----
> From: Alan M. Carroll [mailto:amc@network-geographics.com]
> Sent: Wednesday, May 23, 2012 8:55 PM
> To: Saraswathi Venkataraman
> Subject: Re: Configuring traffic server on transparent proxy mode.
> The use of server_port and server_other_ports is deprecated. You should use server_ports only, with "8080:tr-full". However the change was made so that those options should still work, although they will be removed in a future release. You should not under any circumstances use both server_port&server_other_ports and server_ports, that can cause port conflicts.
> You are marking packets and using routing table 100. Do you define rules for table 100? Also, it looks like your divert chain marks packets the same way as your --dport rule. But if it works, then it's correct.
> Wednesday, May 23, 2012, 8:18:24 AM, you wrote:
>> Finally resolved it this way: It got configured on tproxy mode
RE: Configuring traffic server on transparent proxy mode.
Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
Thanks Alan.
Are there any alternative ways to implement it without redundancy so that I can compare and see what can be removed? How do you suggest I implement it?
Thanks & Regards
Saraswathi Venkataraman | Xoriant Solutions Pvt. Ltd.
-----Original Message-----
From: Alan M. Carroll [mailto:amc@network-geographics.com]
Sent: Wednesday, May 23, 2012 8:55 PM
To: Saraswathi Venkataraman
Subject: Re: Configuring traffic server on transparent proxy mode.
The use of server_port and server_other_ports is deprecated. You should use server_ports only, with "8080:tr-full". However the change was made so that those options should still work, although they will be removed in a future release. You should not under any circumstances use both server_port&server_other_ports and server_ports, that can cause port conflicts.
You are marking packets and using routing table 100. Do you define rules for table 100? Also, it looks like your divert chain marks packets the same way as your --dport rule. But if it works, then it's correct.
Wednesday, May 23, 2012, 8:18:24 AM, you wrote:
> Finally resolved it this way: It got configured on tproxy mode
Re: Configuring traffic server on transparent proxy mode.
Posted by "Alan M. Carroll" <am...@network-geographics.com>.
The use of server_port and server_other_ports is deprecated. You should use server_ports only, with "8080:tr-full". However the change was made so that those options should still work, although they will be removed in a future release. You should not under any circumstances use both server_port&server_other_ports and server_ports, that can cause port conflicts.
You are marking packets and using routing table 100. Do you define rules for table 100? Also, it looks like your divert chain marks packets the same way as your --dport rule. But if it works, then it's correct.
Wednesday, May 23, 2012, 8:18:24 AM, you wrote:
> Finally resolved it this way: It got configured on tproxy mode
RE: Configuring traffic server on transparent proxy mode.
Posted by Saraswathi Venkataraman <sa...@Xoriant.Com>.
Finally resolved it this way: It got configured on tproxy mode
1. Set in the records.config file: proxy.config.http.server_port to 8080, proxy.config.http.server_port_attr to = (full transparent mode), and disable proxy.config.url_remap.remap_required (INT, set to 0). Do not set proxy.config.http.server_other_ports.
2. ip rule add dev eth0 fwmark 1 lookup 100 (for all eth interfaces: eth0, eth1 and eth2)
3. After taking backup:
a. echo 1 > /proc/sys/net/ipv4/ip_forward
b. echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
c. echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
d. echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
4. Setup a chain DIVERT to mark packets
a. iptables -t mangle -N DIVERT
b. iptables -t mangle -A DIVERT -j MARK --set-mark 1
c. iptables -t mangle -A DIVERT -j ACCEPT
5. Use DIVERT to prevent existing connections going through TPROXY twice:
a. iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
6. Mark all other (new) packets and use TPROXY to pass into TrafficServer:
a. iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080
Does this sound correct?
Thanks & Regards
Saraswathi Venkataraman | Xoriant Solutions Pvt. Ltd.
-----Original Message-----
From: Alan M. Carroll [mailto:amc@network-geographics.com]
Sent: Wednesday, May 23, 2012 6:11 AM
To: Saraswathi Venkataraman
Subject: Re: Configuring traffic server on transparent proxy mode.
Have you enabled transparency on the ATS port? E.g. to have full transparency on port 8080 you would need
CONFIG proxy.config.http.server_ports STRING 8080:tr-full
There are comments in records.config for this value with more information.
Tuesday, May 22, 2012, 7:59:04 AM, you wrote:
> In order to set the TS on transparent proxy mode, I have disabled reverse_proxy mode and remap_required on records.config file.
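The steps in the post above, Alan's two-rule layout (one --dport rule into TPROXY, one --sport rule marking origin replies, no -m socket chain) and the bridge-mode ebtables question from the other sub-thread are pulled together in the following script. It is an added example written for this page, not code from the thread or from the Apache Traffic Server project. It assumes eth1 faces the clients, eth0 faces the origins, ATS listens on 8080 declared as "8080:tr-full", and marked packets use routing table 100 (all overridable through the environment). One line here is not in the thread at all: the "ip route add local 0.0.0.0/0 dev lo table 100" route. Alan asks whether table 100 has any rules defined; without that single local route the ip rule for fwmark 1 selects an empty table, the packets fall through to the main table and are forwarded instead of delivered to the TPROXY socket, which matches the original symptom of traffic passing the box without anything appearing in the squid log. DRY_RUN=1 prints the commands instead of running them, and check_tproxy_state verifies captured command output offline, using constructed sample captures shaped like the output pasted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the ATS project): the Linux plumbing for
# an ATS port declared as "8080:tr-full", following the two-rule layout Alan
# describes, plus the policy route for table 100 and, optionally, the ebtables
# broute rules for bridge mode. Interface names, port and table number are
# hypothetical defaults; override them through the environment.
LAN_IF=${LAN_IF:-eth1}      # faces the clients
WAN_IF=${WAN_IF:-eth0}      # faces the origin servers
ATS_PORT=${ATS_PORT:-8080}  # the port in proxy.config.http.server_ports
TABLE=${TABLE:-100}         # policy routing table for marked packets
MARK=1                      # fwmark shared by TPROXY and the return-traffic rule

# Execute a command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

tproxy_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Loose reverse-path filtering, as in the working setup in the thread;
    # strict mode can discard the asymmetric flows a transparent proxy creates.
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=0"
    run sysctl -w "net.ipv4.conf.$WAN_IF.rp_filter=0"
    # Marked packets are routed through TABLE, which must deliver everything to
    # the local stack; without this "local" route they fall through to the main
    # table, get forwarded, and never reach the TPROXY socket (ATS logs nothing).
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
    # Rule 1: client traffic for port 80 is handed to the ATS socket on ATS_PORT.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp -m tcp --dport 80 \
        -j TPROXY --on-ip 0.0.0.0 --on-port "$ATS_PORT" --tproxy-mark "$MARK/$MARK"
    # Rule 2: with tr-full ATS connects to the origin using the client's address,
    # so the origin's replies arrive addressed to the client and must be marked
    # to hit TABLE instead of being forwarded back to the LAN.
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -p tcp -m tcp --sport 80 \
        -j MARK --set-mark "$MARK/$MARK"
    if [ "${BRIDGE:-0}" = 1 ]; then
        # Bridge mode: a DROP redirect target takes the frame out of the bridge
        # path and into IP routing, where the mangle rules above see it; ACCEPT
        # would let the bridge forward it untouched.
        run ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
            -j redirect --redirect-target DROP
        run ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 \
            -j redirect --redirect-target DROP
    fi
}

# Offline sanity check of a box's state. Arguments are the text of
# "ip rule list", "ip route list table $TABLE" and "iptables -t mangle -S PREROUTING".
check_tproxy_state() {
    rules=$1; routes=$2; mangle=$3; bad=0
    printf '%s\n' "$rules" | grep -q "fwmark 0x$MARK lookup $TABLE" \
        || { echo "missing: ip rule fwmark $MARK -> table $TABLE"; bad=1; }
    printf '%s\n' "$routes" | grep -q '^local default dev lo' \
        || { echo "missing: 'local default dev lo' route in table $TABLE (marked packets get forwarded, not delivered)"; bad=1; }
    printf '%s\n' "$mangle" | grep -q -- '--dport 80 -j TPROXY' \
        || { echo "missing: TPROXY rule for dport 80"; bad=1; }
    printf '%s\n' "$mangle" | grep -q -- '--sport 80 -j MARK' \
        || { echo "missing: MARK rule for return traffic (sport 80)"; bad=1; }
    return $bad
}

# Constructed sample captures, shaped like the outputs pasted in the thread,
# so check_tproxy_state can be exercised without root.
SAMPLE_RULES_OK='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTE_OK='local default dev lo scope host'
SAMPLE_MANGLE_OK='-P PREROUTING ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1'

case "${1:-}" in
    apply)     tproxy_rules ;;
    check)     check_tproxy_state "$(ip rule list)" "$(ip route list table "$TABLE")" \
                                  "$(iptables -t mangle -S PREROUTING)" ;;
    selfcheck) check_tproxy_state "$SAMPLE_RULES_OK" "$SAMPLE_ROUTE_OK" "$SAMPLE_MANGLE_OK" \
                   && echo "sample state OK" ;;
esac
```

Run it as "DRY_RUN=1 sh tproxy.sh apply" to review the commands, "sh tproxy.sh apply" as root to install them, and "sh tproxy.sh check" afterwards to confirm the rule, the local route and both mangle rules are in place. The rules are appended with -A and are not idempotent; flush the mangle PREROUTING chain and delete the ip rule before re-running, and note that "ip rule flush" also removes the default local/main/default rules, which is what locked the original poster out of the box.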
Re: Configuring traffic server on transparent proxy mode.
Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Have you enabled transparency on the ATS port? E.g. to have full transparency on port 8080 you would need
CONFIG proxy.config.http.server_ports STRING 8080:tr-full
There are comments in records.config for this value with more information.
Tuesday, May 22, 2012, 7:59:04 AM, you wrote:
> In order to set the TS on transparent proxy mode, I have disabled reverse_proxy mode and remap_required on records.config file.
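Alan's advice here and in his later reply (use only server_ports with "8080:tr-full", never together with the deprecated server_port / server_other_ports / server_port_attr records, because that can cause port conflicts) is easy to check mechanically before restarting ATS. The following lint is an added example written for this page, not a tool from the Traffic Server project; it reads a records.config path, reports the mixed-record conflict, a server_ports entry with no tr-* attribute, and a remap_required that is still 1, and returns the number of issues found. The tr-in and tr-out attribute names it mentions are the inbound- and outbound-only variants of tr-full; only tr-full appears in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the ATS project): lint an ATS
# records.config for the port/transparency mistakes discussed above.
# Usage: lint_records_config /path/to/records.config ; exit status = issue count.

# Print the value of one CONFIG record (fields 4..NF, so multi-port strings survive).
record_value() {  # $1 = record name, $2 = records.config path
    awk -v k="$1" '$1 == "CONFIG" && $2 == k {
        for (i = 4; i <= NF; i++) printf "%s%s", (i > 4 ? " " : ""), $i; print "" }' "$2"
}

lint_records_config() {
    file=$1; issues=0
    ports=$(record_value proxy.config.http.server_ports "$file")
    legacy=$(record_value proxy.config.http.server_port "$file")
    legacy="$legacy$(record_value proxy.config.http.server_other_ports "$file")"
    legacy="$legacy$(record_value proxy.config.http.server_port_attr "$file")"
    remap=$(record_value proxy.config.url_remap.remap_required "$file")

    # Mixing the deprecated server_port/server_other_ports/server_port_attr with
    # server_ports can make ATS try to open the same port twice.
    if [ -n "$ports" ] && [ -n "$legacy" ]; then
        echo "ERROR: server_ports and deprecated server_port/server_other_ports/server_port_attr are both set; keep only server_ports"
        issues=$((issues + 1))
    fi
    if [ -n "$ports" ]; then
        # A port with no tr-* attribute (tr-full, tr-in, tr-out) is a plain forward proxy port.
        case "$ports" in
            *tr-*) ;;
            *) echo "WARN: server_ports '$ports' has no tr-full/tr-in/tr-out attribute: nothing is transparent"
               issues=$((issues + 1)) ;;
        esac
    elif [ -z "$legacy" ]; then
        echo "ERROR: no proxy port configured at all"
        issues=$((issues + 1))
    fi
    if [ "$remap" = 1 ]; then
        echo "WARN: remap_required=1: transparent requests that match no remap.config rule are rejected"
        issues=$((issues + 1))
    fi
    return $issues
}

if [ -n "${1:-}" ]; then lint_records_config "$1"; fi
```

A typical run is "sh lint-records.sh /usr/local/etc/trafficserver/records.config"; a zero exit status means none of the three problems was found, which is a useful gate in the restart script for a transparent ATS box.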