Squid does not work together with strongSwan.


Hello! Please help me solve a problem. I have a VPN server running CentOS 6. The squid, openvpn and pptp services are already up and working on it. Squid runs as a transparent proxy, and users who connect to the server go through it. Now I am trying to set up ipsec (strongswan), but a problem came up during configuration. If iptables has plain nat enabled, without redirecting port 80 to squid, sites open over both http and https, but if I redirect port 80, http does not work, only https does. I assume the problem is in squid, but I could not find it on my own, so I am asking for your help.

Linux vpn 2.6.32-504.8.1.el6.i686 #1 SMP Wed Jan 28 18:25:26 UTC 2015 i686 i686 i386 GNU/Linux

squid

Squid Cache: Version 3.4.10
configure options:  '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--target=i686-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--with-large-files' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--without-nettle' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'target_alias=i686-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -fPIC' 'PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience

iptables

-A PREROUTING -s 10.9.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m comment --comment "HTTP" -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m comment --comment "HTTPs" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -m comment --comment "OpenVPN" -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --dport 3128 -m comment --comment "Squid" -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 3128 -m comment --comment "Squid" -j ACCEPT
-A INPUT -i ipsec+ -p tcp -m tcp --dport 3128 -m comment --comment "Squid" -j ACCEPT
-A INPUT -i ppp+ -p tcp -m tcp --dport 3127 -m comment --comment "Squid-Transparent" -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 3127 -m comment --comment "Squid-Transparent" -j ACCEPT
-A INPUT -i ipsec+ -p tcp -m tcp --dport 3127 -m comment --comment "Squid-Transparent" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -m comment --comment "PPTP" -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -m comment --comment "OpenVPN" -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -m comment --comment "IPSec" -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -m comment --comment "IPSec" -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o ppp+ -j ACCEPT
-A FORWARD -i ppp+ -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 4500 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 32768:61000 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 32768:61000 -j ACCEPT

squid.conf

#----------------------------------------------------------------
acl localnet src 10.9.0.0/24
acl office_hours        time            00:00-24:00
#----------------------------------------------------------------
acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
#----------------------------------------------------------------
acl Safe_ports port 21          # ftp
acl Safe_ports port 25          # smtp
acl Safe_ports port 70          # gopher
acl Safe_ports port 80          # http
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 443         # https
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 631         # cups
acl Safe_ports port 777         # multiling http
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl Safe_ports port 1025-65535  # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT
#----------------------------------------------------------------
http_port 10.9.0.1:3127 intercept
http_port 10.9.0.1:3128
#----------------------------------------------------------------
always_direct allow all
#----------------------------------------------------------------
acl adblock url_regex "/etc/squid/adblock.acl"
acl adblock-android dstdomain "/etc/squid/adblock-android.conf"
#acl goodsites   dstdomain "/etc/squid/allowed-sites.conf"
#acl blockfiles  urlpath_regex "/etc/squid/blocks.files.acl"
#----------------------------------------------------------------
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow localnet Safe_ports
#----------------------------------------------------------------
#http_access deny  pptp badsites
#http_access allow pptp goodsites
#http_access deny  pptp
http_access allow localnet CONNECT
http_access deny  localnet adblock
http_access deny  localnet adblock-android
http_access allow localnet office_hours
#----------------------------------------------------------------
http_access deny all
icp_access allow localnet
icp_access deny all
#----------------------------------------------------------------
hierarchy_stoplist cgi-bin ?
#----------------------------------------------------------------
access_log stdio:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log stdio:/var/log/squid/store.log
pid_filename /var/run/squid.pid
debug_options ALL,1
#----------------------------------------------------------------
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Package(.gz)*)$        0       20%     2880
refresh_pattern .               0       20%     4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
acl apache rep_header Server ^Apache
#----------------------------------------------------------------
hosts_file /etc/hosts
coredump_dir /var/spool/squid
error_directory /usr/share/squid/errors/ru-ru
cache_dir ufs /var/spool/squid 100 16 256
shutdown_lifetime 5 seconds

ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=200s
    fragmentation=yes
    # left - local (server) side
    left=%any
    leftauth=pubkey
    leftcert=vpn.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # right - remote (client) side
    right=%any
    rightauth=pubkey
    rightsourceip=10.9.0.128/25
    rightdns=77.88.8.88,8.8.8.8

conn ikev2-pubkey
    keyexchange=ikev2
    auto=add

conn ikev1
    keyexchange=ikev1
    rightauth2=xauth
    auto=add

conn ikev2-eap-tls
    also="ikev2-pubkey"
    rightauth=eap-tls
    eap_identity=%identity
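An added consistency check, not part of the post above, for one property of the rules it shows: the iptables REDIRECT target rewrites the destination to the primary address of the interface a packet arrived on, so an http_port listener bound to a single address only receives redirected connections that arrive on the interface carrying that address. The REDIRECT rule and http_port lines are copied from the post; the SNAT address, the variant listener bound to all addresses, and the function names check, http_ports and redirect_ports are constructed here.

```python
import re

# Constructed sample input: the REDIRECT rule and intercept listener as posted
# above; the SNAT address is a documentation placeholder, not the real one.
IPTABLES_RULES = """
-A PREROUTING -s 10.9.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
"""
SQUID_CONF = """
http_port 10.9.0.1:3127 intercept
http_port 10.9.0.1:3128
"""
# Constructed variant: the intercept listener bound to all local addresses.
SQUID_CONF_ANY = """
http_port 3127 intercept
http_port 10.9.0.1:3128
"""

def redirect_ports(rules):
    """Ports that REDIRECT rules send intercepted TCP connections to."""
    return {int(p) for p in re.findall(r"-j REDIRECT --to-ports (\d+)", rules)}

def http_ports(conf):
    """Parse http_port lines into (bind address or None, port, option set)."""
    out = []
    for line in conf.splitlines():
        m = re.match(r"\s*http_port\s+(?:(\S+):)?(\d+)\s*(.*)", line)
        if m:
            addr, port, opts = m.groups()
            out.append((addr, int(port), set(opts.split())))
    return out

def check(rules, conf):
    """Return findings where a REDIRECT target has no listener that can take it."""
    findings = []
    listeners = {port: (addr, opts) for addr, port, opts in http_ports(conf)}
    for port in sorted(redirect_ports(rules)):
        if port not in listeners:
            findings.append(f"port {port}: REDIRECT target but no http_port")
            continue
        addr, opts = listeners[port]
        if not opts & {"intercept", "transparent"}:
            findings.append(f"port {port}: http_port lacks the intercept option")
        if addr not in (None, "0.0.0.0", "[::]"):
            # REDIRECT sets the destination to the ingress interface's primary
            # address; packets from interfaces with another primary address are
            # redirected to an address Squid is not listening on.
            findings.append(f"port {port}: bound to {addr} only; redirected "
                            "packets arriving on other interfaces will not reach it")
    return findings

if __name__ == "__main__":
    for name, conf in (("as posted", SQUID_CONF), ("bound to any", SQUID_CONF_ANY)):
        print(name, check(IPTABLES_RULES, conf) or ["ok"])
```

The same interface reasoning applies to the INPUT rules matched on -i ipsec+: such an interface only exists on IPsec stacks that expose one, and the native Linux (NETKEY) stack instead delivers decrypted packets on the physical interface they arrived on.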