Hi All,

We are using a transparent proxy on our LAN. The redirection is handled by the firewall which is running Shorewall-Perl 4.0.4-1. The method for achieving this is exactly as laid out in the Shorewall docs: http://www.shorewall.net/Shorewall_Squid_Usage.html

Now for the strange part. Some of our users, all Mac OSX 10.5.1, get their routing tables hosed when using transparent proxy. The sequence goes like this:

1. Open a URL in a DMZ eg, https://mail.lan.domain.com/ This will work and display our webmail interface.
2. Now open the same URL without the SSL (ie, http://mail.lan...) This time the transparent proxy rule is invoked, and the client receives an ICMP-redirect to use the proxy. Unfortunately this rewrites the route for the internal mail server with the proxy as the gateway!

If you swap the sequence, the SSL site will fail as the route has already been rewritten by accessing over port 80 and the proxy won't transparently handle SSL traffic (nor should it!).

Here's an example before the ICMP-redirect:

iceman:~ james$ sudo route get mail
   route to: mail
destination: default
       mask: default
    gateway: firewall
  interface: en1
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0

Here's what the route monitor has to say:

got message of size 140 on Mon Dec  3 14:22:55 2007
RTM_REDIRECT: Told to use different route: len 140, pid: 0, seq 0, errno 0, flags:<GATEWAY,HOST,MODIFIED,DONE>
locks:  inits:
sockaddrs: <DST,GATEWAY,AUTHOR>
 mail proxy1 firewall

And after this ICMP-redirect the route looks like this:

iceman:~ james$ sudo route get mail
Password:
   route to: mail
destination: mail
    gateway: proxy1
  interface: en1
      flags: <UP,GATEWAY,HOST,MODIFIED,DONE,WASCLONED,PROTO3>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500       571

Obviously there is the option to tell browsers to use the proxy manually, and that will avoid the problem. However, that is a work-around, not a solution in our situation.

So my question to the list is whether or not there is a better way to do this (WCCP with Shorewall and Squid maybe)? Using ICMP-redirect with OSX clients breaks routing to our DMZs (we have two).

Thanks in advance,

James
-- 
A motion to adjourn is always in order.

-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper from Novell. From the desktop to the data center, Linux is going mainstream. Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
You are beginning to discover just how bizarre and broken the idea of a 'transparent' http proxy really is. It's not actually possible to have a truly transparent one that isn't somehow broken (although it is sometimes possible to have one that is broken only in ways you don't care about, and there's insufficient information to determine whether this applies in your case). However...

On Mon, Dec 03, 2007 at 02:31:28PM +1100, James Gray wrote:
> Obviously there is the option to tell browsers to use the proxy
> manually, and that will avoid the problem. However, that is a
> work-around, not a solution in our situation.
>
> So my question to the list is whether or not there is a better way
> to do this (WCCP with Shorewall and Squid maybe)?

Deploy WPAD, via both DHCP and DNS (because Firefox and IE cannot agree on how to handle it), to automatically deliver the explicit proxy configuration to the browsers. Firefox users may have to enable "auto-detect proxy settings for this network" in their preferences; defaults vary. IE always has it enabled by default. I don't know the macosx defaults offhand.

Basically it consists of a well-known DNS name and a DHCP option that both point to a pac file on a local http server. The rest proceeds as if you'd fed that pac file to the browser directly. It's not strictly transparent, but it is zero-configuration on the client, which is the usual objective.
James Gray wrote:
>
> So my question to the list is whether or not there is a better way to do this
> (WCCP with Shorewall and Squid maybe)? Using ICMP-redirect with OSX clients
> breaks routing to our DMZs (we have two).
>

Then turn off ICMP redirects. In /etc/shorewall/init:

echo 0 > /proc/sys/net/ipv4/conf/<internal-if>/send_redirects

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
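An added example, not part of the thread and not Shorewall's own code, showing the send_redirects change above as a small POSIX shell fragment suitable for /etc/shorewall/init. One detail worth knowing from the kernel's ip-sysctl documentation: for send_redirects the kernel ORs conf/all/send_redirects with the per-interface entry, so an interface stops sending redirects only when both are 0; clearing only the interface entry leaves redirects on if "all" is still 1. The functions therefore clear both, and a helper reports the effective value the way the kernel evaluates it. The second argument (the sysctl base directory) is an assumed parameter added so the functions can be exercised against a scratch directory; it defaults to the real /proc tree. The interface name is supplied by the caller in place of the `<internal-if>` placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): stop the firewall from sending ICMP
# redirects on the internal interface, so the DNAT-to-Squid rule no longer
# causes LAN clients to rewrite their host routes with proxy1 as gateway.
#
# The kernel treats send_redirects as enabled when EITHER
# conf/all/send_redirects OR conf/<if>/send_redirects is 1, so both must be 0.

# disable_send_redirects <interface> [sysctl-root]
# sysctl-root is an assumed parameter for testing; default is the live /proc tree.
disable_send_redirects() {
    _if="$1"
    _root="${2:-/proc/sys/net/ipv4/conf}"
    for _d in all "$_if"; do
        _f="$_root/$_d/send_redirects"
        if [ ! -w "$_f" ]; then
            echo "cannot write $_f (missing interface or not root?)" >&2
            return 1
        fi
        echo 0 > "$_f"
    done
    return 0
}

# effective_send_redirects <interface> [sysctl-root]
# Prints 1 if the kernel would still send redirects on <interface>, else 0.
effective_send_redirects() {
    _if="$1"
    _root="${2:-/proc/sys/net/ipv4/conf}"
    _all=$(cat "$_root/all/send_redirects")
    _one=$(cat "$_root/$_if/send_redirects")
    if [ "$_all" = "1" ] || [ "$_one" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# Usage from /etc/shorewall/init (runs as root at firewall start):
#   . /path/to/this/file && disable_send_redirects eth1
# Or run directly:  sh this.sh --apply eth1
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    disable_send_redirects "$2" && echo "send_redirects now $(effective_send_redirects "$2") on $2"
fi
```

Because the change is made through /proc it does not survive a reboot on its own; placing it in /etc/shorewall/init, as Tom suggests, re-applies it every time the firewall starts.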
On Mon, 3 Dec 2007 02:31:28 pm James Gray wrote:
** SNIPPED **
> So my question to the list is whether or not there is a better way to do
> this (WCCP with Shorewall and Squid maybe)? Using ICMP-redirect with OSX
> clients breaks routing to our DMZs (we have two).

Having spare NICs floating around, we simply created a new DMZ (which was a planned modification anyway) and moved the proxy to the DMZ. Again, following the steps on the Shorewall website it was trivial to set up and get functioning. The only minor headache was the re-work for the traffic shaping and ISP selection (we have 2 ISPs).

Thanks to Tom and Andrew for their suggestions. In the end, we opted for simply bringing forward a (minor) planned network restructure and move the proxy which has solved all the problems we were having.

Cheers,

James
-- 
* Phaedrus wishes he could get a machine that consists of Sparc IO, Alpha Processors and sleek design of an SGI
<pp> And intel prices
-- Seen on #Linux