I am trying to set up Squid with TPROXY using the instructions here: https://wiki.squid-cache.org/Features/Tproxy4. My goal is that when I access the server through the proxy, the server sees the client's IP rather than the proxy's IP.
There are 3 machines in my setup:
P: proxy machine (with Squid) - Fedora 33 (also tried Ubuntu 22.04)
Kernel settings:
cat /boot//config-$(uname -r) | grep TPROXY
CONFIG_NFT_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NF_TPROXY_IPV4=m
CONFIG_NF_TPROXY_IPV6=m
Iptables rules in the mangle table:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DIVERT tcp -- anywhere anywhere socket
TPROXY tcp -- anywhere anywhere tcp dpt:http TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
Chain DIVERT (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
ACCEPT all -- anywhere anywhere
Routing rules (also tried lo instead of ens192):
ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev ens192 table 100
Squid has --enable-linux-netfilter (checked with squid -v).
squid.conf:
debug_options ALL,5
http_access allow all
http_port 3128
http_port 3129 tproxy
cache deny all
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Part of the Squid logs when I try to connect:
access.log:
1682085494.697 60656 C_IP TCP_MISS/503 3997 GET http://S_IP/somefile - ORIGINAL_DST/P_IP text/html
cache.log:
kid1| 50,3| comm.cc(349) comm_openex: comm_openex: Attempt open socket for: C_IP
kid1| 50,3| comm.cc(392) comm_openex: comm_openex: Opened socket conn54 local=C_IP remote=[::] FD 16 flags=1 : family=2, type=1, protocol=6
kid1| 5,5| comm.cc(425) comm_init_opened: conn54 local=C_IP remote=[::] FD 16 flags=1 is a new socket
kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 16 S_IP
kid1| 5,4| AsyncCall.cc(29) AsyncCall: The AsyncCall Comm::ConnOpener::earlyAbort constructed, this=0x557efe7582f0 [call3188]
kid1| 5,5| comm.cc(997) comm_add_close_handler: comm_add_close_handler: FD 16, AsyncCall=0x557efe7582f0*1
kid1| 5,4| AsyncCall.cc(29) AsyncCall: The AsyncCall Comm::ConnOpener::timeout constructed, this=0x557efe2ffd80 [call3189]
kid1| 5,3| ConnOpener.cc(291) createFd: conn53 local=C_IP remote=P_IP:3129 ORIGINAL_DST flags=25 will timeout in 60
kid1| 5,5| comm.cc(654) comm_connect_addr: sock=16, addrinfo( flags=4, family=2, socktype=1, protocol=6, &addr=0x557efe75d070, addrlen=16 )
kid1| 5,5| ConnOpener.cc(345) doConnect: conn53 local=C_IP remote=P_IP:3129 ORIGINAL_DST flags=25: Comm::INPROGRESS
kid1| 5,5| ModEpoll.cc(116) SetSelect: FD 16, type=2, handler=1, client_data=0x557efe75d070, timeout=0
S: server machine
No traffic reaches the server. There is an Apache listening on port 80.
C: client machine
Running
curl -x http://P_IP:3129 -L http://S_IP:80/somefile
returns:
Connection to S_IP failed.
The system returned: (110) Connection timed out
The remote host or network may be down. Please try the request again.
Running
wget -e use_proxy=yes -e http_proxy=P_IP:3129 http://S_IP:80
returns:
Connecting to P_IP:3129... connected.
Proxy request sent, awaiting response... 503 Service Unavailable
Using the normal proxy port 3128 works as expected.
When I try to go through the proxy via the TPROXY port, no traffic reaches the server. How can I debug this further, and what am I doing wrong?
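A diagnostic that can be run over cache.log, added here as an example and not part of the question or of Squid itself: it parses the ConnOpener lines of the kind quoted above and reports intercepted connections whose ORIGINAL_DST is one of the proxy's own listening sockets, because such a line means Squid is about to open a spoofed-source connection back to itself rather than to an origin server. The listener set and the sample log lines are constructed (assumptions) and reuse the poster's C_IP/P_IP/S_IP placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the cache.log excerpt in the question.
# C_IP / P_IP / S_IP are the poster's placeholders, not real addresses.
SAMPLE_CACHE_LOG = """\
kid1| 5,3| ConnOpener.cc(291) createFd: conn53 local=C_IP remote=P_IP:3129 ORIGINAL_DST flags=25 will timeout in 60
kid1| 5,5| ConnOpener.cc(345) doConnect: conn53 local=C_IP remote=P_IP:3129 ORIGINAL_DST flags=25: Comm::INPROGRESS
kid1| 5,3| comm.cc(392) comm_openex: Opened socket conn54 local=C_IP remote=[::] FD 16 flags=1
kid1| 5,3| ConnOpener.cc(291) createFd: conn61 local=C_IP remote=S_IP:80 ORIGINAL_DST flags=25 will timeout in 60
"""

# Matches the "connN local=... remote=... [ORIGINAL_DST]" fragment Squid
# prints for outbound connections at debug level 5.
CONN_RE = re.compile(
    r"(?P<conn>conn\d+) local=(?P<local>\S+) remote=(?P<remote>\S+)(?P<odst> ORIGINAL_DST)?"
)


@dataclass(frozen=True)
class Finding:
    conn: str      # Squid connection id, e.g. conn53
    local: str     # spoofed (client) source address Squid binds to
    remote: str    # ORIGINAL_DST that points back at the proxy itself


def split_hostport(addr):
    """Split 'host:port' into (host, int port); port is None if absent."""
    host, sep, port = addr.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (addr, None)


def find_self_connects(log_text, proxy_listeners):
    """Return one Finding per connection whose ORIGINAL_DST is a (host, port)
    on which the proxy itself listens. A healthy intercepted connection has
    an origin server (e.g. S_IP:80) as ORIGINAL_DST and is not reported."""
    seen = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m or not m.group("odst"):
            continue  # not an intercepted outbound connection line
        conn = m.group("conn")
        if split_hostport(m.group("remote")) in proxy_listeners and conn not in seen:
            seen[conn] = Finding(conn, m.group("local"), m.group("remote"))
    return list(seen.values())


if __name__ == "__main__":
    listeners = {("P_IP", 3128), ("P_IP", 3129)}  # assumed http_port sockets
    for f in find_self_connects(SAMPLE_CACHE_LOG, listeners):
        print(f"{f.conn}: ORIGINAL_DST {f.remote} is the proxy itself (source {f.local})")
```

On a real host, replace the placeholder listener set with the addresses and ports from the http_port lines of squid.conf and feed it the actual cache.log.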