trafficserver-users mailing list archives
From Muhammad Faisal <faisalu...@yahoo.com>
Subject Re: Setting up Transparent Proxy
Date Wed, 27 Jan 2016 07:49:01 GMT
Hi Alan,

Now on a fresh system I have configured this as per your ApacheCon slides. 
Still no luck; I don't see any packet when logging is enabled on iptables 
because the DIVERT action is missing.


Alan's guide:

ip rule add fwmark 1/1 table 1
ip route add local 0/0 dev lo table 1
iptables -t mangle -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
iptables -t mangle -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1
iptables -t filter --flush FORWARD
iptables -t filter --flush INPUT
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

On 1/27/2016 9:59 AM, Muhammad Faisal wrote:
> Update:
> Now downgraded to CentOS 6.5, ATS 5.2.3.
>
> Now traffic.out is showing logs, but HTTP sites are still not working.
>
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http_cs) 
> tcp_init_cwnd_set 0
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http_cs) desired 
> TCP congestion window is 0
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http_tunnel) 
> [3013] producer_handler [http server VC_EVENT_READ_COMPLETE]
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http_redirect) 
> [HttpTunnel::producer_handler] enable_redirection: [1 0 0] event: 102
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http) [3013] 
> [&HttpSM::tunnel_handler_server, VC_EVENT_READ_COMPLETE]
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http_ss) [3068] 
> session closing, netvc 0x2b09ac0110c0
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http_tunnel) 
> [3013] consumer_handler [user agent VC_EVENT_WRITE_COMPLETE]
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http) [3013] 
> [&HttpSM::tunnel_handler_ua, VC_EVENT_WRITE_COMPLETE]
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http_cs) [3013] 
> session closed
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http_cs) [3013] 
> session destroy
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http) [3013] 
> [HttpSM::main_handler, HTTP_TUNNEL_EVENT_DONE]
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http) [3013] 
> [&HttpSM::tunnel_handler, HTTP_TUNNEL_EVENT_DONE]
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http_redirect) 
> [HttpTunnel::deallocate_postdata_copy_buffers]
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http_redirect) 
> [HttpTunnel::deallocate_postdata_copy_buffers]
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http_seq) 
> Skipping cop heartbeat logging & stats due to config
> [Jan 26 23:57:05.125] Server {0x2b0986322700} DEBUG: (http) [3013] 
> deallocating sm
>
> Please help me out to configure ATS with tproxy.
>
> On 1/26/2016 11:18 AM, Muhammad Faisal wrote:
>> *Hi Alan,*
>> The output is as follows:
>>
>> [root@ATS ~]# ip route show table 100
>> local default dev lo  scope host
>>
>>
>> *IPtables rules showing increasing packet counts:*
>>
>> # Generated by iptables-save v1.4.7 on Tue Jan 26 11:09:34 2016
>> *mangle
>> :PREROUTING ACCEPT [1601:195856]
>> :INPUT ACCEPT [1853:208672]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [1588:275561]
>> :POSTROUTING ACCEPT [1588:275561]
>> :DIVERT - [0:0]
>> [1853:208672] -A PREROUTING -j LOG --log-prefix " Towards_ATS " 
>> --log-level 7
>> [252:12816] -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY 
>> --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
>> [712:36656] -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK 
>> --set-xmark 0x1/0x1
>> COMMIT
>> # Completed on Tue Jan 26 11:09:34 2016
>> [root@wc01 ~]# iptables-save -c
>> # Generated by iptables-save v1.4.7 on Tue Jan 26 11:09:35 2016
>> *mangle
>> :PREROUTING ACCEPT [1618:196819]
>> :INPUT ACCEPT [1873:209787]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [1604:277388]
>> :POSTROUTING ACCEPT [1604:277388]
>> :DIVERT - [0:0]
>> [1873:209787] -A PREROUTING -j LOG --log-prefix " Towards_ATS " 
>> --log-level 7
>> [255:12968] -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY 
>> --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
>> [722:37168] -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK 
>> --set-xmark 0x1/0x1
>> COMMIT
>> # Completed on Tue Jan 26 11:09:35 2016
>>
>>
>> On 1/26/2016 12:06 AM, Alan Carroll wrote:
>>> Two recommendations:
>>>
>>> What is the output of
>>>
>>> ip route show table 100
>>>
>>> Also you should look at the iptables rule counts to see if those 
>>> rules are being hit at all.
>>>
>>>
>>> On Monday, January 25, 2016 12:50 PM, Muhammad Faisal 
>>> <faisalusuf@yahoo.com> wrote:
>>>
>>>
>>> *Update:*
>>> When I flush ebtables, HTTP browsing starts via the bridge. But when 
>>> I put in the rules below, browsing stops:
>>>
>>> ebtables -t broute -A BROUTING -i em2 -p ipv4 --ip-proto tcp 
>>> --ip-dport 80 -j redirect --redirect-target DROP
>>> ebtables -t broute -A BROUTING -i em1 -p ipv4 --ip-proto tcp 
>>> --ip-sport 80 -j redirect --redirect-target DROP
>>>
>>> I tried logging on both rules and can see packets are being processed, but 
>>> the iptables rule logs are empty. Any clue? I have upgraded the kernel 
>>> to 4.4 and it is still the same situation.
>>>
>>> Thanks
>>>
>>> On 1/25/2016 11:12 PM, Muhammad Faisal wrote:
>>> *Hi Alan,*
>>> Thanks for your response. I did go through your presentation (YouTube 
>>> video + slides) before starting the configuration. It enhanced my 
>>> understanding of ATS. However, I found another straightforward step-by-step 
>>> process at this location, which I followed: 
>>> http://apache-traffic-server.24303.n7.nabble.com/attachment/1638/0/ATS%20on%20Centos.txt
>>>
>>> When I remove the ebtables rules, HTTP browsing starts. Any suggestions?
>>>
>>> The output of traffic.out has nothing special; it seems no traffic is 
>>> processed by ATS (using the latest stable release, 6.0). Please see below.
>>>
>>> *traffic.out *
>>> traffic_server: using root directory '/usr/local'
>>> /usr/local/bin/trafficserver restart
>>> [traffic_server: Terminated (Signal sent by kill() 4771 
>>> 0)TrafficManager] ==> Cleaning up and reissuing signal #15
>>> [E. Mgmt] log ==> [TrafficManager] using root directory '/usr/local'
>>> traffic_server: using root directory '/usr/local'
>>>
>>>
>>> */etc/sysctl.conf*
>>> net.ipv4.ip_forward = 1
>>> net.ipv4.conf.default.rp_filter = 0
>>> net.ipv4.conf.all.rp_filter = 0
>>> net.ipv4.conf.eth0.rp_filter = 0
>>> net.ipv4.conf.eth1.rp_filter = 0
>>> net.ipv4.conf.br0.rp_filter = 0
>>> *IPTABLES rules in your ApacheCon ppt:*
>>> iptables -t mangle -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 0x1/0x1
>>> iptables -t mangle -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK --set-mark 0x1/0x1
>>> *This is what i have applied on the server:*
>>> ============================================
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A DIVERT -j LOG --log-prefix ' Towards_ATS ' 
>>> --log-level 7
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY 
>>> --tproxy-mark 0x1/0x1 --on-port 8080
>>> ===========================================
>>>
>>>
>>>
>>> On 1/25/2016 8:55 PM, Alan Carroll wrote:
>>>> Your configuration to enable debugging is correct, but there is no point in adding it to traffic_logstat; it will have no effect. The debug output should be placed in the var/log/trafficserver/traffic.out file.
>>>>
>>>> I need to check my notes (it's been a while since I worked with this), but I think your iptables rules should be interface dependent (as with ebtables) to allow packets to escape after going through ATS. I also don't recall using divert.
>>>>
>>>>
>>>> Did you set the /etc/sysctl.conf value?
>>>>
>>>> You might find this interesting -
>>>> https://www.dropbox.com/sh/h7erczfbt8ug8kn/cMyk4ukVSg?m  - it's a presentation on transparent proxy.


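Alan's advice to watch the iptables rule counters can be automated rather than compared by eye. The following is an added example, not code from this thread or from Traffic Server: it parses two `iptables-save -c` snapshots (the two posted above, embedded inline with the mail-wrapped rules rejoined onto single lines) and reports how many packets each mangle rule matched between them, flagging any TPROXY rule that matched nothing.

```python
import re
from typing import Dict, List, Tuple

# One counted rule from `iptables-save -c`: "[pkts:bytes] -A CHAIN <match/target>".
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s+.*\S)\s*$")

def parse_counters(dump: str) -> Dict[str, Tuple[int, int]]:
    """Map each rule (its text after the counters) to (packets, bytes).
    Table names (*mangle), chain policies (:PREROUTING ...), COMMIT and
    '#' comments do not match the pattern and are skipped."""
    counters: Dict[str, Tuple[int, int]] = {}
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            counters[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return counters

def packet_deltas(before: str, after: str) -> Dict[str, int]:
    """Packets matched per rule between two snapshots. A rule present only in
    the later snapshot counts from zero; a delta of 0 means 'never hit'."""
    b, a = parse_counters(before), parse_counters(after)
    return {rule: a[rule][0] - b.get(rule, (0, 0))[0] for rule in a}

def unhit_rules(deltas: Dict[str, int], target: str) -> List[str]:
    """Rules jumping to `target` (e.g. TPROXY) that matched no packets."""
    return [r for r, n in deltas.items() if f"-j {target}" in r and n == 0]

# Two consecutive mangle-table snapshots, copied from the thread above
# (11:09:34 and 11:09:35); only the rule lines matter to the parser.
SNAPSHOT_1 = """\
*mangle
:PREROUTING ACCEPT [1601:195856]
:DIVERT - [0:0]
[1853:208672] -A PREROUTING -j LOG --log-prefix " Towards_ATS " --log-level 7
[252:12816] -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
[712:36656] -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
COMMIT
"""
SNAPSHOT_2 = """\
*mangle
:PREROUTING ACCEPT [1618:196819]
:DIVERT - [0:0]
[1873:209787] -A PREROUTING -j LOG --log-prefix " Towards_ATS " --log-level 7
[255:12968] -A PREROUTING -i em2 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
[722:37168] -A PREROUTING -i em1 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
COMMIT
"""

if __name__ == "__main__":
    deltas = packet_deltas(SNAPSHOT_1, SNAPSHOT_2)
    for rule, n in deltas.items():
        print(f"{n:6d} packets  {rule}")
    print("TPROXY rules never hit:", unhit_rules(deltas, "TPROXY") or "none")
```

In the thread's own numbers the TPROXY rule gains 3 packets and the MARK rule 10 in one second, so the rules are matched; an empty delta on the TPROXY line would instead point at the ebtables/BROUTING side never handing the frames to iptables.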