trafficserver-users mailing list archives

From Muhammad Faisal <faisalu...@yahoo.com>
Subject Re: Setting up Transparent Proxy
Date Sun, 24 Jan 2016 18:40:39 GMT
Hi James,

Thank you for your response. Below is the configuration on my ATS box:

Scenario:
[Client]------Router1-------em2-------ATS---------em1--------Router2---------Internet

Note: After configuring bridge it was verified that all clients are able to browse internet before ATS configurations. Only http sites are not working but https is working fine.

Deployment Details:
ATS version: 6.0
OS Version: CentOS 6.7 x64

Networking Details:
Bridge: em1, em2 (eth0,eth1)
em1 connecting to Internet
em2 connecting to client side router
em4 for management purpose
Client on real IP different subnet
Bridge subnet is different than client subnet

ATS Configuration:
CONFIG proxy.config.http.server_ports STRING 8080:tr-full
CONFIG proxy.config.cluster.ethernet_interface STRING br0
CONFIG proxy.config.reverse_proxy.enabled INT 1 (documentation says for fully transparent this should be set to 1)
CONFIG proxy.config.url_remap.remap_required INT 0

IP Route Rule:
Default gateway via br0 interface

IP Rules:
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default

ebtables Rules:
[root@ATS~]# ebtables-save
# Generated by ebtables-save v1.0 on Sun Jan 24 23:08:37 PKT 2016
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT

*broute
:BROUTING ACCEPT
-A BROUTING -p IPv4 -i em2 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
-A BROUTING -p IPv4 -i em1 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

iptables Rules:
# Generated by iptables-save v1.4.7 on Sun Jan 24 23:10:04 2016
*mangle
:PREROUTING ACCEPT [159446:11225783]
:INPUT ACCEPT [344226:50075640]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [297742:49115316]
:POSTROUTING ACCEPT [297742:49115316]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT

Traffic_Layout output:
[root@ATS~]# traffic_layout -f
#define BUILD_MACHINE "ATS"
#define BUILD_PERSON "root"
#define BUILD_GROUP "root"
#define BUILD_NUMBER ""
#define TS_HAS_LIBZ 0
#define TS_HAS_LZMA 0
#define TS_HAS_JEMALLOC 0
#define TS_HAS_TCMALLOC 0
#define TS_HAS_IN6_IS_ADDR_UNSPECIFIED 1
#define TS_HAS_BACKTRACE 1
#define TS_HAS_PROFILER 0
#define TS_USE_FAST_SDK 0
#define TS_USE_DIAGS 1
#define TS_USE_EPOLL 1
#define TS_USE_KQUEUE 0
#define TS_USE_PORT 0
#define TS_USE_POSIX_CAP 1
#define TS_USE_TPROXY 1
#define TS_HAS_SO_MARK 1
#define TS_HAS_SPDY 0
#define TS_HAS_IP_TOS 1
#define TS_USE_HWLOC 1
#define TS_USE_FREELIST 1
#define TS_USE_TLS_NPN 1
#define TS_USE_TLS_ALPN 0
#define TS_USE_TLS_SNI 1
#define TS_USE_CERT_CB 0
#define TS_USE_SET_RBIO 0
#define TS_USE_TLS_ECKEY 1
#define TS_USE_LINUX_NATIVE_AIO 0
#define TS_HAS_SO_PEERCRED 1
#define TS_USE_REMOTE_UNWINDING 0
#define GETHOSTBYNAME_R_GLIBC2 1
#define SIZEOF_VOID_POINTER 8
#define TS_IP_TRANSPARENT 19
#define TS_HAS_128BIT_CAS 1
#define TS_HAS_TESTS 1
#define TS_HAS_WCCP 0
#define TS_MAX_THREADS_IN_EACH_THREAD_TYPE 3072
#define TS_MAX_NUMBER_EVENT_THREADS 4096
#define TS_MAX_HOST_NAME_LEN 256
#define TS_MAX_API_STATS 512
#define SPLIT_DNS 1
#define HTTP_CACHE 1
#define TS_PKGSYSUSER "nobody"
#define TS_PKGSYSGROUP "nobody"

TCP Connection Status: netstat -tanp
tcp        0      0 0.0.0.0:8080                0.0.0.0:*                   LISTEN      20404/traffic_manag
tcp        0      0 127.0.0.1:8083              0.0.0.0:*                   LISTEN      20404/traffic_manag
tcp        0      0 127.0.0.1:8084              0.0.0.0:*                   LISTEN      20410/traffic_serve


Google websites on port 8080 on ATS server have SYN_RECV status.


Regards,
Muhammad Faisal.

From: James Peach <jpeach@apache.org>
To: users@trafficserver.apache.org; Muhammad Faisal <faisalusuf@yahoo.com>
Sent: Sunday, January 24, 2016 5:16 AM
Subject: Re: Setting up Transparent Proxy

> On Jan 23, 2016, at 1:34 PM, Muhammad Faisal <faisalusuf@yahoo.com> wrote:
> 
> Hi All,
> I tried to set up ATS using the guidelines at below links. With linux bridge interface up the clients are able to browse internet but after configuring iptables, ebtables the port 80 traffic failed at client side.
> 
> Nothing appearing on squid.log
> 
> Guidelines followed:
> http://apache-traffic-server.24303.n7.nabble.com/attachment/1638/0/ATS%20on%20Centos.txt
> 
> Please note my clients are on different subnets while the proxy is inline bridged b/w gateway and wireless gateway. Clients get real IP not private.
> 
> Please suggest how to debug the issue?

Please use the latest release (6.0), not 4.1. Use traffic_layout -f to verify that transparent
proxy support is enabled (look for TPROXY) in the output. Enable the "http_tproxy" debug tag
(see proxy.config.diags.debug.tags documentation) and check the logs for any clues.

Once you have verified that Traffic Server is ok, the most likely cause is network configuration.

>  
> 
> Regards, Muhammad Faisal.
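
Added example, not part of either message above and not Traffic Server code: a small consistency check across the three settings the thread shows, namely the transparent port in proxy.config.http.server_ports, the TPROXY rule's --on-port and --tproxy-mark, and the fwmark in the ip rule list. The sample inputs are constructed from the values quoted in the message; the function names are hypothetical, and the check covers only these three settings, not the bridge or routing table contents.

```python
import re

# Constructed sample inputs, modelled on the settings quoted in the message.
RECORDS = "CONFIG proxy.config.http.server_ports STRING 8080:tr-full\n"
MANGLE = """\
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
"""
IP_RULES = """\
0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
"""

def transparent_ports(records):
    """Ports in proxy.config.http.server_ports flagged tr-in or tr-full."""
    m = re.search(r"proxy\.config\.http\.server_ports\s+STRING\s+(.+)", records)
    ports = set()
    for desc in (re.split(r"[\s,]+", m.group(1).strip()) if m else []):
        fields = desc.split(":")
        if fields[0].isdigit() and {"tr-full", "tr-in"} & set(fields[1:]):
            ports.add(int(fields[0]))
    return ports

def check(records, mangle, ip_rules):
    """Return mismatches between ATS, the TPROXY rule and the ip rule list."""
    problems = []
    listen = transparent_ports(records)
    # Simplification: only the fwmark value is read, not an optional /mask.
    marks = {int(m, 16) for m in re.findall(r"fwmark (0x[0-9a-fA-F]+)", ip_rules)}
    tproxy = re.findall(
        r"-j TPROXY --on-port (\d+).*?--tproxy-mark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)",
        mangle)
    if not tproxy:
        problems.append("no TPROXY rule in mangle table")
    for port, value, mask in tproxy:
        if int(port) not in listen:
            problems.append(f"TPROXY --on-port {port} is not a transparent ATS port")
        if (int(value, 16) & int(mask, 16)) not in marks:
            problems.append(f"no 'ip rule' matches fwmark {value}")
    return problems

if __name__ == "__main__":
    print(check(RECORDS, MANGLE, IP_RULES) or "settings are consistent")
```

An empty result means only that the three settings agree with each other; the contents of the routing table named by the fwmark rule are not examined.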


   
