Miuku Question;
Is there a specific reason you’re doing this on Squid as opposed to say Varnish - I’m assuming you wish to setup a load balancing/caching frontend server for web servers in the back?
The goal is to allow external testers and reviewers access to a prototyping and testing environment, including the bug tracking software, as well as a couple of private web sites. For convenience, these are running in the Internal zone. It would certainly be an option to move them into the DMZ, but not preferable.
Using a bastion host / reverse proxy allows the internal servers to move around as necessary by setting the name associations via the Squid configuration.
AdaLovelace Test every interface with tcpdump.
- Does the client send the “SYN”?
- Does the proxy get the “SYN” on the right interface (eth0 or eth1)?
- Does the proxy transfer the request to the right interface? (spoofing seperate on every interface!)
If you wouldn’t get the transfer, look after the log files in /var/log/squid/… .
If you can’t find any informations about that there, look after the routing between both subnets.
I have been running tcpdump almost continuously, which is how I see the traffic from the internal and external clients. I use the following command:
tcpdump -i 2 ‘tcp port 80’
– 2 is the correct interface for the DMZ, as verified by ifconfig
– squid is configured to listen on port 80. The first two lines of squid.conf:
>http_port 80 accel defaultsite=webhost.mydomaindottld
>#
>forwarded_for on # so that the true requestor shows up in the server logs
Also, note that to rule out Squid, I started Apache in its place, listening on port 80, and the same behavior occurs, that is, the SYN packets from the external address are dropped in the bit bucket.
– I do not know for sure that the external client is sending the SYN packets. That is a valid question. It is a Win7Pro laptop connected to a Comcast public hotspot (Comcast’s latest cable modems include the “feature” that they are a public hotspot, but that’s a whole separate discussion and not openSuSE specific). I have not (yet) installed network diagnostic software on the Win7 client, so traceroute is not available. The arrival of the external SYN packets corresponds to when I ask Firefox to connect to the site, and the source IP as reported by tcpdump maps to a Comcast address originating in Philadelphia, which is appropriate; I am about 15 miles west of the city. Without some diagnostics (not even traceroute is there!) it’s hard to be sure, but a ping from the external client does get a response from the proper public IP address.
– Once the packets arrive on the proxy host, I don’t see where subnet routing means anything. For diagnostics I have completely disabled the firewall on the proxy host; iptables -L lists no rules at all. The firewall is one of the first places I look for these sorts of problems (my experience on 13.1 is that the first update after a fresh build resets all the interfaces to the External zone), but it is turned off!!
What had me puzzled initially was that the Squid logs (access, and cache with debug set to 6) showed no evidence of the SYN connection requests. Requests from the internal clients were properly logged, including denials due to ACL rules. So as to eliminate the Squid ACL rules as the problem, I tried running Apache on the same host (with Squid stopped, obviously). Apache behaves the same as Squid: it responds properly to any requests coming from the Internal zone (these do arrive on the DMZ interface) but the SYN packets from the external world are ignored. The fact that two different servers have the same behavior makes me conclude that it’s not the servers. If I could point to Squid, I would have posted in the squid-cache forums rather than here in openSuSE, but I don’t think it’s fair to ask them to diagnose problems not related to Squid.
I have been mucking with IP and Linux for twenty years beginning by using the Slackware distro to build custom kernels for firewalls and bastion hosts, then taking up with SuSE ~2001 because it would install cleanly on the Compaq M700 laptops we were using at work. But I am not an IP expert. I have turned over every rock I can think of, and the answer is probably very obvious to somebody who works with the IP stack on a regular basis. I can certainly post the output of ifconfig and tcpdump just to be sure that I am reading it correctly.
This was working six or eight weeks ago. External users were able to connect through the reverse proxy to bugzilla, login, create a sample bug and everybody received the notification e-mail. It was all good. Then, because of firewall problems, Comcast did an update to the modem. Over those last six weeks I have acquired some decent firewalls and routers (SonicWall and Cisco), so I am sore tempted to remove the Comcast modem from the configuration. I will first install IP diagnostic tools on the Win7 external client.
In summary, I may be crazy, but this is really making me nuts!