Squid in jail

After setting up DNS in a jail, I'm having a harder time with squid31.

What I get in
# tail -f /var/log/squid/access.log
is
Code:
2012/04/20 16:14:14| IpIntercept.cc(316) PfInterception: PF open failed: (13) Permission denied
2012/04/20 16:14:28| IpIntercept.cc(316) PfInterception: PF open failed: (13) Permission denied

Can someone point me in the direction of what needs to be done after:

1. Squid is installed and configured to run correctly in jail
2. Host pf is redirecting www traffic to jailed port 3128

I couldn't find a resource online on how to deal with pf and squid in a jail, just random individual problems.

Thanks.
 
Put this in /etc/devfs.conf:
Code:
# Allow Squid read access to /dev/pf
own     pf      root:squid
perm    pf      0640
and run service devfs restart

This works in a non-jailed environment, so ymmv.
 
I played around with this a bit. The above suggestion doesn't work: squid is not running on the host, so the above won't even parse. In the jail it doesn't make a difference.

I'm not sure there is a need for the transparent pf service since I am already redirecting traffic to the jail. It seems to work, but there is just a huge amount of "TCP_MISS" logs. Occasionally there is a hit, etc., but shouldn't things like youtube videos get cached?

Also, the following script I use for checking gmail doesn't work:
Code:
#!/usr/local/bin/python
# Check the Gmail Atom feed over HTTPS using HTTP Basic authentication.
# Usage: check_gmail <username> <password>
# Python 2 script: it uses the urllib/httplib modules that appear in the
# traceback below plus the third-party feedparser module.

import sys
import urllib
import feedparser
from textwrap import wrap

_URL = "https://mail.google.com/gmail/feed/atom"

uname = sys.argv[1]
password = sys.argv[2]

# FancyURLopener would normally prompt on the terminal when the server
# answers 401; override that hook so it replies with the argv credentials.
urllib.FancyURLopener.prompt_user_passwd = lambda self, host, realm: (uname, password)

def auth():
    '''The method to do HTTPBasicAuthentication'''
    # URLopener picks up http_proxy/https_proxy from the environment.
    opener = urllib.FancyURLopener()
    f = opener.open(_URL)
    feed = f.read()
    return feed

def readmail(feed):
    '''Parse the Atom feed and print a summary'''
    atom = feedparser.parse(feed)
    print '%s new' % len(atom.entries)

if __name__ == "__main__":
    f = auth()  # Do auth and then get the feed
    readmail(f)

Basically, what I get is this:
Code:
Traceback (most recent call last):
  File "/home/bbzz/.scripts/check_gmail", line 43, in <module>
    f = auth()  # Do auth and then get the feed
  File "/home/bbzz/.scripts/check_gmail", line 33, in auth
    f = opener.open(_URL)
  File "/usr/local/lib/python2.7/urllib.py", line 205, in open
    return getattr(self, name)(url)
  File "/usr/local/lib/python2.7/urllib.py", line 435, in open_https
    h.endheaders(data)
  File "/usr/local/lib/python2.7/httplib.py", line 951, in endheaders
    self._send_output(message_body)
  File "/usr/local/lib/python2.7/httplib.py", line 811, in _send_output
    self.send(msg)
  File "/usr/local/lib/python2.7/httplib.py", line 773, in send
    self.connect()
  File "/usr/local/lib/python2.7/httplib.py", line 1158, in connect
    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
  File "/usr/local/lib/python2.7/ssl.py", line 372, in wrap_socket
    ciphers=ciphers)
  File "/usr/local/lib/python2.7/ssl.py", line 134, in __init__
    self.do_handshake()
  File "/usr/local/lib/python2.7/ssl.py", line 296, in do_handshake
    self._sslobj.do_handshake()
IOError: [Errno socket error] [Errno 1] _ssl.c:503: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

The Squid log shows:
Code:
1334954618.636      0 192.168.0.2 NONE/400 3646 NONE error:invalid-request - NONE/- text/html
1334954713.752      0 192.168.0.2 NONE/400 3646 NONE error:invalid-request - NONE/- text/html
Is there an option to make this work?

Other than that, this has been an exercise in hell. I'm not sure if it works since there is just a huge number of misses. I remember setting this up before with ease, but it wasn't jailed.
 
Looks like I can't access gmail at all through squid with a browser, which is why the above script won't work, I guess.
 
Update: I managed to get transparent pf working in the jail, but I don't think it matters. Like I said, traffic is already getting redirected by the host pf. I don't see a difference when compiling with or without the 'transparent pf' option.

The problem I have remains: I can't access certain pages, such as gmail, through the cache server.
Can this be fixed?
 
You're probably referring to https traffic. This cannot be redirected, as it would break the end-to-end encryption (a.k.a. man-in-the-middle attack). You need to let traffic to destination port 443 through.
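A concrete host pf.conf for the split described in the reply above, added here as an illustration and not taken from the thread. Interface names, the LAN prefix and the jail's address are placeholders (the thread only shows clients in 192.168.0.x); the rule set redirects plain HTTP to the jailed Squid and deliberately leaves port 443 alone, because a TLS ClientHello arriving on Squid's HTTP port is what produces the "NONE/400 error:invalid-request" lines and the client-side "unknown protocol" error seen earlier.

```conf
# /etc/pf.conf on the host (constructed example; old-style rdr/nat syntax as
# used by FreeBSD's pf). All names and addresses below are placeholders.
ext_if  = "em0"             # uplink
int_if  = "em1"             # LAN side, where the clients are
lan     = "192.168.0.0/24"  # assumed client network
jail_ip = "192.168.0.10"    # assumed address of the Squid jail
squid   = "3128"

# Outbound masquerading for the LAN (assumes the host is the gateway).
nat on $ext_if from $lan to any -> ($ext_if)

# Plain HTTP from LAN clients is redirected to the jailed Squid.
# "rdr pass" also passes the redirected packets without further filtering.
rdr pass on $int_if proto tcp from $lan to any port 80 -> $jail_ip port $squid

# HTTPS is NOT redirected: Squid cannot proxy it transparently without
# breaking the end-to-end TLS session, so let port 443 through untouched.
pass in  quick on $int_if proto tcp from $lan to any port 443 keep state
pass out quick on $ext_if proto tcp from $lan to any port 443 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only), then `pfctl -f /etc/pf.conf`, and check the translation rules with `pfctl -s nat`: port 80 should appear in the rdr rule and port 443 should not. On the Squid side the intercepted port is declared in squid.conf as `http_port 3128 intercept` (Squid 3.1 also still accepts the older `transparent` keyword); clients that explicitly configure the proxy keep reaching gmail because they use CONNECT to port 3128 rather than being redirected.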
 
I figured it was something like that. However, not all https pages are 'broken'.
So, technically only requests on port 80 should be redirected to the jail?

Thanks again.
 