Re: [squid-users] Transparent proxy problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 23 Jun 2009 11:41:11 +1200

On Mon, 22 Jun 2009 15:11:28 +0100, Adam Jackson <adamjacksonuk_at_gmail.com>
wrote:
> On Mon, Jun 22, 2009 at 12:24 PM, Amos Jeffries
> <squid3_at_treenet.co.nz>wrote:
>
>> Adam Jackson wrote:
>>
>>> Hi Squid users,
>>>
>>> I'm trying to set Squid up to function as a transparent proxy without
>>> success. I've got Squid 3 stable release 16. I'm running as root with
>>> the cache_effective_user as squid (the owner of the squid directories
>>> is squid).
>>>
>>> I've setup iptables so that port 80 traffic gets sent to 3128 where
>>> the client connects
>>>
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
>>> --to-port 3128
>>>
>>> Firefox reports that the proxy refused connection. tcpdump indicates
>>> that the proxy does receive some packets on 3128 and there are no
>>> other obstructive firewall rules. I don't know a great deal about
>>> iptables but should I also have a rule that sends requests received on
>>> 3128 out of port 80 to the requested web server? The rule above only
>>> redirects retrieved pages, if I understand correctly?
>>>
>>>
>> There are a minimum of 3 iptables rules for interception...
>>
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>>
>>
>>
>>> Here is my squid.conf:
>>>
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/32
>>> acl to_localhost dst 127.0.0.0/8
>>> #client IP below
>>> acl localnet src 10.112.0.221/32 # RFC1918 possible internal network
>>>
>>
>> This being the actual IP of the one and only host you are sending
>> requests
>> from. right?
>
> ** yes 1 and only host ***
>
>>
>>
>> acl SSL_ports port 443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>>
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access deny to_localhost
>>>
>>> http_access allow localnet
>>>
>>> http_access deny all
>>>
>>> icp_access allow localnet
>>> icp_access deny all
>>>
>>> htcp_access allow localnet
>>> htcp_access allow all
>>>
>>> http_port 3128 transparent
>>>
>>> hierarchy_stoplist cgi-bin ?
>>>
>>> access_log /usr/local/squid/var/logs/access.log squid
>>>
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern (cgi-bin|\?) 0 0% 0
>>> refresh_pattern . 0 20% 4320
>>>
>>> cache_effective_user squid
>>>
>>> icp_port 3130
>>>
>>> coredump_dir /usr/local/squid/var/cache
>>>
>>>
>>>
>>> Thanks.
>>>
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
>> Current Beta Squid 3.1.0.8
>
>
> Hi Amos,
>
> Thanks for the reply. Following the iptables instructions you pointed to
> results in:
> Not found
>
> The requested URL /ConfigExamples/Intercept/LinuxRedirect was not found
on
> this server.
> I seem to remember reading that in older versions of squid this occurred
> if
> an option for dealing with headers wasn't active, but this has been
> superseded by 'transparent' keyword in squid 3.0?

Correct memory. But resolved in the very early releases.

Your config of:
... -j REDIRECT --to-port 3128
...
 http_port 3128 transparent

Should be working. (Though personally I'd use a different random port to
reduce normal proxy requests coming into it).

So it looks like the packets are getting to Squid. Where something has gone
completely awry :(

Amos
Received on Mon Jun 22 2009 - 23:41:15 MDT

This archive was generated by hypermail 2.2.0 : Tue Jun 23 2009 - 12:00:03 MDT