Re: [squid-users] Interception proxy with DNAT using squid 3.2.7

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 06 Feb 2013 14:21:06 +1300

On 6/02/2013 11:43 a.m., Marcel Steinbach wrote:
> Hi,
>
> I want to setup an interception proxy with DNAT using squid 3.2.7.
>
> My squid.conf is
>
> acl trusted src x.x.x.x y.y.y.y
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow trusted
> http_access allow localhost
> http_access deny all
> http_port 0.0.0.0:8888
> http_port 0.0.0.0:8128 intercept
> hierarchy_stoplist cgi-bin ?

NP: hierarchy_stoplist is not useful for general use anymore. You should
remove this line unless you actually need it.

> debug_options ALL,1
> coredump_dir /var/spool/squid3
> cache deny all
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> request_header_access Proxy-Connection deny all
> request_header_access X-Forwarded-For deny all

NP: in 3.2 this hack is no longer needed.
  Use "forwarded_for delete" to strip XFF headers instead.
  Use "forwarded_for transparent" to pass external software's XFF headers
without adding one for this proxy.

> request_header_access Connection deny all
> request_header_access Via deny all
> forwarded_for off
>
>
> I've set up the iptables and sysctl.conf as described in http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>
> $ iptables -t nat --list-rules
> -P PREROUTING ACCEPT
> -P POSTROUTING ACCEPT
> -P OUTPUT ACCEPT
> -A PREROUTING -s 209.141.35.219/32 -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 209.141.35.219:8128
> -A POSTROUTING -j MASQUERADE
> $ iptables -t mangle --list-rules
> -P PREROUTING ACCEPT
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -P POSTROUTING ACCEPT
> -A PREROUTING -p tcp -m tcp --dport 8128 -j DROP

These rules look fine *if* they are on the Squid box itself. DNAT _must
not_ be configured on an external box.

>
> In my client network, I've set up a dnsmasq to redirect the hosts that I want to proxy to the squid box.
>
> However, when I call one of the hosts, e.g. www.example.org, I get
>
>
> ERROR
> The requested URL could not be retrieved
> The following error was encountered while trying to retrieve the URL: http://example.org/
> Connection to <squid-ip> failed.
> The system returned: (111) Connection refused

Because dnsmasq has told the client (and Squid) that the origin server
hosting this domain is the Squid box.
There is no web server running on the Squid box port 80.

Why are you using dnsmasq instead of policy routing?

Amos
Received on Wed Feb 06 2013 - 01:21:11 MST
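The failure Amos describes can be walked through step by step. The following is an added model, not code from the thread, from Squid or from the squid-cache wiki: it applies the two nat PREROUTING rules the poster listed to a client request for http://www.example.org/ under the two DNS setups discussed, dnsmasq answering with the Squid box's own address versus the name resolving normally with policy routing steering the packets through the box. `SquidBox`, `trace_request`, `diagnose` and the origin address `198.51.100.10` are constructed for this example; the model simplifies in two ways that are labelled in the comments: any destination that is not the Squid box is assumed to be a reachable origin, and Squid's own outbound connection to a local address is assumed to meet the `-s <squid>/32 ... ACCEPT` exemption so it is never re-intercepted.

```python
"""Added model of the packet path in the thread (not Squid's or the wiki's code):
a client fetch of http://www.example.org/ through the posted DNAT rules, with
dnsmasq pointing the name at the Squid box (the poster's setup) and with the
name resolving to the real origin (policy routing setup)."""
from dataclasses import dataclass

SQUID_IP = "209.141.35.219"   # the --to-destination address in the posted rules
INTERCEPT_PORT = 8128         # http_port 0.0.0.0:8128 intercept
ORIGIN_IP = "198.51.100.10"   # constructed stand-in for the real origin (TEST-NET-2)
REFUSED = "(111) Connection refused"  # the error text from the thread


@dataclass
class SquidBox:
    ip: str
    listeners: frozenset   # (ip, port) pairs with a process accepting connections
    dns: dict              # name -> IP, the answer both the client and Squid receive


def nat_prerouting(box, src_ip, dst_ip, dst_port):
    """Apply the posted nat PREROUTING rules to a packet arriving on the Squid box
    and return the (possibly rewritten) destination."""
    # -A PREROUTING -s <squid>/32 -p tcp -m tcp --dport 80 -j ACCEPT
    # Exempts Squid's own outbound connections so they are not looped back.
    if src_ip == box.ip and dst_port == 80:
        return dst_ip, dst_port
    # -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination <squid>:8128
    if dst_port == 80:
        return box.ip, INTERCEPT_PORT
    return dst_ip, dst_port


def deliver(box, dst_ip, dst_port):
    """Where a TCP SYN ends up after NAT. Simplification: any destination other
    than the Squid box is assumed to be a reachable origin server."""
    if dst_ip != box.ip:
        return "forwarded to origin %s:%d" % (dst_ip, dst_port)
    if (dst_ip, dst_port) in box.listeners:
        return "accepted by local listener on port %d" % dst_port
    return REFUSED


def trace_request(box, client_ip, host):
    """Trace client -> Squid -> origin for http://host/. Assumes the client's packet
    traverses the Squid box (both dnsmasq and policy routing achieve that)."""
    steps = []
    client_dst = box.dns[host]
    nat_ip, nat_port = nat_prerouting(box, client_ip, client_dst, 80)
    steps.append("client %s -> %s:80, PREROUTING delivers to %s:%d"
                 % (client_ip, client_dst, nat_ip, nat_port))
    result = deliver(box, nat_ip, nat_port)
    steps.append("client SYN: " + result)
    if (nat_ip, nat_port) != (box.ip, INTERCEPT_PORT) or result == REFUSED:
        return steps, result
    # Squid reads the Host header, resolves it with the same DNS, and connects out.
    # Assumption: that connection matches the -s <squid>/32 exemption, so no rewrite.
    origin = box.dns[host]
    out_ip, out_port = nat_prerouting(box, box.ip, origin, 80)
    result = deliver(box, out_ip, out_port)
    steps.append("squid %s -> %s:%d: %s" % (box.ip, out_ip, out_port, result))
    return steps, result


def diagnose(box, host):
    """One-line explanation for the refusal seen in the thread."""
    if box.dns[host] == box.ip:
        return ("DNS answers %s for %s: Squid would connect to itself on port 80, where "
                "nothing listens; resolve the name normally and steer packets through "
                "the box with policy routing instead" % (box.ip, host))
    return "DNS points at the real origin; the interception path is consistent"


if __name__ == "__main__":
    listeners = frozenset({(SQUID_IP, 8888), (SQUID_IP, INTERCEPT_PORT)})
    for label, answer in (("dnsmasq override", SQUID_IP), ("policy routing", ORIGIN_IP)):
        box = SquidBox(SQUID_IP, listeners, {"www.example.org": answer})
        steps, outcome = trace_request(box, "192.0.2.25", "www.example.org")
        print("== %s ==" % label)
        for step in steps:
            print("  " + step)
        print("  outcome:", outcome)
        print("  " + diagnose(box, "www.example.org"))
```

With the dnsmasq answer the trace ends in exactly the "(111) Connection refused" from the thread: the client's packet is intercepted on 8128, but Squid's own connection for the Host header goes to the Squid box's port 80, where no web server listens. With the name resolving to the real origin, the same rules intercept the client and let Squid's outbound connection pass untouched.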