[squid-users] 2.6.STABLE3: how to set up transparent proxy

From: W. Tait Cyrus <tait.cyrus@dont-contact.us>
Date: Fri, 15 Sep 2006 22:50:50 -0600

OK. I've spent the past 4 hours searching old postings and squid
related web sites for this answer and seem to find things keep leading
in circles.

I have a Linux 2.6.17 firewall running squid and squidGuard. The
firewall is configured such that all outgoing http access gets NATed to
port 3128 (on the fw) where squid then runs squidGuard to filter out
"bad" sites. That is ALL squid is intended for is to run squidGuard on
all outgoing web accesses. I need this type of configuration since
updating the proxy in the web browsers is too easy to turn off (and gain
access to the "bad" sites) so I need something transparent.

I had been running squid squid-2.5.STABLE12 with little problems, but
did run into a problem with an app failing to update itself via http
(because squid got in the way) so I wanted to upgrade to 2.6.STABLE3
hoping the problem would be fixed. Unfortunately I can't get
2.6.STABLE3 configured to work the same way.

Many of the previous posting suggest:
- read the release notes:
    well, I've done that and they don't given any examples, only a word
description that
    an "option" can be used to do this. So it isn't clear at all what
the correct form of
    the options are to configure squid to be transparent since it
appears that multiple
    options are required and no where are they all together discussed
- read the FAQ
    again it says almost the same thing, or doesn't exist (one wiki was
still being written in regards
    to transparent proxy setup)
- or they suggest things which didn't work (or produced startup errors)

My previous configuration was basically:

httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

with iptables configured with:
iptables -t nat -A PREROUTING -p tcp -m tcp -s 10.0.0.0/8 --dport 80 -j
DNAT --to-destination 10.200.1.100:3128

So only outgoing port 80 were NAT'ed to 3128. All incoming port 80 are
dealt with separately (forwarded to the web server).

I've tried the following squid config (since that seemed to be what most
people suggested) without success:
   http_port 3128 transparent
   cache_peer localhost parent 3128 0 no-query originserver
but this mangles the URL adding port 3128 to the host. I.e. changes
    http://google.com to http://google.com:3128
Even tried variations on http_port and cache_peer.

So is there a simple example of how to set up a transparent proxy (local
cache)?

tia
    ++Tait
Received on Fri Sep 15 2006 - 22:51:01 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Oct 01 2006 - 12:00:03 MDT