Re: [squid-users] Transparent proxy problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 22 Jun 2009 23:24:26 +1200

Adam Jackson wrote:
> Hi Squid users,
>
> I'm trying to set Squid up to function as a transparent proxy without
> success. I've got Squid 3 stable release 16. I'm running as root with
> the cache_effective_user as squid (the owner of the squid directories
> is squid).
>
> I've setup iptables so that port 80 traffic gets sent to 3128 where
> the client connects
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>
> Firefox reports that the proxy refused connection. tcpdump indicates
> that the proxy does receive some packets on 3128 and there are no
> other obstructive firewall rules. I don't know a great deal about
> iptables but should I also have a rule that sends requests received on
> 3128 out of port 80 to the requested web server? The rule above only
> redirects retrieved pages, if I understand correctly?
>

There are a minimum of 3 iptables rules for interception...

   http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

>
> Here is my squid.conf:
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> #client IP below
> acl localnet src 10.112.0.221/32 # RFC1918 possible internal network

This being the actual IP of the one and only host you are sending
requests from. right?

> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
>
> http_access allow localnet
>
> http_access deny all
>
> icp_access allow localnet
> icp_access deny all
>
> htcp_access allow localnet
> htcp_access allow all
>
> http_port 3128 transparent
>
> hierarchy_stoplist cgi-bin ?
>
> access_log /usr/local/squid/var/logs/access.log squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> cache_effective_user squid
>
> icp_port 3130
>
> coredump_dir /usr/local/squid/var/cache
>
>
>
> Thanks.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.8
Received on Mon Jun 22 2009 - 11:24:34 MDT

This archive was generated by hypermail 2.2.0 : Mon Jun 22 2009 - 12:00:03 MDT