Re: [squid-users] squid transparent proxy + parent proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 28 May 2011 04:00:22 +1200

On 28/05/11 02:54, Phillip Evans wrote:
> Hi,
>
> I've tried searching the mailing list and Google but I can't seem to
> find a solution.
>
> I'm trying to set-up a squid proxy server (squid V3.1) in our
> organisation for external users.
>
> I've configured a Linux box (fedora 14) with 2 NIC, the first (eth0 IP
> address 172.20.104.148 - gateway 172.20.104.1) goes to the outside
> world and the other (eth1 - address/gateway 192.168.0.1) connects to
> an internal LAN. There is a DHCP server running on eth1, and that all
> works fine.
>
> On the other end of eth0 is a proxy server that I know nothing about
> other than the IP and port number. I've configured squid with a parent
> cache, the ACL to allow the LAN addresses through, it seems to be
> working because if I connect a client machine to eth1 and enter the
> proxy details for the squid box it will browse the internet with no
> problems.

You just said this was "for external users". Did you mean
internal/LAN users? The requirements and limits are very different.

>
> However, I cannot get the squid box to run as a transparent proxy (if
> I remove the proxy details from the client it ceases to work).
>
> I added the 'http_port 3128 transparent' to the squid.conf file but no
> joy, I read this command has now been deprecated and to use the
> 'http_port 3128 intercept' command instead, again, this doesn't work.

Correct. All it does is tell Squid what type of traffic is going to
arrive and to contact the NAT table for further information about new
connections.

Also, it is unsafe to set the flags on port 3128. There are at least two
popular pieces of software around which scan port 80 and 3128 for transparent
proxies to abuse. Pick a random port for Squid and consider it a secret
for use only between squid and iptables. The main 3128 can stay open for
management or normal proxy traffic if you like.

<snip failures>
> None of these work (obviously)
>
> Can anyone help?

  http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
OR
  http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Fri May 27 2011 - 16:00:32 MDT
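
Added example, not part of the original message and not Squid project code: a small audit of the two points in the reply, that the interception flag should not sit on a commonly scanned port and that the NAT rule must deliver traffic to the port that carries the flag. The port 3129, the function names, and the sample squid.conf and iptables-save lines are constructed assumptions.

```python
import re

SCANNED_PORTS = {80, 3128}   # ports the reply says scanners probe
INTERCEPT_FLAGS = {"intercept", "transparent", "tproxy"}

def parse_http_ports(squid_conf):
    """Return {port: set(flags)} for every http_port line in squid.conf text."""
    ports = {}
    for line in squid_conf.splitlines():
        fields = line.split("#", 1)[0].split()        # drop trailing comments
        if len(fields) >= 2 and fields[0] == "http_port":
            port = int(fields[1].rsplit(":", 1)[-1])  # accepts "port" or "ip:port"
            ports[port] = set(fields[2:])
    return ports

def audit(squid_conf, nat_rules):
    """Compare intercept ports with scanned ports and NAT REDIRECT targets."""
    ports = parse_http_ports(squid_conf)
    intercept = {p for p, flags in ports.items() if flags & INTERCEPT_FLAGS}
    findings = []
    for p in sorted(intercept & SCANNED_PORTS):
        findings.append(f"http_port {p}: interception flag on a commonly scanned port")
    # iptables-save prints the REDIRECT target as "--to-ports N"
    for target in re.findall(r"-j REDIRECT --to-ports? (\d+)", nat_rules):
        if int(target) not in intercept:
            findings.append(f"REDIRECT to {target}: no intercept http_port listens there")
    if not intercept:
        findings.append("no http_port carries an interception flag")
    return findings

# Constructed samples (not from the thread); 3129 stands in for a random port.
WEAK_CONF = "http_port 3128 intercept\n"
FIXED_CONF = "http_port 3128\nhttp_port 3129 intercept\n"
NAT_RULES = "-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(conf, NAT_RULES) or "ok")
```
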
