[squid-users] squid 3.2 intercept and upstream proxy not working

From: Davide Alberani <davide.alberani_at_gmail.com>
Date: Wed, 8 Aug 2012 22:38:29 +0200

Hi,
I'm trying squid 3.2 (since I'll need some of the new features), but I'm
having trouble using it in intercept mode when it is used along with an
upstream proxy.

Requests are forwarded to squid, but never sent to the upstream proxy;
using squid directly (setting it in the browser), the requests are forwarded
to the upstream.
Notice that I'm sure enough that my iptables rules are correct, and that
the upstream proxy is correctly configured (simply, there's no traffic to it
when squid is used in transparent mode).
Using the same configuration with squid 3.1, the requests handled
in intercept mode are also forwarded to the upstream.

Any idea? Thanks!

These are the more meaningful parts of the configuration:

==========================================
http_port 172.30.0.16:18080 intercept
http_port 0.0.0.0:8080

server_persistent_connections off
half_closed_clients off

forwarded_for on

acl from_all src all
acl to_all dst all
acl from_localhost src 127.0.0.1/32
acl CONNECT method CONNECT
acl to_http_port port 80
acl to_proxy_port port 8080
acl to_internal_network dst 172.30.0.16

cache deny from_localhost
cache deny CONNECT
cache allow from_all

http_access allow from_localhost
http_access deny to_internal_network to_proxy_port
http_access deny from_all

http_reply_access allow from_localhost
http_reply_access deny from_all

visible_hostname off

# Dansguardian or an upstream proxy.
cache_peer 127.0.0.1 parent 9999 0 no-query no-digest no-netdb-exchange name=default login=*:password
cache_peer_access default deny from_localhost
cache_peer_access default deny from_all

never_direct deny from_localhost
never_direct allow from_all
==========================================

When used in intercept mode, squid handles the request by itself:
==> /var/log/squid/cache.log <==
2012/08/06 13:01:46.477 kid1| forward.cc(273) fwdStart: 'http://www.cnn.com/'
2012/08/06 13:01:46.477 kid1| forward.cc(101) FwdState: Forwarding client request local=157.166.255.18:80 remote=172.30.0.252:44700 FD 68 flags=33, url=http://www.cnn.com/
2012/08/06 13:01:46.478 kid1| forward.cc(160) selectPeerForIntercepted: opening a new conn: local=0.0.0.0 remote=157.166.255.18:80 flags=1
2012/08/06 13:01:46.478 kid1| forward.cc(317) startConnectionOrFail: http://www.cnn.com/
2012/08/06 13:01:46.478 kid1| fwdConnectStart: http://www.cnn.com/
2012/08/06 13:01:46.478 kid1| fwdConnectStart: got outgoing addr 0.0.0.0, tos 0, netfilter mark 0
2012/08/06 13:01:46.478 kid1| The AsyncCall fwdConnectDoneWrapper constructed, this=0xb81354a8 [call5533]

On the other hand, when set in the browser, the upstream is also used:
Aug 6 13:04:25 myname (squid-1): 1344251065.036 301 172.30.0.252 TCP_MISS/200 2565 GET http://www.cnn.com/ - FIRSTUP_PARENT/127.0.0.1 text/html

-- 
Davide Alberani <davide.alberani_at_gmail.com>  [PGP KeyID: 0x465BFD47]
http://www.mimante.net/
Received on Wed Aug 08 2012 - 20:38:36 MDT
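
The following is an added example, not part of the original post: a Python check that reads access.log records in the format quoted above and flags requests Squid forwarded without crossing the configured parent (here the filtering proxy on 127.0.0.1), which is the symptom described. Only the first sample line comes from the post; the others are constructed, and treating DIRECT, HIER_DIRECT and ORIGINAL_DST as "went direct" is this example's assumption.

```python
import re

# Native Squid access.log record, optionally behind a syslog prefix such as
# "Aug 6 13:04:25 myname (squid-1): " (the form quoted in the post).
RECORD = re.compile(
    r"(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s*$"
)

# Assumption: hierarchy codes meaning Squid contacted the origin itself.
DIRECT_CODES = {"DIRECT", "ORIGINAL_DST"}


def classify(line, parent="127.0.0.1"):
    """Return (client, url, verdict) for one record, or None if unparsable."""
    m = RECORD.search(line)
    if m is None:
        return None
    hier = m["hier"]
    if hier.startswith("HIER_"):          # newer releases prefix some codes
        hier = hier[len("HIER_"):]
    if "PARENT" in hier:
        verdict = "via-parent" if m["peer"] == parent else "wrong-parent"
    elif hier in DIRECT_CODES:
        verdict = "bypassed-parent"
    else:                                  # e.g. NONE: nothing was forwarded
        verdict = "not-forwarded"
    return m["client"], m["url"], verdict


def bypasses(lines, parent="127.0.0.1"):
    """Records that reached the network without crossing the parent."""
    found = (classify(line, parent) for line in lines)
    return [r for r in found if r and r[2] in ("bypassed-parent", "wrong-parent")]


SAMPLE = [
    # From the post (browser configured to use the proxy):
    "Aug 6 13:04:25 myname (squid-1): 1344251065.036 301 172.30.0.252 TCP_MISS/200 2565 GET http://www.cnn.com/ - FIRSTUP_PARENT/127.0.0.1 text/html",
    # Constructed: the same request taken in intercept mode and sent direct.
    "1344250906.480 212 172.30.0.252 TCP_MISS/200 2565 GET http://www.cnn.com/ - ORIGINAL_DST/157.166.255.18 text/html",
    # Constructed: answered from cache, no upstream contact at all.
    "1344251070.100 0 172.30.0.252 TCP_MEM_HIT/200 2565 GET http://www.cnn.com/ - HIER_NONE/- text/html",
    # Constructed: forwarded direct to a documentation-range address.
    "1344251071.200 95 172.30.0.252 TCP_MISS/200 512 GET http://example.org/ - HIER_DIRECT/192.0.2.10 text/html",
]

if __name__ == "__main__":
    for client, url, verdict in bypasses(SAMPLE):
        print(f"{verdict}: {client} -> {url}")
```

Run against a live access.log, any output means traffic is leaving without passing through the parent, whatever the never_direct rules were meant to enforce.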
