Re: [squid-users] problem with squid 3.2 as transparent proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 26 Sep 2012 13:42:14 +1200

On 26.09.2012 08:02, Giovanni Rosini wrote:
> Hi everybody,
> on my server I have Linux CentOS 5.5 (kernel 2.6.18) and squid 3.2.0.12.
> I installed squid from source, using --enable-linux-netfilter option in
> configure command.
> As a normal proxy (enabled from browser) it works fine, but it doesn’t work
> in transparent mode.

Please upgrade to 3.2.1. Since you build from source it should be just
a matter of re-building from the newer sources and installing.

That will resolve the issues inside Squid which you are likely
encountering. There are possibly other issues in the network
configuration which also need to be fixed as well...

> Clients connect via wireless to a Linksys WRT54GL router (with DD-WRT),
> where packets are forwarded to the proxy server.

Forwarded or routed? The difference is critical.

Squid-3.2 is now *actually* performing "transparent" operations on
intercepted traffic (older Squid were doing some ALG translation more
akin to NAT). Right down to preserving packet destination IP where the
client was trying to contact. If your device is using NAT/NAPT (aka
'port forwarding') to re-write the packet destination to be Squid
IP:port then the needed TCP details are lost and Squid outgoing
connection will have problems using them.

The golden rule:
  * NAT (if any) to push packets into Squid *MUST* be done on the Squid
box itself. Not externally.

This config example was written specifically for OpenWRT and similar
Linux devices in your situation:
  http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

Please ensure your WRT device is configured to MARK and route packets
to Squid like above config. Do not NAT or port forward on that device.
The Squid box itself is where the NAT rules get configured.

NP: that CentOS kernel is too old to support TPROXYv4 but if you
upgrade you have the option of

> Until now, my system has been working with SQUID-2.6.STABLE21 without any
> problems.
> Now, if I use the transparent option in http_port tag (as I did until
> yesterday) browser tells me that connection is canceled,
> if I don’t specify that option, squid tells me “invalid url”.
> Can anyone help me?
>
> Thanks
> Giovanni
>

Amos
Received on Wed Sep 26 2012 - 01:42:22 MDT
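
The golden rule in the reply above can be checked mechanically on the router. The following is an added example, not part of the original message or the Squid wiki: a shell function that reads `iptables-save` output taken on the router, flags port-80 DNAT/REDIRECT rules, and confirms that a MARK rule exists instead. The sample rulesets, the `br0` interface name and the 192.0.2.10 proxy address are constructed for illustration.

```shell
#!/bin/sh
# Audit an `iptables-save` dump taken on the ROUTER (not on the Squid box).
# NAT rules there rewrite the destination to Squid's IP:port, so Squid 3.2
# loses the original destination IP. The router should only MARK and route.
# Returns 0 = OK, 1 = port-80 NAT found on router, 2 = no port-80 MARK rule.
# Limitation: only matches a literal "--dport 80", not multiport lists.
# Usage on the router:  iptables-save | audit_router_rules
audit_router_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }       # "*nat", "*mangle", ...
        /^-A / {
            line = $0 " "                           # pad so end-of-line matches too
            if (!index(line, " --dport 80 ")) next
            if (table == "nat" && line ~ / -j (DNAT|REDIRECT) /) {
                print "BAD  (NAT on router): " $0; nat++
            }
            if (table == "mangle" && line ~ / -j MARK /) {
                print "OK   (mark for policy routing): " $0; mark++
            }
        }
        END {
            if (nat) exit 1
            if (!mark) { print "WARN no port-80 MARK rule found"; exit 2 }
            exit 0
        }'
}

# Constructed sample: router port-forwards HTTP to Squid (the broken setup).
sample_dnat() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3128
COMMIT
EOF
}

# Constructed sample: router exempts the proxy itself and marks everything else.
sample_mark() {
cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x2/0xffffffff
COMMIT
EOF
}
```

A result of 1 means the rewrite rule belongs on the Squid box rather than the router; a result of 2 means intercepted traffic is not being policy-routed to the proxy at all.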
