Re: [squid-users] Transparent proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 30 Nov 2013 22:56:52 +1300

On 30/11/2013 10:26 a.m., Monah Baki wrote:
> Hi all,
>
>
> I'm trying to setup a transparent proxy squid 3.3.9 using the following URL:
>
>
> http://www.broexperts.com/2013/03/squid-as-transparent-proxy-on-centos-6-4/
>
> What's the difference between
>
> http_port 3128 transparent

The above expects all arriving traffic to be in HTTP port 80 origin
server format. Used for receiving intercept-proxy traffic.

Also, the TCP level details are assumed to have passed through some form
of NAT system and need to be un-NAT'd before use. In Squid since 3.2 if
the original TCP details are not found in the NAT records some
restrictions are placed on what happens with the request and response.

> and
> http_port 3128
>

This one expects all arriving traffic to be in HTTP proxy format. Used
for receiving forward-proxy traffic.

>
> If I were to configure with http_port 3128 transparent and restart
> squid I get in my access.log file:
> ERROR: No forward-proxy ports configured.
>
> If I were to then browse, nothing happens.
>
> I am not running iptables by the way.

iptables or some other NAT system is mandatory for getting the traffic
to an intercept port. Squid is fetching the TCP details from the kernel
NAT records and using that as the preferred destination on outbound
connections.

As for the tutorial. It is broken in several major ways. Which for an
8-line example is remarkable in itself. Consider following the official
wiki configuration example instead
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

* The "transparent" option has been deprecated by the "intercept" option
since 2010.

* Using DNAT rules without matching SNAT rules prevents TCP reply
packets working at all. I'm not surprised half the comments are about it
"not working".

* Having both REDIRECT and DNAT rules on the same box is overkill
anyway. DNAT is best for machines with a static IP address, REDIRECT for
machines with dynamically assigned IP address or if writing examples for
complete newbies.

* Using port 3128 for the intercept port is a very BAD idea. There are
active attacks in the wild scanning for open proxy ports and intercept
without firewall protection on the port is ripe for attack. It should be
a secret port which you can firewall away from all access beyond the
machine itself. Only the NAT firewall and Squid need to use it.

HTH
Amos
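The setup Amos describes above (a separate forward-proxy port so Squid 3.2+ does not log "No forward-proxy ports configured", an "intercept" port instead of the deprecated "transparent" one, REDIRECT rather than DNAT on a box without a static address, and an intercept port firewalled away from everything but the local NAT rule and Squid) can be written down as a small POSIX shell script. This is an added example, not code from the thread, the linked tutorial or the Squid project. The LAN subnet 192.168.1.0/24, interface eth0, forward port 3128 and intercept port 3129 are assumed placeholder values; the functions only print the configuration and iptables commands so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project).
# Assumed values (override via the environment): LAN 192.168.1.0/24 on eth0,
# forward-proxy port 3128, intercept port 3129.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"
FWD_PORT="${FWD_PORT:-3128}"
ICP_PORT="${ICP_PORT:-3129}"

# Return 0 when the intercept port is a sensible "secret" choice: numeric,
# unprivileged, not the well-known proxy port 3128 and distinct from the
# forward-proxy port Squid also listens on.
check_intercept_port() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1024 ] || return 1
    [ "$port" -ne 3128 ] || return 1
    [ "$port" -ne "$FWD_PORT" ] || return 1
    return 0
}

# squid.conf port lines: one forward-proxy port (required since 3.2 even if
# clients never use it) plus the intercept port, flagged "intercept".
squid_port_lines() {
    printf 'http_port %s\n' "$FWD_PORT"
    printf 'http_port %s intercept\n' "$ICP_PORT"
}

# NAT rule: port-80 traffic from the LAN arriving on LAN_IF is rewritten to
# the intercept port.  REDIRECT keeps the mapping in the kernel NAT table, so
# Squid can read the original destination and reply packets are reverse
# translated automatically (the DNAT-without-SNAT failure does not arise).
nat_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$LAN_IF" "$LAN_NET" "$ICP_PORT"
}

# Firewall rule for the intercept port.  The mangle PREROUTING chain runs
# before nat PREROUTING, so a packet that already carries dport ICP_PORT on
# arrival was sent there directly (e.g. by a scanner looking for open
# proxies) and is dropped; redirected LAN packets still have dport 80 at this
# point and pass.  Only Squid and the NAT rule on this host ever see the port.
filter_rules() {
    printf 'iptables -t mangle -A PREROUTING -p tcp --dport %s -j DROP\n' "$ICP_PORT"
}

# Emit everything in the order it should be applied: firewall first, NAT
# second, so the intercept port is never exposed while rules are loading.
render_all() {
    check_intercept_port "$ICP_PORT" || {
        echo "refusing: $ICP_PORT is not a suitable intercept port" >&2
        return 1
    }
    echo "# squid.conf"
    squid_port_lines
    echo "# iptables"
    filter_rules
    nat_rules
}

# When run directly, print the generated lines for review.
case "$0" in
    *intercept*) render_all ;;
esac
```

Review the printed output, then pipe the iptables part to a root shell; the DROP rule in the mangle table also blocks loopback connections to the intercept port, which is fine because Squid's own outbound traffic never targets that port.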
Received on Sat Nov 30 2013 - 09:57:02 MST