Re: [squid-users] Re: How to make Squid 3.3.8 a transparent proxy?

From: Tobias Krais <tux-spam_at_design-to-use.de>
Date: Sat, 19 Apr 2014 21:35:03 +0200

Hi babajaga,

>> ....HIER_DIRECT/127.0.0.1 ...<
> Strange enough, squid forwards the request to 127.0.0.1 ....

Is there a possibility to tell squid to stop forwarding?

> I am not sure, whether you need 2 ports to be specified:
> http_port 3129
> http_port 3128 intercept

I tried it, but it still does not work. Same error. Here is my current
squid.conf:
-----%<-----
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# http_access deny !Safe_ports
# http_access deny CONNECT !SSL_ports
# http_access allow localhost manager
# http_access deny manager
# http_access allow localhost
# http_access deny all
http_access allow all
http_port 3127
http_port 3128 intercept
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
-----%<-----

> In your setup, you need special firewall rules, to avoid a loop:
> DG forwards to port 80, squid intercepts, forwards to port 80, NO INTERCEPT
> THEN (hopefully)
> So you should post firewall rules, as well.

Here it is:
-----%<-----
# First: forbid direct connections to the proxies
iptables -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner dansguardian -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -j REJECT
iptables -A OUTPUT -p tcp --dport 8100 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp --dport 8100 -j REJECT

# No proxy is needed for the following networks
iptables -t nat -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
iptables -t nat -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
iptables -t nat -A OUTPUT -d 127.0.0.1 -j ACCEPT

# Aqbanking does not support proxies: allow some HBCI IPs
iptables -A OUTPUT -d 193.110.133.32 -j ACCEPT
iptables -A OUTPUT -d 195.140.47.194 -j ACCEPT
iptables -A OUTPUT -d 195.145.106.77 -j ACCEPT
iptables -A OUTPUT -d 195.145.106.98 -j ACCEPT
iptables -A OUTPUT -d 212.184.124.125 -j ACCEPT
iptables -A OUTPUT -d 213.95.18.77 -j ACCEPT
iptables -A OUTPUT -d 213.95.18.98 -j ACCEPT
iptables -A OUTPUT -d 213.95.70.61 -j ACCEPT
iptables -A OUTPUT -d 217.115.75.100 -j ACCEPT

# Rules to reject HTTPS without Dansguardian
iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner proxy -j ACCEPT
iptables -A OUTPUT -p udp --dport 443 -m owner --uid-owner proxy -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j REJECT
iptables -A OUTPUT -p udp --dport 443 -j REJECT

# Automatically send port 80 traffic to Dansguardian
# Accept traffic from root
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
# ... redirect all other users to port 8080
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p udp --dport 80 -j REDIRECT --to-port 8080
-----%<-----
But even without flushing all rules and setting the proxy manually -
same error...

> Otherwise:
> I always did it the other way:
> client --- (transparent) squid ---DG --web
> because
> 1) client does not need to specify proxy explicitly (in your setup, a MUST)
> 2) no need to cache content, later on blocked by DG
> 3) Not sure any more, whether DG supports parent proxy

With squid 3.1.20 it works perfectly. Thus I think it should work with
squid 3.3.8, too. Here is the relevant part of my dansguardian.conf:
-----%<-----
# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128
-----%<-----
Dansguardian forwards correctly to squid. The dansguardian part works
(and blocks) perfectly.

> Then my setup matched the rules in
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

I read this link also. That is why I made the change from "transparent"
to "intercept".

My scenario is a bit different from that on the link: client and server
are the same machine.

> Only the line
> cache_peer 127.0.0.1 parent DG-port 0 no-query no-digest no-netdb-exchange
> to be added to squid.conf

Now I added this line at the end of the squid.conf file. But still no
change.

Do you have any other ideas?

Greetings,

Tobi
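Added example, not from the thread and not a Squid or DansGuardian tool: a small Python detector over Squid's native access.log that flags entries where the proxy went HIER_DIRECT to an address of its own host, the symptom quoted at the top of this message (HIER_DIRECT/127.0.0.1). Entries that reach 127.0.0.1 through a configured parent (FIRSTUP_PARENT and similar codes, which is what the suggested cache_peer line pointing at DansGuardian would produce) are deliberately not flagged, since forwarding to a loopback peer is intended there. The log lines are constructed; the LOCAL_ADDRS set and the 198.51.100.7 upstream address are assumptions.

```python
"""Flag Squid access.log entries where Squid forwarded a request straight
back to its own host (a forwarding loop), while tolerating deliberate
forwarding to a cache_peer that lives on loopback.

Squid native access.log format (whitespace separated):
  time elapsed client code/status bytes method URL user hierarchy/host type
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Addresses on which this proxy host accepts connections. 127.0.0.1 is the
# one seen in the thread; the rest are assumptions for a typical single box.
LOCAL_ADDRS = frozenset({"127.0.0.1", "::1", "localhost"})

# Hierarchy codes meaning "sent to a configured peer" (e.g. a cache_peer
# entry for DansGuardian on 127.0.0.1). Reaching loopback this way is intended.
PEER_CODES = frozenset({
    "FIRSTUP_PARENT", "DEFAULT_PARENT", "ROUNDROBIN_PARENT", "ANY_OLD_PARENT",
    "SINGLE_PARENT", "SIBLING_HIT", "PARENT_HIT", "CARP",
    "SOURCEHASH_PARENT", "USERHASH_PARENT", "PINNED",
})


@dataclass
class AccessEntry:
    timestamp: float
    client: str
    result: str       # e.g. TCP_MISS
    status: int       # HTTP status code
    method: str
    url: str
    hier_code: str    # e.g. HIER_DIRECT
    hier_host: str    # where Squid actually connected, "-" if nowhere


def parse_access_line(line: str) -> Optional[AccessEntry]:
    """Parse one native-format line; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 9:
        return None
    try:
        timestamp = float(parts[0])
        result, status = parts[3].split("/", 1)
        hier_code, hier_host = parts[8].split("/", 1)
        return AccessEntry(timestamp, parts[2], result, int(status),
                           parts[5], parts[6], hier_code, hier_host)
    except ValueError:
        return None


def find_self_forwards(lines: Iterable[str],
                       local_addrs=LOCAL_ADDRS) -> List[AccessEntry]:
    """Return entries where Squid went DIRECT (not via a peer) to itself."""
    hits = []
    for line in lines:
        entry = parse_access_line(line)
        if entry is None or entry.hier_host == "-":
            continue
        if entry.hier_host in local_addrs and entry.hier_code not in PEER_CODES:
            hits.append(entry)
    return hits


# Constructed sample log: one loop (line 1), one normal upstream fetch,
# one deliberate hop to a loopback parent, one denied CONNECT, one junk line.
SAMPLE_LOG = """\
1397936103.410     12 127.0.0.1 TCP_MISS/403 3821 GET http://www.example.com/ - HIER_DIRECT/127.0.0.1 text/html
1397936104.002    231 127.0.0.1 TCP_MISS/200 15210 GET http://www.example.net/index.html - HIER_DIRECT/198.51.100.7 text/html
1397936105.117     40 127.0.0.1 TCP_MISS/200 512 GET http://www.example.org/ - FIRSTUP_PARENT/127.0.0.1 text/html
1397936106.500      0 127.0.0.1 TCP_DENIED/403 3600 CONNECT mail.example.com:443 - HIER_NONE/- text/html
garbage line that is not a squid log entry
"""

if __name__ == "__main__":
    for hit in find_self_forwards(SAMPLE_LOG.splitlines()):
        print(f"possible forwarding loop: {hit.method} {hit.url} "
              f"-> {hit.hier_code}/{hit.hier_host} (status {hit.status})")
```

Run it against a real log with `find_self_forwards(open("/var/log/squid3/access.log"))`; a non-empty result means Squid is dialling its own host without a peer being configured for it, which is the loop babajaga's firewall remark is about.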
Received on Sat Apr 19 2014 - 19:35:11 MDT
