Re: [squid-users] HTTP/HTTPS transparent proxy doesn't work

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 13 Aug 2014 17:53:40 +1200

On 13/08/2014 4:33 p.m., agent_js03 wrote:
> Hello,
>
> I am having trouble with my squid setup. Here is exactly what I am trying to
> do: I am setting up a VPN server and I want all VPN traffic to be
> transparently proxied by squid with ssl bumping enabled. Right now when I
> try to do this I get an access denied page from the client.
>
> Here are lines from my squid.conf:
>
> =================================================
> acl localnet src 192.168.1.0/24 # local network
> acl localnet src 192.168.3.0/24 # vpn network
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 192.168.1.145:3127 intercept
> http_port 192.168.1.145:3128 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> key=/etc/squid3/ssl/private.pem cert=/etc/squid3/ssl/public.pem
> always_direct allow all
> ssl_bump allow all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> =================================================
>
> Here are my iptables rules:
>
> =================================================
> sysctl -w net.ipv4.ip_forward=1
> iptables -F
> iptables -t nat -F
>
> # transparent proxy for vpn
> iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j DNAT
> --to-destination 192.168.1.145:3127
> iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 443 -j DNAT
> --to-destination 192.168.1.145:3128
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> iptables --table nat --append POSTROUTING --out-interface ppp+ -j MASQUERADE
> iptables -I INPUT -s 192.168.3.0/24 -i ppp+ -j ACCEPT
> iptables --append FORWARD --in-interface eth0 -j ACCEPT
>
> =================================================
>
>
> When I connect to VPN and try to browse the web I get the following error in
> /etc/squid3/cache.log on the vpn server:
>
> 2014/08/12 21:21:02 kid1| ERROR: No forward-proxy ports configured.
> 2014/08/12 21:21:02 kid1| WARNING: Forwarding loop detected for:
> GET /Artwork/SN.png HTTP/1.1
> Host: www.squid-cache.org
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101
> Firefox/30.0
> Accept: image/png,image/*;q=0.8,*/*;q=0.5
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://www.google.com/
> Via: 1.1 localhost (squid/3.2.11)
> X-Forwarded-For: 127.0.0.1
> Cache-Control: max-age=259200
> Connection: keep-alive
>
>
> 2014/08/12 21:21:02 kid1| ERROR: No forward-proxy ports configured.
>
>
>
> I am wondering about this error "No forward-proxy ports configured." What do
> I need to change about my squid.conf that would allow me to do transparent
> proxying?

1) "ERROR: No forward-proxy ports configured."

This is getting to be a FAQ. I've added a wiki page about it.
http://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts

2) "WARNING: Forwarding loop detected for:"

This is a side effect of the above problem. Forwarding loop fetching the
error page artwork directly from an intercept port.

Amos
Received on Wed Aug 13 2014 - 05:53:59 MDT
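The two messages above come down to one configuration rule: every `http_port` in the quoted squid.conf is in `intercept` mode, so Squid has no plain forward-proxy port to use for its own internal requests (the error-page artwork), and the request it generates is caught again by the DNAT rules, producing the loop. The following script is an added example, not code from Amos or the Squid project; it applies that rule to the poster's config and iptables rules as a pre-deployment check. It assumes that an `http_port`/`https_port` directive carrying none of the `intercept`, `tproxy` or `accel` flags is a forward-proxy port, and that `\` at end of line continues a squid.conf directive. The sample inputs are the directives from the thread, re-joined onto single lines where the mail client wrapped them, plus a constructed corrected config that adds `http_port 3129` (the port number is an assumption).

```python
import re

# Constructed sample: the http_port lines quoted in the thread, re-joined
# where the mail client wrapped the ssl-bump directive.
SQUID_CONF_ORIGINAL = """\
acl localnet src 192.168.1.0/24 # local network
acl localnet src 192.168.3.0/24 # vpn network
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 192.168.1.145:3127 intercept
http_port 192.168.1.145:3128 intercept ssl-bump \\
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \\
  key=/etc/squid3/ssl/private.pem cert=/etc/squid3/ssl/public.pem
ssl_bump allow all
"""

# Constructed corrected config: one plain forward-proxy port (3129 is an
# assumed, unused port) that no iptables rule redirects traffic to.
SQUID_CONF_FIXED = SQUID_CONF_ORIGINAL + "http_port 3129\n"

# Constructed sample: the DNAT rules from the thread, re-joined onto one line.
IPTABLES_RULES = """\
iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j DNAT --to-destination 192.168.1.145:3127
iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 443 -j DNAT --to-destination 192.168.1.145:3128
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
"""

# Flags that put a listening port into a non-forward mode (assumed rule).
MODE_FLAGS = {"intercept", "tproxy", "accel"}

DNAT_RE = re.compile(r"--to-destination\s+\S*?:(\d+)\b")
REDIRECT_RE = re.compile(r"--to-ports?\s+(\d+)\b")


def parse_http_ports(conf_text):
    """Return (directive, port_spec, flags) for each http_port/https_port.

    Backslash continuations are joined first and '#' comments stripped.
    """
    text = conf_text.replace("\\\n", " ")
    ports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("http_port", "https_port") or len(parts) < 2:
            continue
        ports.append((parts[0], parts[1], set(parts[2:])))
    return ports


def port_number(spec):
    """'192.168.1.145:3127' -> 3127, '3129' -> 3129, '[::1]:3128' -> 3128."""
    return int(spec.rsplit(":", 1)[-1])


def forward_proxy_ports(conf_text):
    """Ports with no interception/acceleration flag: usable for Squid's own requests."""
    return [(d, spec) for d, spec, flags in parse_http_ports(conf_text)
            if not (flags & MODE_FLAGS)]


def redirected_ports(iptables_text):
    """Port numbers that DNAT/REDIRECT rules send intercepted traffic to."""
    found = {int(m.group(1)) for m in DNAT_RE.finditer(iptables_text)}
    found |= {int(m.group(1)) for m in REDIRECT_RE.finditer(iptables_text)}
    return found


def check_config(conf_text, iptables_text=""):
    """Return a list of problems; an empty list means the two checks pass."""
    problems = []
    fwd = forward_proxy_ports(conf_text)
    if not fwd:
        problems.append("ERROR: No forward-proxy ports configured; add a plain "
                        "http_port with no intercept/tproxy/accel flag.")
    redirected = redirected_ports(iptables_text)
    for directive, spec in fwd:
        # A forward port that is also a DNAT target would re-enter intercept
        # handling for Squid's own requests, the loop seen in cache.log.
        if port_number(spec) in redirected:
            problems.append("ERROR: forward-proxy %s %s is also an iptables "
                            "redirect target" % (directive, spec))
    return problems


if __name__ == "__main__":
    for label, conf in (("original", SQUID_CONF_ORIGINAL), ("fixed", SQUID_CONF_FIXED)):
        print(label, check_config(conf, IPTABLES_RULES) or ["ok"])
```

Run against the original config the checker reports the same "No forward-proxy ports configured" condition Squid logs; with the extra plain port it passes, and it would fail again if someone later pointed a DNAT rule at that port.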
