[squid-users] Re: HTTP/HTTPS transparent proxy doesn't work

From: agent_js03 <justinmschw_at_gmail.com>
Date: Fri, 15 Aug 2014 04:32:25 -0700 (PDT)

I upgraded to squid 3.3.8 with the same config and iptables, and everything
now works. I guess intercept just doesn't work with squid 3.2. However, now I
am having a different issue. I am running a content filter that interfaces
with squid through ICAP. I have a blockpage running on the same box at
192.168.1.145:8089 (192.168.1.145 is the IP of the proxy server). If I try
to access blocked content from my client, then the ICAP will do a reqmod and
change the URL to:
http://192.168.1.145:8089/blockpage.php?arg1=val1&arg2=val2
etc. This worked flawlessly when I had my browser configured to point
directly to the proxy server. But now that I am using transparent proxying, I
have different behavior: if I access blocked content, on the client side I get
a "connection reset by peer" error (104), and on the server in the access.log
I get a TCP_MISS/502 line. I am wondering why this would be any different with
transparent proxying. Based on my configuration, do you think this is a
problem with my access control in squid.conf or is it a problem with
iptables? Here is my configuration again:

*squid.conf*
acl localnet src 192.168.1.0/24 # local network
acl localnet src 192.168.3.0/24 # vpn network
http_access allow localnet
http_access allow localhost
http_access none all
http_port 3128
http_port 3129 intercept
http_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/ssl/private.pem cert=/etc/squid3/ssl/public.pem
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

*iptables*
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F

# transparent proxy for vpn
iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j REDIRECT --to-ports 192.168.1.145:3128
iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 443 -j REDIRECT --to-ports 3128

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables --table nat --append POSTROUTING --out-interface ppp+ -j MASQUERADE
iptables -I INPUT -s 192.168.3.0/24 -i ppp+ -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT

Thanks for all the help.

Received on Fri Aug 15 2014 - 11:32:26 MDT
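The posted configuration declares intercept ports 3129 (plain) and 3130 (ssl-bump), yet the nat rules send port 80 and 443 traffic to 3128, and the first rule passes an IP:port pair to REDIRECT, which only accepts a port number or range. The script below is an added example, not the poster's or the Squid project's code, showing nat rules that line up with the intercept ports from the squid.conf above. It assumes the proxy host is 192.168.1.145, that VPN clients arrive on ppp+, and that traffic addressed to the proxy host itself (including the block page on port 8089) should bypass interception; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: transparent-proxy NAT rules matching the intercept ports in
# the posted squid.conf. Assumed values: proxy host 192.168.1.145, VPN
# clients on ppp+, port 3128 left for explicitly configured browsers.
PROXY_IP="${PROXY_IP:-192.168.1.145}"
CLIENT_IF="${CLIENT_IF:-ppp+}"
HTTP_INTERCEPT_PORT=3129     # http_port 3129 intercept
HTTPS_INTERCEPT_PORT=3130    # http_port 3130 intercept ssl-bump

# Emit the nat rules as text (dry run) so they can be reviewed before use.
proxy_nat_rules() {
    # Traffic addressed to the proxy host itself (block page on 8089, the
    # explicit port 3128) must not be redirected into the intercept ports.
    echo "iptables -t nat -A PREROUTING -i $CLIENT_IF -d $PROXY_IP -j RETURN"
    # REDIRECT --to-ports takes a port number only, never an IP:port pair.
    echo "iptables -t nat -A PREROUTING -i $CLIENT_IF -p tcp --dport 80 -j REDIRECT --to-ports $HTTP_INTERCEPT_PORT"
    echo "iptables -t nat -A PREROUTING -i $CLIENT_IF -p tcp --dport 443 -j REDIRECT --to-ports $HTTPS_INTERCEPT_PORT"
}

# Apply the emitted rules one by one (requires root).
apply_proxy_nat_rules() {
    proxy_nat_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

# Check a --to-ports argument: a port or port range is valid, IP:port is not.
valid_to_ports() {
    case "$1" in
        *:*) return 1 ;;              # IP:port pair: rejected by iptables
        ""|*[!0-9-]*) return 1 ;;     # empty or non-numeric
        *) return 0 ;;
    esac
}
```

Run `proxy_nat_rules` to inspect the rules and `apply_proxy_nat_rules` as root to install them; `valid_to_ports` is a pre-flight check for the argument that was wrong in the posted rule set.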
