squid transparent proxy fail

**and12345** · March 20th, 2009

hi all...
i've tried to setup my server as transparent proxy
the problem is the client have to set their browser to use proxy manually (port 3128),

here's my setting :
my ip 10.0.1.1 my server ip 10.0.0.10
eth0 --> INTERNET
eth1 --> LAN

my squid.conf :

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

acl apache rep_header Server ^Apache
acl Server src 10.0.0.1-10.0.0.5
acl Infotek src 10.0.1.1-10.0.1.7
acl DHCP src 10.0.9.1-10.0.9.100
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow !Server
http_access allow !Infotek
http_access deny all
broken_vary_encoding allow apache

refresh_pattern ^ftp: 10080 95% 241920 reload-into-ims override-lastmod
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod
quick_abort_min 0
quick_abort_max 0
quick_abort_pct 98
reload_into_ims on
pipeline_prefetch on
vary_ignore_expire on

shutdown_lifetime 10 second

memory_pools off
icp_hit_stale on
query_icmp on

# Port
http_port 10.0.0.10:3128 transparent
always_direct allow all

cache_mem 6 MB
cache_swap_low 98
cache_swap_high 99
maximum_object_size 1024 KB
minimum_object_size 4 KB
maximum_object_size_in_memory 32 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
log_icp_queries off
emulate_httpd_log on

cache_dir diskd /hdd2/cache1 4200 10 256 Q1=72 Q2=64
cache_dir diskd /hdd2/cache2 3000 10 256 Q1=72 Q2=64

#---------------- administration info ------------
visible_hostname myhome
cache_effective_user proxy
cache_effective_group proxy

my IPTABLES :

# Generated by iptables-save v1.3.8 on Sat Mar 21 00:36:48 2009
*mangle

REROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

OSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 21 00:36:48 2009
# Generated by iptables-save v1.3.8 on Sat Mar 21 00:36:48 2009
*nat
:INPUT - [0:0]

REROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

OSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
# LAN
-A INPUT -i eth1 -j ACCEPT
# loopback
-A INPUT -i lo -j ACCEPT
# existing connection
-A PREROUTING -i eth1 -j ACCEPT
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Sat Mar 21 00:36:48 2009
# Generated by iptables-save v1.3.8 on Sat Mar 21 00:36:48 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 21 00:36:48 2009

**Dr Small** · March 20th, 2009

Just a question,
Are there 2 computers involved, such as one as a server running Squid, and a client computer trying to connect to the server's Squid proxy?

**eric_stewart** · April 26th, 2009

Originally Posted by and12345

hi all...
i've tried to setup my server as transparent proxy
the problem is the client have to set their browser to use proxy manually (port 3128),

here's my setting :
my ip 10.0.1.1 my server ip 10.0.0.10
eth0 --> INTERNET
eth1 --> LAN

my squid.conf :

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

acl apache rep_header Server ^Apache
acl Server src 10.0.0.1-10.0.0.5
acl Infotek src 10.0.1.1-10.0.1.7
acl DHCP src 10.0.9.1-10.0.9.100
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow !Server
http_access allow !Infotek
http_access deny all
broken_vary_encoding allow apache

refresh_pattern ^ftp: 10080 95% 241920 reload-into-ims override-lastmod
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod
quick_abort_min 0
quick_abort_max 0
quick_abort_pct 98
reload_into_ims on
pipeline_prefetch on
vary_ignore_expire on

shutdown_lifetime 10 second

memory_pools off
icp_hit_stale on
query_icmp on

# Port
http_port 10.0.0.10:3128 transparent
always_direct allow all

cache_mem 6 MB
cache_swap_low 98
cache_swap_high 99
maximum_object_size 1024 KB
minimum_object_size 4 KB
maximum_object_size_in_memory 32 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
log_icp_queries off
emulate_httpd_log on

cache_dir diskd /hdd2/cache1 4200 10 256 Q1=72 Q2=64
cache_dir diskd /hdd2/cache2 3000 10 256 Q1=72 Q2=64

#---------------- administration info ------------
visible_hostname myhome
cache_effective_user proxy
cache_effective_group proxy

my IPTABLES :

# Generated by iptables-save v1.3.8 on Sat Mar 21 00:36:48 2009
*mangle

REROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

OSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 21 00:36:48 2009
# Generated by iptables-save v1.3.8 on Sat Mar 21 00:36:48 2009
*nat
:INPUT - [0:0]

REROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

OSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
# LAN
-A INPUT -i eth1 -j ACCEPT
# loopback
-A INPUT -i lo -j ACCEPT
# existing connection
-A PREROUTING -i eth1 -j ACCEPT
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Sat Mar 21 00:36:48 2009
# Generated by iptables-save v1.3.8 on Sat Mar 21 00:36:48 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 21 00:36:48 2009

Very frustrating isn't it? I have a mini how-to on my site for my setup which is a Cisco ASA firewall and a Squid 2.7 STABLE proxy server configured with WCCP2 for transparent proxy. Link is here: http://www.breezy.ca/?q=node/316 I'm using iptables for the redirection from the GRE tunnel (the tunnel is required!). I don't know/understand other firewall programs but a number of FAQs (cited in my linked article) helped somewhat.

/Eric

Thread: squid transparent proxy fail

Thread Tools

Display

squid transparent proxy fail

Re: squid transparent proxy fail

Re: squid transparent proxy fail

Tags for this Thread

Bookmarks

Bookmarks

Posting Permissions