[squid-users] squid-3.4.8 intercept

Amos Jeffries squid3 at treenet.co.nz
Wed Nov 19 05:18:19 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 19/11/2014 6:59 a.m., Frank wrote:
> Hi,
> 
> Since upgrading from 3.1.22 to 3.4.8 I have been unable to get the 
> transparent mode to accept my IP.  I am seeing permission denied in
> the transaction when I do a packet dump. I have read the
> documentation making changes for 3.4.8. I even allowed everything
> and no go.
> 
> I also compiled squid and here is my configure script:
> 
> ./configure \ --prefix=/usr/share/squid-3.4.8  \ 
> --libdir=/usr/lib${LIBDIRSUFFIX} \ --sysconfdir=/etc/squid \ 
> --localstatedir=/var/log/squid \ --datadir=/usr/share/squid-3.4.8
> \ --with-pidfile=/var/run/squid/squid.pid \ --mandir=/usr/man \ 
> --with-logdir=/var/log/squid \ --enable-snmp \ 
> --enable-ipf-transparent \ --enable-ipfw-transparent #
> --enable-auth="basic" \ #  --enable-basic-auth-helpers="NCSA" \ #
> --enable-linux-netfilter \ #  --enable-async-io \ #
> --disable-strict-error-checking
> 
> My machine the browser is on:
> 
> 66.159.32.31
> 
> The machine that is running squid:
> 
> 66.159.47.22
> 
> Here is my squid.conf
> 
> ===================================================================================
>
> 
> 
> # # Recommended minimum configuration: #
> 
> cache_effective_user  squid cache_effective_group  squid
> 
> # Example rule allowing access from your local networks. # Adapt to
> list your (internal) IP networks from where browsing # should be
> allowed acl localnet src all    # RFC1918 possible internal
> network

You are thus naming yourself the owner and operator with the *entire*
Internet as your LAN.


> #acl localnet src 66.159.32.0/24        # RFC1918 possible internal
> network #acl localnet src 108.161.167.0/24      # RFC1918 possible
> internal network #acl localnet src 66.159.47.0/24        # RFC1918
> possible internal network #acl localnet src 127.0.0.0/24  # RFC1918
> possible internal network
> 
> acl SSL_ports port 443 acl Safe_ports port 80          # http acl
> Safe_ports port 21          # ftp acl Safe_ports port 443         #
> https acl Safe_ports port 70          # gopher acl Safe_ports port
> 210         # wais acl Safe_ports port 1025-65535  # unregistered
> ports acl Safe_ports port 280         # http-mgmt acl Safe_ports
> port 488         # gss-http acl Safe_ports port 591         #
> filemaker acl Safe_ports port 777         # multiling http acl
> CONNECT method CONNECT
> 
> # # Recommended minimum Access Permission configuration: # # Deny
> requests to certain unsafe ports ########http_access deny
> !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports 
> ###########http_access deny CONNECT !SSL_ports
> 

Undo the above disabling. When accepting traffic from anywhere on the
Internt it becomes more critical than ever that you block malicious
port usage.


> # Only allow cachemgr access from localhost 
> ###############http_access allow localhost manager
> 
> ###############http_access deny manager
> 
> # We strongly recommend the following be uncommented to protect
> innocent # web applications running on the proxy server who think
> the only # one who can access services on "localhost" is a local
> user ############http_access deny to_localhost
> 
> # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS 
> # # Example rule allowing access from your local networks. # Adapt
> localnet in the ACL section to list your (internal) IP networks #
> from where browsing should be allowed
> 
> http_access allow localnet http_access allow localhost
> 
> # And finally deny all other access to this proxy #http_access deny
> all http_access allow all

You already allow localnet (aka 'all'). Undo this.

> 
> # Squid normally listens to port 3128 http_port 3128 http_port 3129
> intercept
> 
> always_direct allow all

This is irrelevant. You have no cache_peer setting to bypass.

<snip>
> ==================================================================================
>
> 
> 
> And I have configured my browser to use HTTP Proxy 66.159.47.22
> Port 3129

Boom!. There is the problem #1.

* "http_port 3128" is for explicitly configured browsers.

* "http_port 3129 intercept" is for NAT intercepted traffic.

You MUST NOT combine the two traffic types on one port. The
reject/deny you are seeing are just the tip of the iceberg of problems
when that happens.

> 
> I also setup iptables on my machine as follows and that didn't
> work either. Same permission denied.
> 
> 
> /sbin/iptables -t nat -A OUTPUT -p tcp -s 66.159.32.31 --dport 80
> -j DNAT --to 66.159.47.22:3129

DNAT/REDIRECT of traffic entering Squid *MUST* be performed on the
Squid machine itself.

Here is the config you shoudld be using:
 <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>


Use normal routing to get the traffic from your users machine(s) to
the proxy machine. There are some examples here:
 <http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute>

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUbCgJAAoJELJo5wb/XPRjvioIALkqGbHFtXCZpww3/i3IzuAC
PpcRaYAXSqJxKcdncoSxfBtHiig1OxyARdSDqJ/PWRLEuVBkOG/uL5fHD19gwRaN
6aOsO/IZu8+Fg7Fl+DLVkoVsOKeRj4guyJOBVyPAQXRyOEzpBe6N6WjCpDHVzh3c
iT5qVbHs9iHDZjy809OqUB5+bzL/PmgKeDrbnYpUlBKniehgP7LL86aim3tE9mc7
Kr00oltPEEGZ/gyuAp9zy2DiLYj+IYlE9NrkZE9/larCrZNLl4Vd4rRznxqhowQQ
6nJslTpOm63zg/f4UwGzOfCW7XdqZC0ZXunn04rQKbN/Z18teWvare0al/HUxyA=
=2boS
-----END PGP SIGNATURE-----

More information about the squid-users mailing list