[squid-users] Squid: forward to another squid server with authentication

Amaury Viera Hernández avhernandez at uci.cu
Wed Dec 16 00:03:12 UTC 2015 

Hello everyone. This is a more detailed explanation about my trouble:

I have two network cards:

a shared Wifi card(wlp2s0) : 10.42.0.1
a Network card with access to my LAN(enp4s0): 10.8.77.1

In short, I am looking for a simple way to do the following (please give code samples if possible):

Set up and start a transparent proxy server on my computer (wifi card, say that squid will listen at 10.42.0.1:3128) that can capture all web requests from my phone, once the http request from phone comes to this proxy, it will forward it to the university proxy (say address is 10.0.0.1:8080 with user and password authentication)

Note: Is posible that one of the authentication methods of my proxy server will be ntlm

Now, more details to fully explain my situation:

In my university, authentication is needed to pass through a proxy so that we can connect to the internet. I normally enter my active directory username/password to authenticate when the pop up appears in the web browser

Now, I want to connect my phone to my hared wifi(10.42.0.1) and using the network card with access to the lan(10.8.77.1), forward de http request of my phone to the proxy server in the university( 10.0.0.1:8080 with user and password authentication) because some application of my phone require a direct connection, without proxy and without proxy authentication. So, I am planning to set up a transparent proxy on my laptop to catch all requests from my phone. Of course, I don't need to use the proxy for local domains (uci.cu in this case)

I'm using ubuntu 15.10 with squid3 (3.3.8)

I have this configuration in squid.conf (This is very functional for local domain(without proxy authentications, against the local domains, for example: intranet.uci.cu, but for internet domains I need to authenticate(cache_peer my proxy with the proxy of my university)) )

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl localdst dstdomain
acl mi_red src 10.42.0.0/24
http_access allow mi_red
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
http_port 10.42.0.1:3128 transparent
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320
cache_mem 512 MB
cache_dir ufs /var/spool/squid3 2048 16 256
cache_effective_user proxy
cache_effective_group proxy
half_closed_clients off
maximum_object_size 1024 KB
cache_swap_low 90
cache_swap_high 95
memory_pools off
error_directory /usr/share/squid3/errors/es/
access_log /var/log/squid3/access.log squid
cache_peer 10.0.0.1 parent 8080 0 no-query default no-digest login=avhernandez:MyPass
never_direct allow all


I'm using this firewall script

#!/bin/sh
# IP del servidor SQUID
SQUID_SERVER="10.42.0.1"
# Interface conectada a Internet
INTERNET="enp4s0"
# Interface interna
LAN_IN="wlp2s0"
# Puerto Squid
SQUID_PORT="3128"

# Limpia las reglas anteriores
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Carga los modulos IPTABLES para NAT e IP con soporte conntrack
modprobe ip_conntrack
modprobe ip_conntrack_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Politica de filtro por defecto
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Acceso ilimitado a loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Permite UDP, DNS y FTP pasivo
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Establece el servidor como router para la red
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# acceso ilimiato a la LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# Redirige las peticiones de la red interna hacia el proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# Redirige la entrada al proxy
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

Best regards. Amaury.

More information about the squid-users mailing list