[squid-users] Transparent Squid Proxy Server

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 2 14:34:59 UTC 2015


On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:
> I have this in my squid server for it to work:

The key words there are ... *in my Squid server*

Reet did it on the router. Which was the first mistake.

The router needs routing rules (not NAT) to deliver the client's packets
to the Squid machine, where the interception happens like below.

The second mistake was http_port configuration. Squid requires two
http_port lines. Port 3128 for regular proxy traffic, and another random
port for interception (our how-tos use 3129).


> *mangle
> :PREROUTING ACCEPT [190:618576]
> :INPUT ACCEPT [190:618576]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [163:41506]
> :POSTROUTING ACCEPT [166:42334]
> -A PREROUTING -d $myip/32 -p tcp -m multiport --dports 3129 -m comment
> --comment "002 drop squid direct traffic http - we only allow captured
> traffic" -j DROP
> -A PREROUTING -d $myip/32 -p tcp -m multiport --dports 3130 -m comment
> --comment "002 drop squid direct traffic https - we only allow captured
> traffic" -j DROP
> COMMIT


NOTE to Klavs:
  loading the "multiport" kernel module seems overkill for a single-port
match.

> # Completed on Wed Apr  1 10:28:22 2015
> # Generated by iptables-save v1.4.21 on Wed Apr  1 10:28:22 2015
> *nat
> :PREROUTING ACCEPT [1:36]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [30:2079]
> :POSTROUTING ACCEPT [30:2079]
> -A PREROUTING -s $myip/32 -p tcp -m multiport --dports 80 -m comment
> --comment "000 allow squid http - so its traffic does not get captured"
> -j ACCEPT
> -A PREROUTING -s $myip/32 -p tcp -m multiport --dports 443 -m comment
> --comment "000 allow squid https - so its traffic does not get captured"
> -j ACCEPT
> -A PREROUTING -p tcp -m multiport --dports 80 -m comment --comment "001
> capture http to squid" -j DNAT --to-destination $myip:3129
> -A PREROUTING -p tcp -m multiport --dports 443 -m comment --comment "001
> capture https to squid" -j DNAT --to-destination $myip:3130
> COMMIT
> # Completed on Wed Apr  1 10:28:22 2015
> # Generated by iptables-save v1.4.21 on Wed Apr  1 10:28:22 2015
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1:184]
> -A INPUT -p tcp -m multiport --ports 3129 -m comment --comment "000
> allow squid http intercept" -j ACCEPT
> -A INPUT -p tcp -m multiport --ports 3130 -m comment --comment "000
> allow squid https intercept" -j ACCEPT
> -A INPUT -p tcp -m multiport --ports 3128 -m comment --comment "000
> allow squid proxy" -j ACCEPT
> 
> and squid conf (mind you - squid 3.4)
> ssl_bump                       server-first all
> sslproxy_flags                 DONT_VERIFY_PEER
> sslcrtd_children               8 startup=1 idle=1
> sslcrtd_program                /usr/lib64/squid/ssl_crtd -s
> /etc/ssl/certs/cache/ -M 4MB
> https_port                     3130 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> key=/etc/squid/ca.private cert=/etc/squid/ca.cert
> shutdown_lifetime              3
> always_direct                  allow all
> sslproxy_cert_error            allow all
> http_port                      3129 intercept
> 

FYI: DONT_VERIFY_PEER, "always_direct allow all", and
"sslproxy_cert_error allow all" have not been good ideas since 3.2.
dont-verify actually inhibits the Mimic functions which give
server-first bumping most of its usefulness.



> Reet Vyas wrote on 06/02/2015 02:31 PM:
>> I am trying to configure transparent squid proxy on ubuntu 14.04 Server
>> and squid 3.3 version I am using
>>
>> My Lan and Wan settings
>>
>> eth0      Link encap:Ethernet  HWaddr 00:1e:67:cf:59:74
>>            inet addr:116.72.*.*  Bcast:116.72.155.255  Mask:255.255.252.0
>>            inet6 addr: fe80::21e:67ff:fecf:5974/64 Scope:Link
>>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>            RX packets:238950 errors:0 dropped:0 overruns:0 frame:0
>>            TX packets:236104 errors:0 dropped:0 overruns:0 carrier:0
>>            collisions:0 txqueuelen:1000
>>            RX bytes:22219047 (22.2 MB)  TX bytes:17390502 (17.3 MB)
>>            Interrupt:16 Memory:d0a00000-d0a20000
>>
>> eth1      Link encap:Ethernet  HWaddr 00:1e:67:cf:59:75
>>            inet addr:192.168.0.200  Bcast:192.168.0.255 
>> Mask:255.255.255.0
>>            inet6 addr: fe80::21e:67ff:fecf:5975/64 Scope:Link
>>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>            RX packets:96965 errors:0 dropped:0 overruns:0 frame:0
>>            TX packets:11785 errors:0 dropped:0 overruns:0 carrier:0
>>            collisions:0 txqueuelen:1000
>>            RX bytes:10764615 (10.7 MB)  TX bytes:7151763 (7.1 MB)
>>            Interrupt:17 Memory:d0900000-d0920000


Er, thems not settings. Thems traffic statistics.

Not that it matters, but give these a try:
 ip addr show
 ip -4 route show
 ip -6 route show


>>
>> my squid.conf file
>>
>> acl mynet src 116.72.152.37 192.168.0.0/16 <http://192.168.0.0/16>    #
>> RFC1918 possible internal network
>> acl SSL_ports port 443
>> acl Safe_ports port 80        # http
>> acl Safe_ports port 21        # ftp
>> acl Safe_ports port 443        # https
>> acl Safe_ports port 70        # gopher
>> acl Safe_ports port 210        # wais
>> acl Safe_ports port 1025-65535    # unregistered ports
>> acl Safe_ports port 280        # http-mgmt
>> acl Safe_ports port 488        # gss-http
>> acl Safe_ports port 591        # filemaker
>> acl Safe_ports port 777        # multiling http
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow mynet
>> http_access allow localhost
>> http_access allow all
>> http_port 3128

One listening port set up to receive explicit proxy traffic (ie from a
manually configured browser).

... missing an intercept port.


>> cache_dir ufs /usr/local/cache 10000 16 256
>> coredump_dir /var/spool/squid3
>> refresh_pattern ^ftp:        1440    20%    10080
>> refresh_pattern ^gopher:    1440    0%    1440
>> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
>> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
>> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600       90%     43200
>> refresh_pattern .        0    20%    4320
>>
>>
>> but when I use 192.168.0.200 in my client machine as gateway ...
>> internet is not working and I cant see logs in access.log
>>
>> But when I use this IP in my browser it is working and showing logs but
>> with my tplink router  gateway i.e 192.168.0.1.
>>
>> IPTable rules :
>> num  target     prot opt source               destination
>> 1    DNAT       tcp  --  anywhere             anywhere             tcp
>> dpt:http to:192.168.0.200:3128 <http://192.168.0.200:3128>
>> 2    REDIRECT   tcp  --  anywhere             anywhere             tcp
>> dpt:http redir ports 3128
>>
>> Chain INPUT (policy ACCEPT)
>> num  target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> num  target     prot opt source               destination
>>
>> Chain POSTROUTING (policy ACCEPT)
>> num  target     prot opt source               destination
>>
>>
>> Please tell me what I am missing in IPtables and squid3 configuration .
>> I tried both transparent as well as intercept option but I think I have
>> issue with iptables or may be configuration issue.
>>


see the wiki page(s):

One of these two configs on the router:
 <http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute>


This one on the Squid box:
 <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>

Amos
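As an added example (not part of Amos's reply, Klavs's ruleset, or the Squid project's own tooling), the script below checks a squid.conf for the two problems called out above, a missing intercept http_port and the discouraged SSL settings, and prints the two-port layout plus the iptables REDIRECT rules that belong on the Squid box itself, modelled on the LinuxRedirect wiki page linked above. SQUID_IP, LAN_IF and the port numbers are assumptions for the example (the address and interface are taken from Reet's ifconfig output); the iptables commands are printed for review, never executed.

```shell
#!/bin/sh
# Added example: lint a squid.conf for the mistakes discussed in the thread
# and generate the Squid-box REDIRECT rules. Nothing here touches iptables.

# Assumed values for the example (from Reet's ifconfig output).
SQUID_IP="${SQUID_IP:-192.168.0.200}"   # Squid box LAN address
LAN_IF="${LAN_IF:-eth1}"                # interface facing the clients
PROXY_PORT=3128                         # explicit (browser-configured) proxy
INTERCEPT_PORT=3129                     # intercept port, as in the wiki how-tos

# flag_directive TEXT REGEX LABEL: return 1 and report when REGEX matches
# the start of a line in TEXT.
flag_directive() {
    if printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2"; then
        echo "DISCOURAGED: $3 (see sslproxy notes above)"
        return 1
    fi
    return 0
}

# check_squid_conf FILE: return 0 when the config has one explicit http_port,
# one intercept http_port and none of the discouraged SSL settings;
# otherwise print each finding and return 1.
check_squid_conf() {
    conf="$1"
    rc=0
    # Drop comments so a commented-out http_port does not count.
    stripped=$(sed 's/#.*//' "$conf")
    ports=$(printf '%s\n' "$stripped" | grep -E '^[[:space:]]*http_port' || true)
    n_explicit=$(printf '%s\n' "$ports" | grep -E 'http_port' | grep -Evc 'intercept|tproxy|transparent' || true)
    n_intercept=$(printf '%s\n' "$ports" | grep -Ec 'intercept|tproxy|transparent' || true)
    if [ "$n_explicit" -eq 0 ]; then
        echo "MISSING: explicit http_port (e.g. http_port $PROXY_PORT)"
        rc=1
    fi
    if [ "$n_intercept" -eq 0 ]; then
        echo "MISSING: intercept http_port (e.g. http_port $INTERCEPT_PORT intercept)"
        rc=1
    fi
    flag_directive "$stripped" 'sslproxy_flags[[:space:]]+DONT_VERIFY_PEER' 'sslproxy_flags DONT_VERIFY_PEER' || rc=1
    flag_directive "$stripped" 'sslproxy_cert_error[[:space:]]+allow[[:space:]]+all' 'sslproxy_cert_error allow all' || rc=1
    flag_directive "$stripped" 'always_direct[[:space:]]+allow[[:space:]]+all' 'always_direct allow all' || rc=1
    return $rc
}

# print_squid_ports: the two http_port lines Squid needs.
print_squid_ports() {
    printf 'http_port %s\n' "$PROXY_PORT"
    printf 'http_port %s intercept\n' "$INTERCEPT_PORT"
}

# gen_iptables_redirect: REDIRECT-model rules for the Squid box, printed for
# review. Single-port matches use --dport rather than the multiport module.
gen_iptables_redirect() {
    # Same intent as the "000 allow squid http" rule in the quoted ruleset:
    # packets sourced from the Squid box are never captured again.
    printf 'iptables -t nat -A PREROUTING -s %s -p tcp --dport 80 -j ACCEPT\n' "$SQUID_IP"
    # Port-80 traffic arriving from the LAN side is sent to the intercept port.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$LAN_IF" "$INTERCEPT_PORT"
    # mangle runs before nat, so only packets addressed directly to the
    # intercept port match here; captured traffic still shows dport 80.
    printf 'iptables -t mangle -A PREROUTING -p tcp --dport %s -j DROP\n' "$INTERCEPT_PORT"
    # Explicit proxy clients connect to the regular port.
    printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$PROXY_PORT"
}

# Usage: sh lint-squid.sh /etc/squid/squid.conf
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    check_squid_conf "$1" && echo "OK: $1 has explicit and intercept ports"
    echo "--- suggested ports ---"; print_squid_ports
    echo "--- suggested Squid-box rules ---"; gen_iptables_redirect
fi
```

Run against Reet's squid.conf the script reports the missing intercept port; run against Klavs's it accepts the port layout but flags DONT_VERIFY_PEER, sslproxy_cert_error and always_direct. The generated rules are the Squid-box half only; the router still needs the policy-routing setup from the IptablesPolicyRoute page.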

