[squid-users] Traffic redirection to squid socket

Amos Jeffries squid3 at treenet.co.nz
Fri Jun 5 19:22:24 UTC 2015


On 6/06/2015 12:03 a.m., Edx gmail wrote:
> Hi,
> I am using squid on OpenWrt (Chaos Calmer) and want to redirect all requests for 
> port 80 to 3128 port of squid so that I can filter the traffic there on squid 
> box. I am using wpad for auto proxy and want non-proxy user's traffic for port 
> 80 to go to squid socket which is in my case 192.168.1.1:3128
> 
> I have included
> "http_port 3128 intercept" in squid.conf
> and also made rule in firewall
> config redirect
>          option src 'lan'
>          option src_dport '80'
>          option src_ip '!192.168.1.1'
>          option dest 'wan'
>          option dest_port '3128'
>          option dest_ip '192.168.1.1'
>          option proto 'tcp'
>          option target 'DNAT'
> 
> Using the above configuration I am able to fulfill my purpose, but if I do so 
> then users with auto proxy in their browsers can't access the internet at all, while 
> in access.log it shows everything perfect.


You SHOULD NOT use port 3128 for receiving intercepted port 80 HTTP
origin traffic. It is registered officially for HTTP proxy traffic and
you can't mix the two traffic types.

Select a non-3128 port of your choice for Squid to listen for the
intercepted traffic. That will also allow easy firewalling without
showing port scanners that Squid is using it.
 <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat>

Also, note that the NAT operations MUST be done on the Squid machine.
Squid requires internal access to the kernel NAT system records to
intercept safely; you can't do that across machines.


Amos
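
Added example, not part of the original messages: the setup the reply describes, with the forward-proxy port and the intercept port separated on the Squid box itself. Port 3129 is an assumed choice, the redirect is the poster's own rule with only dest_port changed, and the final rule assumes an iptables-based firewall with a custom-rules file (on OpenWrt typically /etc/firewall.user).

```conf
# --- squid.conf (on the Squid box, 192.168.1.1) ---

# Before (from the post): one port asked to serve both traffic types.
# Browsers configured via WPAD send proxy-style requests here and fail.
# http_port 3128 intercept

# After: 3128 stays a normal forward-proxy port for WPAD clients ...
http_port 3128
# ... and a separate port receives only NAT-intercepted port 80 traffic.
# 3129 is an assumed choice; any unused non-3128 port works.
http_port 3129 intercept

# --- /etc/config/firewall (same box, so the NAT records are local to Squid) ---
# The poster's redirect, unchanged except for dest_port.
config redirect
        option src 'lan'
        option src_dport '80'
        option src_ip '!192.168.1.1'
        option dest 'wan'
        option dest_port '3129'
        option dest_ip '192.168.1.1'
        option proto 'tcp'
        option target 'DNAT'

# --- custom iptables rule (assumed location: /etc/firewall.user) ---
# Drop connections made directly to the intercept port. Clients should only
# reach 3129 through the DNAT above; the mangle table's PREROUTING chain is
# traversed before the nat table, so redirected port 80 traffic still has
# destination port 80 at this point and is not affected.
iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
```

After reloading Squid and the firewall, WPAD clients keep using 192.168.1.1:3128, and access.log should show both kinds of request being served.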

