[squid-users] Transparent Proxy Configuration

James Lay jlay at slave-tothe-box.net
Tue Jun 30 20:26:33 UTC 2015


On 2015-06-30 12:21 PM, Chris Greene wrote:
> I’ve had Squid running on Ubuntu for a few weeks.  I’d configured the
> proxy settings in the browsers.  Everything has been working well and
> I've been pleased with the results.  But now I need to make this a
> transparent proxy and I’m running into trouble & need some help.
> 
> I’ve got a Destination NAT rule set up on my router to forward TCP
> port 80 traffic to my proxy.  And I removed proxy configuration
> settings from the browsers.  After enabling this DNAT rule, I see
> requests being logged to /var/log/squid3/access.log.
> 
> Results when navigating to http://www.google.com:
> The following error was encountered while trying to retrieve the URL: /
>   Invalid URL
> Some aspect of the requested URL is incorrect.
> Some possible problems are:
> -Missing or incorrect access protocol (should be “http://” or similar)
> -Missing hostname
> -Illegal double-escape in the URL-Path
> -Illegal character in hostname; underscores are not allowed.
> 
> 
> Next, I added "intercept" to http_port like so:
>   "http_port  192.166.2.55:3128  intercept"
> Results: Access Denied.
> 
> My abbreviated /etc/squid3/squid.conf looks like this:
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access allow all
> 
> I'm new to Squid/Ubuntu, so I likely overlooked something.  What am I
> missing?  What troubleshooting step(s) should I take next?
> -DG
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

What's your DNAT line?  Assuming squid is on the box that you're running 
the DNAT line on...here's mine...redirect is all you need if the 
firewall/gateway is on the same box as squid:

$IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport 80 -j REDIRECT --to-port 3128

And parts of my squid.conf:

acl localnet src 192.168.1.0/24

acl Safe_ports port 80
acl Safe_ports port 443

acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports

http_access allow SSL_ports
http_access allow localnet
http_access deny all

http_port 3128 intercept


James
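
How Squid's first-match http_access evaluation plays out on the rule list in the reply above, as an added example (not code from the thread). It models only http_access ordering, assumes the stock `acl SSL_ports port 443` definition that the excerpt omits, treats `SSL_Ports` and `SSL_ports` as the same ACL, and uses constructed sample requests.

```python
import ipaddress

# ACLs from the reply. SSL_ports is not defined in the excerpt; the stock
# squid.conf definition (port 443) is ASSUMED.
ACLS = {
    "localnet": ("src", ["192.168.1.0/24"]),
    "safe_ports": ("port", [80, 443]),
    "ssl_ports": ("port", [443]),  # assumption, see above
    "connect": ("method", ["CONNECT"]),
}

# http_access lines in the order they appear in the reply.
RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_Ports"]),
    ("allow", ["SSL_ports"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]

def acl_matches(name, req):
    """True if the named ACL matches req (keys: src, port, method)."""
    key = name.lower()  # ASSUMED: SSL_Ports and SSL_ports name the same ACL
    if key == "all":
        return True
    kind, values = ACLS[key]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(net) for net in values)
    return req[kind] in values  # "port" and "method" are plain membership

def decide(req, rules=RULES):
    """Return (action, index) for the first http_access line that matches."""
    for i, (action, names) in enumerate(rules):
        # ACLs on one line are ANDed; a leading "!" inverts that ACL.
        if all(acl_matches(n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action, i
    # No line matched: Squid applies the opposite of the last line's action.
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

# Constructed sample requests, not taken from any log.
SAMPLES = [
    {"src": "192.168.1.100", "port": 80, "method": "GET"},
    {"src": "192.168.1.100", "port": 8080, "method": "GET"},
    {"src": "10.0.0.5", "port": 80, "method": "GET"},
    {"src": "10.0.0.5", "port": 443, "method": "CONNECT"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req, "->", decide(req))
```

The last sample is allowed by `http_access allow SSL_ports` before the `localnet` line is consulted, so with this ordering a port 443 request is not restricted by source address.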

