[squid-users] squid intercept mode for http & https

Antony Stone Antony.Stone at squid.open.source.it
Sat Nov 21 16:21:52 UTC 2015


On Saturday 21 November 2015 at 17:02:56, Ahmad Alzaeem wrote:

> Hi Guys, I have a squid running in intercept mode

Okay...

> I have a dns to resolve all the websites to the ip of proxy

Which instructions / documentation did you follow saying that was a good idea?

> I want the proxy to be able to operate normally

Then, set up your DNS server normally as well :)

> and don't look @ the destination ip since all packets will have the
> destination ip as the ip of proxy

I think you have the wrong idea of what "intercept mode" means.

> I want the proxy to operate based on the domain name.

So, just route the packets to the proxy (with the *correct* destination IP 
address) as per all the guidelines you can find on the Internet showing how to 
do this, and Squid will do the rest.

> So far I have the squid listening on port 11611 intercept mode and I have
> traffic 80, 443 hit the linux proxy server

You need to perform NAT on the same box as Squid is running on, to redirect 
packets from their original IP address, to the IP of Squid, and it will work.

Undo the weirdness you've created with DNS.

> Now I can't open either http or https.

I can only say "I'm not surprised."  You've told the clients to connect to 
Squid as a web server.  Squid finds its own IP as the destination, and gives 
up.

> Squid.conf :
> 
> dns_nameservers 8.8.8.8

I strongly recommend you to set up a local caching name server, and point both 
your clients, and Squid, at it.

> visible_hostname seerver.server

Have you cut and pasted this configuration file, or (mis-)typed it?

> acl localnet src xxx.0.0/16 xxx.0.0/16 192.168.0.0/16    # RFC1918 possible internal network

You have public IPs on your internal network?

Unusual, but plausible...  I'm just checking to make sure I understand your 
network correctly.

> # Squid normally listens to port 3128
> 
> #http_port 443 intercept
> 
> http_port 10.159.144.206:11611 intercept

So, the Squid server has a private IP - this makes it all the more unusual 
that you seem to have public IPs on your internal network.

> iptables settings :
> 
> iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.159.144.206:11611

That looks fine for a standard intercept setup.

> any help ?????

Undo your DNS strangeness and let us know if it starts working.


Regards,


Antony.

-- 
"There is no reason for any individual to have a computer in their home."

 - Ken Olsen, President of Digital Equipment Corporation (DEC, later consumed 
by Compaq, later merged with HP)

                                                   Please reply to the list;
                                                         please *don't* CC me.
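
The failure described in this reply, as an added example that is not part of the original thread: a Python check over the squid.conf and iptables lines quoted above, together with the DNS answers clients receive. The DNS answers, the example hostnames and the helper names (`intercept_ports`, `nat_redirects`, `audit`) are constructed for illustration.

```python
import re

# Config lines quoted in the thread; the DNS answers below are constructed.
SQUID_CONF = """\
#http_port 443 intercept
http_port 10.159.144.206:11611 intercept
"""
IPTABLES = ("iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 "
            "-j DNAT --to-destination 10.159.144.206:11611")
PROXY_IP = "10.159.144.206"
BROKEN_DNS = {"www.example.com": PROXY_IP, "example.org": PROXY_IP}
NORMAL_DNS = {"www.example.com": "192.0.2.10", "example.org": "198.51.100.20"}

def intercept_ports(squid_conf):
    """Map port -> listen IP (or None) for active http_port lines flagged intercept."""
    ports = {}
    for line in squid_conf.splitlines():
        words = line.split("#", 1)[0].split()  # drop comments
        if len(words) >= 3 and words[0] == "http_port" and "intercept" in words[2:]:
            ip, _, port = words[1].rpartition(":")
            ports[int(port)] = ip or None
    return ports

def nat_redirects(rules):
    """List (dport, target_port) for PREROUTING DNAT/REDIRECT rules."""
    found = []
    for rule in rules.splitlines():
        dport = re.search(r"--dport (\d+)", rule)
        target = re.search(r"--to-(?:destination \S*:|ports? )(\d+)", rule)
        if "PREROUTING" in rule and dport and target:
            found.append((int(dport.group(1)), int(target.group(1))))
    return found

def audit(squid_conf, rules, client_dns, proxy_ip):
    """Return findings that would stop interception from working."""
    findings = []
    ports = intercept_ports(squid_conf)
    redirects = nat_redirects(rules)
    if not any(target in ports for _, target in redirects):
        findings.append("no NAT rule delivers traffic to an intercept port")
    hijacked = sorted(n for n, ip in client_dns.items() if ip == proxy_ip)
    if hijacked:
        findings.append("DNS points clients at the proxy itself, so the "
                        "original destination IP is lost: " + ", ".join(hijacked))
    return findings

if __name__ == "__main__":
    for label, dns in (("DNS override", BROKEN_DNS), ("normal DNS", NORMAL_DNS)):
        print(label, "->", audit(SQUID_CONF, IPTABLES, dns, PROXY_IP) or "ok")
```

With the quoted port and NAT rule, the only finding comes from the DNS override; with normal DNS answers the same configuration passes.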

