[squid-users] Transparent HTTPs proxy with Squid 3.5

Amos Jeffries squid3 at treenet.co.nz
Tue Dec 13 22:50:48 UTC 2016

On 13/12/2016 10:15 p.m., Per Jessen wrote:
> Amos Jeffries wrote:
>> On 13/12/2016 5:11 a.m., Fomo Dong wrote:
>>> Hi all,
>>> For a couple of days I've been trying to figure out how to get a transparent
>>> HTTPs proxy to work with Squid. What I'm trying to achieve is a proxy
>>> that accepts internet traffic from ports 80 & 443, routes them
>>> through Squid to Privoxy and finally through Tor and returns back the
>>> data. So essentially I want to "automatically" revert some traffic
>>> through Tor without the user needing to add a proxy to their
>>> connection.
>>> I know how to set up the Privoxy and Tor part, but I'm struggling with
>>> the Squid & IP tables configuration.
>> The first thing to be aware of is that Squid obeys the HTTPS
>> requirement that traffic received on TLS connection also goes out one.
>> So your Privoxy must be capable of receiving TLS connections from
>> Squid.
>> If Privoxy cannot do TLS like that you could have Squid do the privacy
>> filtering. But then Tor would face the same requirement.
>> Second thing I want to make clear is that a *transparent* proxy is the
>> opposite of anonymizing proxy. A transparent proxy hides *itself* while
>> _revealing_ the client.  An anonymous proxy reveals itself, while
>> hiding the client(s). They are almost direct opposites in behaviour.
>> Anyhow, what you meant by the word "transparent" turns out to actually
>> be "intercepting". 
> We also run a "transparent" proxy, but it is transparent for the
> _client_.  The main office router simply sends an ICMP redirect to
> point clients to the proxy. 

Uh, ICMP redirect informs the client that it's not contacting the
original server. It also implies there are no NAT records for the proxy
to lookup to resolve the ORIGINAL_DST address.

How does that work with the 'transparent' mode flag on your http_port
line(s)? Not well I suspect.

It is people calling non-transparent things like that "transparent"
which has led to Fomo's problem of the configuration being half *actual*
Transparent Proxy (TPROXY, 'tproxy' mode) and half NAT interception
(REDIRECT, 'intercept' mode).
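The half-TPROXY, half-NAT mix Amos describes is easy to catch before Squid ever starts. The following audit script is an added example for this thread, not code from the thread or from the Squid project: it reads the intercepting `http_port`/`https_port` lines of a squid.conf and the netfilter rules that deliver traffic to those ports, and reports any port whose mode flag (`intercept` needs REDIRECT or DNAT, `tproxy` needs TPROXY) does not match its rule. The port numbers, the sample squid.conf and iptables lines, and the certificate path are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: checks that each
# intercepting http_port/https_port in squid.conf is paired with the matching
# netfilter target ('intercept' needs REDIRECT or DNAT, 'tproxy' needs TPROXY).
# Port numbers, file contents and the cert path below are constructed.

# Returns 0 when a Squid port mode flag and an iptables target belong together.
check_pair() {
  case "$1:$2" in
    intercept:REDIRECT|intercept:DNAT|tproxy:TPROXY) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints the netfilter target (REDIRECT, DNAT or TPROXY) of the rule in the
# rule text $1 that delivers traffic to Squid port $2; prints nothing if none does.
rule_target() {
  printf '%s\n' "$1" | awk -v p="$2" '
    /-j (REDIRECT|DNAT|TPROXY)/ {
      hit = 0
      for (i = 1; i <= NF; i++) {
        if (($i == "--to-port" || $i == "--to-ports" || $i == "--on-port") && $(i+1) == p) hit = 1
        if ($i == "--to-destination" && $(i+1) ~ ":" p "$") hit = 1
      }
      if (hit) for (i = 1; i <= NF; i++) if ($i == "-j") { print $(i+1); exit }
    }'
}

# Prints one line per intercepting port: "PORT MODE TARGET VERDICT".
# Returns 0 only if every intercepting port is paired with the right target.
audit() {
  conf=$1; rules=$2
  report=$(printf '%s\n' "$conf" | awk '
    $1 == "http_port" || $1 == "https_port" {
      mode = ""
      for (i = 3; i <= NF; i++) if ($i == "intercept" || $i == "tproxy") mode = $i
      if (mode != "") { port = $2; sub(/.*:/, "", port); print port, mode }
    }' | while read -r port mode; do
      target=$(rule_target "$rules" "$port")
      if [ -z "$target" ]; then
        echo "$port $mode - NO_RULE"
      elif check_pair "$mode" "$target"; then
        echo "$port $mode $target OK"
      else
        echo "$port $mode $target MISMATCH"
      fi
    done)
  printf '%s\n' "$report"
  ! printf '%s\n' "$report" | grep -Eq 'MISMATCH|NO_RULE'
}

# Constructed sample: a consistent NAT-interception setup.
CONF_OK='http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/etc/squid/example.pem'
RULES_OK='iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130'

# Constructed sample: the half-TPROXY, half-NAT mix described in the thread.
CONF_MIX='http_port 3129 tproxy'
RULES_MIX='iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129'

# Usage on a live box (functions only; nothing is applied to the firewall):
#   . ./squid_mode_audit.sh
#   audit "$(cat /etc/squid/squid.conf)" "$(iptables-save)"
```

The script only reads configuration text and never touches netfilter itself, so it is safe to run from a deploy check; a non-zero exit from `audit` means Squid would be asked to recover ORIGINAL_DST in one way while the kernel is delivering the connection in another.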
