[squid-users] Squid Intercept - From inside LAN with DNAT on router and docker on host

Guilherme Scaglia cadastros.scaglia at gmail.com
Wed Jul 20 19:42:27 UTC 2016


Hi.

I've been trying to set up a local squid server on my home LAN to cache
HTTP (not HTTPS) pages. I want to avoid any client configuration, so I'm
aiming for a transparent proxy - with squid in intercept mode.

In my network setup, the squid server is inside the LAN together with its
clients, and not sitting between the clients and the router/modem like all
guides assume. Furthermore, requests originating from the same machine
where squid is running should be cached as well.

I've set up squid inside a docker container, on a fedora 24 image. The squid
version is 3.5.19. In squid.conf I've added a new http_port line, for port
8080 with the intercept flag:
http_port 8080 intercept

My router is a Mikrotik router board, so it's trivial to set up a DNAT rule
to redirect all TCP requests to the squid server. To avoid forward loops,
I've marked all packets originating from squid with DSCP 4 using iptables
rules, and excluded those from the DNAT rule on the router. I've tested
this by running wget requests from inside the docker container, and those
went by without any redirection.

Now comes the problem:
When any of the redirected requests reach squid, squid will reply instantly
with TCP_MISS/403. Since all traffic from the squid machine is marked with
a specific DSCP, it's also easy to see squid made no requests to the
outside world before giving that reply. Running tcpdump on the host machine
shows no other packets are being sent other than the 403 reply.

What's happening? Why doesn't squid try to fetch the requested pages at all?


From my understanding, my setup is roughly equivalent to
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat, only the
DNAT is happening outside the squid box; there is no reason this should
interfere with anything.

http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
seems to recommend routing without DNAT; this seems weird, as the only way
I can see this working is if the squid machine accepted packets to any
address as its own.


TL;DR:
When running squid in intercept mode, inside a docker container, routing
traffic to it through dst-nat rules on an external router, squid will reply
with '403 Forbidden' to all requests. access.log lists TCP_MISS/403, but
tcpdump indicates that squid is never trying to query the requested page at
all.
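The following is an added example, not part of the original post or the Squid project's own documentation. It shows the ruleset a practitioner would put on the Squid host itself for this topology, in line with the LinuxDnat wiki page linked above, which requires the NAT to be done on the Squid box: in intercept mode Squid recovers each connection's original destination from the kernel conntrack table (the Linux SO_ORIGINAL_DST lookup), and that table only knows the original destination if the REDIRECT/DNAT happened in the same network namespace Squid is running in. The router then forwards LAN clients' port 80 traffic to the Squid host unchanged (a policy route, as on the IptablesPolicyRoute page, rather than dst-nat), and the REDIRECT rule in PREROUTING rewrites the destination locally, so the host never has to accept packets for arbitrary addresses. Assumptions not taken from the post: the LAN interface name, the numeric uid Squid runs as, and that the docker container runs with --network host so that these iptables rules and Squid's lookup share one namespace. The DSCP 4 mark on Squid's own outgoing connections keeps the router-side exclusion from the post working.

```shell
#!/bin/sh
# Added example: intercept plumbing on the Squid host for a Squid that is
# inside the LAN, configured with "http_port 8080 intercept".
# Hypothetical values, override via environment: LAN_IF, SQUID_PORT, SQUID_UID.
LAN_IF="${LAN_IF:-eth0}"
SQUID_PORT="${SQUID_PORT:-8080}"
SQUID_UID="${SQUID_UID:-23}"   # assumed uid of the squid process; check `id -u squid` in the container

# Emit the rules instead of applying them directly, so they can be reviewed
# (and tested) before touching a live host. apply_rules() runs them.
intercept_rules() {
  cat <<EOF
# The router forwards LAN clients' port 80 packets here unchanged, so forwarding must be on.
sysctl -w net.ipv4.ip_forward=1
# 1. LAN clients: REDIRECT rewrites the destination to this box and records the
#    original destination in conntrack, which is what Squid's intercept lookup reads.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# 2. Requests originating on this machine: Squid's own outgoing connections are
#    exempted by uid (otherwise they would loop back into Squid); loopback is left alone;
#    every other local port 80 connection is redirected into Squid.
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $SQUID_UID -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# 3. Mark Squid's own upstream traffic with DSCP 4 so the router can exclude it
#    from the policy route (same loop-avoidance as the post's dst-nat exclusion).
iptables -t mangle -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $SQUID_UID -j DSCP --set-dscp 4
EOF
}

# Apply the generated rules on this host (needs root). Stops at the first failing command.
apply_rules() {
  intercept_rules | sh -e
}

# Dry run by default; pass "apply" to install the rules.
if [ "${1:-}" = "apply" ]; then
  apply_rules
else
  intercept_rules
fi
```

Run the script with no arguments to review the generated commands, and with `apply` to install them. Clients must still not be able to connect to the intercept port directly, so leave the router's forwarding of port 80 as the only path into it.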