[squid-users] Squid Intercept - From inside LAN with DNAT on router and docker on host

Guilherme Scaglia cadastros.scaglia at gmail.com
Wed Jul 20 20:22:20 UTC 2016


Bruno,

Yes, there is. This was also my first guess, but according to similar
questions in forums and such, access.log lists such cases as TCP_DENIED/403
rather than TCP_MISS/403.

I've also tried removing the ACL entry after your message, and indeed the
message changes to TCP_DENIED/403. So it's unlikely for it to be an ACL-related
issue.

Ty.

2016-07-20 17:08 GMT-03:00 Bruno de Paula Larini <
bruno.larini at riosoft.com.br>:

> Just a basic question: is there an ACL allowing your hosts in squid.conf?
> Squid will promptly answer with a 403 error otherwise.
>
>
>
> On 20/07/2016 16:42, Guilherme Scaglia wrote:
>
> Hi.
>
> I've been trying to set up a local squid server on my home LAN to cache
> HTTP (not HTTPS) pages. I want to avoid any client configuration, so I'm
> aiming for a transparent proxy - with squid in intercept mode.
>
> In my network setup, the squid server is inside the LAN together with its
> clients, and not sitting between the clients and the router/modem like all
> guides assume. Furthermore, requests originating from the same machine
> where squid is running should be cached as well.
>
> I've set up squid inside a docker container, on a fedora 24 image. The
> squid version is 3.5.19. On squid.conf I've added a new http_port line, for
> port 8080 with the intercept flag:
> http_port 8080 intercept
>
> My router is a Mikrotik router board, so it's trivial to set up a DNAT rule
> to redirect all TCP requests to the squid server. To avoid forward loops,
> I've marked all packets originating from squid with DSCP 4 using iptables
> rules, and excluded those from the DNAT rule on the router. I've tested
> this by running wget requests from inside the docker container, and those
> went by without any redirection.
>
> Now comes the problem:
> When any of the redirected requests reach squid, squid will reply
> instantly with TCP_MISS/403. Since all traffic from the squid machine is
> marked with a specific DSCP, it's also easy to see squid made no requests
> to the outside world before giving that reply. Running tcpdump on the host
> machine shows no other packets are being sent other than the 403 reply.
>
> What's happening? Why doesn't squid try to fetch the requested pages at
> all?
>
>
> From my understanding, my setup is roughly equivalent to
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat, only the
> DNAT is happening outside the squid box; there is no reason this should
> interfere with anything.
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
> seems to recommend routing without DNAT; this seems weird, as the only way
> I can see this working is if the squid machine accepted packets to any
> address as their own.
>
>
> TL;DR:
> When running squid in intercept mode, inside a docker container, routing
> traffic to it through dst-nat rules on an external router, squid will reply
> with '403 forbidden' to all requests. Access.log lists TCP_MISS/403, but
> tcpdump indicates that squid is never trying to query the requested page at
> all.
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
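The reply above hinges on reading access.log correctly: a TCP_DENIED result means Squid's ACLs rejected the request, whereas TCP_MISS/403 with HIER_NONE in the hierarchy field means Squid generated the error itself without contacting any upstream, which is exactly what the tcpdump observation showed. The following is an added example, not code from the thread or from the Squid project; it parses Squid's default native log format and sorts entries into those buckets. The log lines are constructed samples (the IP addresses and URLs are placeholders, not from the poster's setup).

```python
"""Classify Squid native-format access.log lines to separate ACL denials
from error replies Squid generated without contacting any upstream.

Added example for the squid-users thread; not code from Squid or the posters.
The sample log lines are constructed, not captured from any real proxy.
"""
from dataclasses import dataclass

# Constructed sample lines in Squid's default "squid" log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1469046000.123      0 192.168.1.50 TCP_MISS/403 3900 GET http://example.com/ - HIER_NONE/- text/html
1469046001.456      0 192.168.1.51 TCP_DENIED/403 3900 GET http://example.com/ - HIER_NONE/- text/html
1469046002.789    120 192.168.1.52 TCP_MISS/200 5123 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
"""


@dataclass
class Entry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str      # e.g. TCP_MISS
    status: int      # e.g. 403
    method: str
    url: str
    hierarchy: str   # e.g. HIER_NONE
    peer: str        # upstream address, or '-' when none was contacted


def parse_line(line: str) -> Entry:
    """Split one native-format line into its fields (whitespace separated)."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError(f"not a native squid log line: {line!r}")
    result, status = fields[3].split("/", 1)
    hierarchy, peer = fields[8].split("/", 1)
    return Entry(
        timestamp=float(fields[0]),
        elapsed_ms=int(fields[1]),
        client=fields[2],
        result=result,
        status=int(status),
        method=fields[5],
        url=fields[6],
        hierarchy=hierarchy,
        peer=peer,
    )


def classify(entry: Entry) -> str:
    """Map an entry to a coarse diagnostic bucket.

    - 'acl_denied': Squid's ACLs rejected the request (TCP_DENIED*).
    - 'error_no_upstream': an error status with HIER_NONE, i.e. Squid
      answered by itself without trying any upstream (the poster's symptom).
    - 'local': served without upstream and without error (cache hit, etc.).
    - 'forwarded': Squid contacted an upstream (HIER_DIRECT, a peer, ...).
    """
    if entry.result.startswith("TCP_DENIED"):
        return "acl_denied"
    if entry.hierarchy == "HIER_NONE":
        return "error_no_upstream" if entry.status >= 400 else "local"
    return "forwarded"


def summarize(log_text: str) -> dict:
    """Count entries per bucket over a whole log excerpt."""
    counts: dict = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        bucket = classify(parse_line(line))
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        e = parse_line(raw)
        print(f"{e.client} {e.result}/{e.status} {e.hierarchy} -> {classify(e)}")
    print(summarize(SAMPLE_LOG))
```

Running this over a real access.log is a quick way to confirm the reply's point: if the 403 lines land in `error_no_upstream` rather than `acl_denied`, the ACLs are not what is rejecting the intercepted requests, and the problem sits between the DNAT on the router and Squid's interception handling instead.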