[squid-users] Transparent Proxy in AWS

Amos Jeffries squid3 at treenet.co.nz
Tue Nov 29 03:23:35 UTC 2016


On 29/11/2016 10:33 a.m., kevin2345 wrote:
> Hello, new to squid here.  I'm trying to setup a transparent proxy with squid
> for my internal hosts to reach outbound destinations.  We are hosted in AWS
> with a VPC setup and multiple subnets.  The squid host is in a "public"
> subnet that has outbound access, while the other subnets are "private" with
> access to the hosts in the public subnet.  The end goal is to have all
> outbound traffic in the VPC routed to the squid host before going to the
> internet.  By doing this, we'll have a central "choke point" to manage in

Hint: In networking that is called a _gateway_ or router.

> terms of access/auditing.  We want to accomplish this with iptables rules on
> the clients (eventually managed with config management) that direct outbound
> traffic (http/https for example) to the squid host.

So long as you don't use DNAT or REDIRECT. Any form of routing or tunnel, 
or setting the client's gateway to be the Squid machine should be okay.

> I've tried setting up the squid host with Ubuntu 14.04 and squid 3.3.8.  I
> am testing http access with a curl to ifconfig.co (which would return the
> external IP address),

  ... but apparently does not.

>   but I'm running into 403/access denied errors.  See
> below for log excerpts and the config files.  "172.18.128.58" is my squid
> proxy host and "172.18.145.88" is my test client.

Not any old "403 Access Denied" but Forwarding Loop denials.


> squid.conf:
> --------
> http_port 3128 intercept
> http_port 80
>
> acl localnet src 172.18.0.0/16
> acl localhost src 127.0.0.1
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
> follow_x_forwarded_for allow localhost
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access allow all
>
> cache_dir ufs /var/spool/squid3 100 16 256
> coredump_dir /var/spool/squid3
>
> visible_hostname squidhost
>
> debug_options ALL,1 33,2 28,9
> --------
>
>
> squid logs:
> --------
> ==> /var/log/squid3/cache.log <==
> 2016/11/28 19:26:45.119| WARNING: Forwarding loop detected for:
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Accept: */*
> Via: 1.1 squidhost (squid/3.3.8)
> X-Forwarded-For: 172.18.145.88
> Cache-Control: max-age=259200
> Connection: keep-alive
> Host: ifconfig.co
>
>
> ==> /var/log/squid3/access.log <==
> 1480361205.120      0 172.18.128.58 TCP_MISS/403 3629 GET http://ifconfig.co/ - HIER_NONE/- text/html
> 1480361205.120      1 172.18.145.88 TCP_MISS/403 3728 GET http://ifconfig.co/ - HIER_DIRECT/172.18.128.58 text/html
>
> ==> /var/log/squid3/cache.log <==
>
> ==> /var/log/squid3/access.log <==
>
> ==> /var/log/squid3/cache.log <==
> 2016/11/28 19:26:45.123| client_side.cc(777) swanSong: local=172.18.128.58:3128 remote=172.18.145.88:36030 flags=33
> --------
>
>
> iptables rules on test client:
> --------
> ubuntu at ip-172-18-145-88:~$ sudo iptables -t nat -nvL
> Chain PREROUTING (policy ACCEPT 7 packets, 448 bytes)
>   pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 7 packets, 448 bytes)
>   pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 624 packets, 125K bytes)
>   pkts bytes target     prot opt in     out     source               destination
>    442 26520 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.18.128.58:3128

The DNAT on the client informs Squid that the real IP of the server is 
172.18.128.58. Squid will send the request upstream to that IP ...

Please follow the Config Example 
<http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat>, in 
particular the first NOTE about where the configuration needs to be 
done. Hint: not on the client.

Amos
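The loop Amos describes, turned into a small checker. This is an added example, not part of the thread and not Squid's own code: it reads the cache.log and access.log excerpts quoted above, flags the Via header that already names squidhost and the access.log entry in which Squid forwards the request to its own address, and classifies interception NAT rules by the host they live on. Squid's intercept mode recovers the original destination from the NAT table on its own host, which is why the DNAT has to be there and not on the client. The iptables-save style rule strings (the client's OUTPUT DNAT rewritten from the `-nvL` listing, and a PREROUTING rule on the Squid host in the spirit of the LinuxDnat example) are constructed for the example; the thread itself only shows the `-nvL` output.

```python
"""Spot the Squid forwarding loop from the thread's log excerpts and flag the
client-side NAT rule that produced it. Added example, not Squid code."""
import re

# Values taken from the thread, not constructed.
PROXY_IPS = {"172.18.128.58"}
VISIBLE_HOSTNAME = "squidhost"
INTERCEPT_PORT = 3128

# Log excerpts copied from the thread, trimmed to the relevant lines.
CACHE_LOG = """\
2016/11/28 19:26:45.119| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
User-Agent: curl/7.35.0
Via: 1.1 squidhost (squid/3.3.8)
X-Forwarded-For: 172.18.145.88
Host: ifconfig.co

2016/11/28 19:26:45.123| client_side.cc(777) swanSong: local=172.18.128.58:3128 remote=172.18.145.88:36030 flags=33
"""
ACCESS_LOG = """\
1480361205.120      0 172.18.128.58 TCP_MISS/403 3629 GET http://ifconfig.co/ - HIER_NONE/- text/html
1480361205.120      1 172.18.145.88 TCP_MISS/403 3728 GET http://ifconfig.co/ - HIER_DIRECT/172.18.128.58 text/html
"""
# The client's rule from the thread, rewritten in iptables-save syntax (constructed).
CLIENT_NAT_RULES = [
    "-A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 172.18.128.58:3128",
]
# A PREROUTING rule on the Squid host instead, as the LinuxDnat example does (constructed).
PROXY_NAT_RULES = [
    "-A PREROUTING -s 172.18.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3128",
]


def via_names(block):
    """Hostnames listed as received-by entries in the block's Via header."""
    m = re.search(r"^Via:\s*(.+)$", block, re.M)
    if not m:
        return []
    names = []
    for hop in m.group(1).split(","):
        fields = hop.split()          # "1.1 squidhost (squid/3.3.8)"
        if len(fields) >= 2:
            names.append(fields[1])
    return names


def loops_in_cache_log(text, hostname=VISIBLE_HOSTNAME):
    """Host header of every 'Forwarding loop' request whose Via already names us."""
    found = []
    for block in re.split(r"\n\s*\n", text):
        if "Forwarding loop detected" in block and hostname in via_names(block):
            host = re.search(r"^Host:\s*(\S+)", block, re.M)
            found.append(host.group(1) if host else "?")
    return found


def self_hits_in_access_log(text, proxy_ips=PROXY_IPS):
    """(client, url, hierarchy code) for requests Squid forwarded to its own address."""
    hits = []
    for line in text.splitlines():
        f = line.split()   # native log format: ts elapsed client code/status bytes method url user hier/peer type
        if len(f) < 9:
            continue
        code, _, peer = f[8].partition("/")
        if peer in proxy_ips:
            hits.append((f[2], f[6], code))
    return hits


def nat_rule_problems(rules, role, proxy_ips=PROXY_IPS, port=INTERCEPT_PORT):
    """Interception rules that will loop, given the host ('client' or 'proxy') they sit on."""
    problems = []
    for rule in rules:
        chain = re.match(r"-A (\S+)", rule)
        to_proxy = re.search(r"-j DNAT --to-destination (\S+):(\d+)", rule)
        to_port = re.search(r"-j REDIRECT --to-ports (\d+)", rule)
        targets_intercept = (
            (to_proxy and to_proxy.group(1) in proxy_ips and int(to_proxy.group(2)) == port)
            or (to_port and int(to_port.group(1)) == port)
        )
        if not (chain and targets_intercept):
            continue
        if role == "client":
            problems.append(("client-side NAT hides the real destination from Squid", rule))
        elif chain.group(1) != "PREROUTING":
            problems.append(("on the proxy host the NAT belongs in PREROUTING", rule))
    return problems


if __name__ == "__main__":
    print("loops in cache.log:", loops_in_cache_log(CACHE_LOG))
    print("self-forwarding in access.log:", self_hits_in_access_log(ACCESS_LOG))
    print("client rules:", nat_rule_problems(CLIENT_NAT_RULES, "client"))
    print("proxy rules:", nat_rule_problems(PROXY_NAT_RULES, "proxy"))
```

Run against the excerpts, the checker reports ifconfig.co as the looped request, the 172.18.145.88 line as the one Squid sent to 172.18.128.58 (HIER_DIRECT to itself), the client's OUTPUT DNAT as the cause, and the PREROUTING rule on the proxy host as clean.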


