[squid-users] Transparent Proxy

John Sayce jsayce at asdlighting.com
Wed Sep 7 08:23:02 UTC 2016


I'm trying to set up a transparent proxy but I'm fairly sure I'm missing something.

I've followed the instructions on the juniper website along with a couple of other blogs as per:
https://damn.technology/using-squid-juniper-pbr-transparent-proxy
http://davehope.co.uk/Blog/implementing-pbr-and-squid3-as-a-transparent-proxy/
https://kb.juniper.net/InfoCenter/index?id=KB24139&page=content&actp=search


I have a Juniper SSG320 firewall set up with policy-based routing. For my chosen subnet this is configured to forward traffic on port 80 to the squid server.

The traffic from my firewall is forwarded to squid. This appears to be happening.

The client starts with a SYN packet which is forwarded from the firewall to the squid server. The packet is forwarded to the squid server with the source IP address remaining that of the client. The problem is that the squid server then responds to the client as itself rather than spoofing the address that the client originally requested. So the ACK packet the client receives is from the squid server rather than the remote web server the client made a request to, which isn't going to work.

So should my firewall be doing something more, or is it my squid server that's not performing as expected?

In addition to forwarding the packet to squid, I can enable source translation on the firewall (which isn't in the guides I mentioned) so the source address of the packet sent to squid is that of the firewall. Squid then responds to the firewall, which in turn translates the packet back to the client. This configuration works; however, the access log stores the address of the firewall rather than the address of the client. Is this how it's meant to work, or am I missing something?

Thanks
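For reference, the squid-host side of the interception setup that the linked guides rely on, added here as an example (it is not part of John's message or the squid project's documentation; the interface name eth0, the port numbers and the directory paths are assumptions):

```conf
# --- /etc/squid/squid.conf (excerpt, assumed path) ---
# Ordinary proxy port; squid expects at least one non-intercept listener
# for management traffic and explicitly configured clients.
http_port 3128
# Port that receives the NAT-redirected traffic. "intercept" tells squid the
# connection was redirected by the kernel, so it recovers the original
# destination from the NAT table rather than from a proxy-style request line.
http_port 3129 intercept

# --- Commands run on the squid host (assumed interface: eth0) ---
# Packets arriving via the firewall's PBR still carry the client's source IP
# and the remote web server's destination IP. REDIRECT rewrites the destination
# to the local intercept port and records the original destination in conntrack;
# replies that squid sends on that connection are de-NATed back to the web
# server's address, so the client sees the SYN/ACK come from the host it asked for.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3129

# Because the source address is not rewritten on this path, access.log records
# the client's address rather than the firewall's.

# Checks: the REDIRECT rule's packet counter should rise while a client browses,
# and each client connection should appear in conntrack with the original
# destination (dst=<web server>) and the rewritten one (dport=3129).
iptables -t nat -L PREROUTING -v -n
conntrack -L -p tcp --dport 80
```

If the counter stays at zero, the packets are not reaching eth0 with destination port 80 intact, which points at the firewall side of the setup rather than at squid.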


