[squid-users] Squid Transparent/intercept Issues

Antony Stone Antony.Stone at squid.open.source.it
Tue Mar 21 11:12:01 UTC 2017


On Tuesday 21 March 2017 at 12:00:05, christian brendan wrote:

> > Today's Topics:
> >    1. Re: Squid Transparent/intercept Issues (Antony Stone)
> >    2. Re: SMP and AUFS (Matus UHLAR - fantomas)
> >    3. Re: SMP and AUFS (Alex Rousskov)
> >    4. Re: squid workers question (Alex Rousskov)
> >    5. Re: squid workers question (Matus UHLAR - fantomas)
> >    6. Re: SSL Bump issues (Alex Rousskov)
> >    7. blocking or allowing specific youtube videos (Sohan Wijetunga)

Please edit your reply when responding to a digest email, deleting everything 
not specific to your question.

> > Date: Mon, 20 Mar 2017 16:56:17 +0100
> > From: Antony Stone
> > To: squid-users at lists.squid-cache.org
> > Subject: Re: [squid-users] Squid Transparent/intercept Issues
> > 
> > On Monday 20 March 2017 at 16:26:40, christian brendan wrote:
> > > Hello Everyone,
> > > 
> > > Squid Cache: Version 3.5.20
> > > OS: CentOS 7
> > > 
> > > I have used squid for quite some time non-transparently and it works;
> > > the problem kicks in when "http_port 3128 transparent" is enabled.
> > > An Access Denied error page shows up when transparent is enabled:
> > > ERROR
> > > The requested URL could not be retrieved
> > 
> > How are you getting the packets to the Squid server for interception?
> > 
> > Is the Squid server in the default route between your clients and the
> > Internet, or are you redirecting the packets to the Squid server somehow?
> > 
> > Please give *details* of how you are intercepting and sending the packets
> > to Squid (eg: iptables rules, and which machine/s the rules are running
> > on).
> > 
> > 
> > Antony.

> @Antony.Stone
> 1. I am using a Mikrotik routerboard to redirect traffic, with this rule:
> add action=dst-nat chain=dstnat comment="Redirect port 80 to SquidProxy"
> dst-port=80 protocol=tcp \ src-address=10.24.7.100 to-addresses=10.24.7.101
> to-ports=3128

Okay, so there's your problem, then.

You must not use DSTNAT on a separate router to send packets to Squid for 
intercept.

(This used to work in older versions of Squid, but does not work any more and 
is documented on the wiki, for example at
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat )

Note the wording: "NOTE: This configuration is given for use on the squid box."  
That means the NAT rules *must* be running on the Squid box itself and not (in 
your case) on the Mikrotik router.

> 3. It is not in the default route; packets are being redirected.

In that case you need to use policy routing to get the packets *unchanged* to 
the Squid box - see the above link, and also
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

> 4. There are no iptables rules; the firewall is disabled for this test.

You have to have a REDIRECT rule on the machine running Squid to get it to see 
the packets (once they are no longer being DNATted).

Please try to follow the guidelines at
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat and 
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute and 
then come back to us with details of what you've tried, if there are still 
problems.


Regards,


Antony.

-- 
A user interface is like a joke.
If you have to explain it, it didn't work.

                                                   Please reply to the list;
                                                         please *don't* CC me.
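Added example, not from this thread or the Squid project: a POSIX shell helper that prints the iptables rules the two linked wiki pages describe, first for the Squid box itself (the REDIRECT Antony says is required there) and then for a Linux router doing policy routing instead of DST-NAT. The addresses, firewall mark and routing table number are assumptions modelled on the Mikrotik rule quoted above.

```shell
#!/bin/sh
# Assumed values (taken from the quoted rule; adjust to your network).
SQUID_IP="10.24.7.101"      # CentOS box running Squid
CLIENT_NET="10.24.7.0/24"   # clients whose port-80 traffic is intercepted
INTERCEPT_PORT="3128"       # must match: http_port 3128 intercept

# Rules for the Squid box. Squid recovers the original destination of an
# intercepted connection from the *local* NAT table, which is why the
# redirect must happen on this host and not on an upstream router.
intercept_rules() {
    squid_ip="$1"; client_net="$2"; port="$3"
    # Refuse direct client connections to the intercept port: only NATed
    # traffic belongs there, anything else can spoof the original destination.
    echo "iptables -t mangle -A PREROUTING -p tcp --dport $port -j DROP"
    # Never redirect packets sourced by Squid itself (guards against loops
    # if the rule set is ever copied to a router).
    echo "iptables -t nat -A PREROUTING -s $squid_ip -p tcp --dport 80 -j ACCEPT"
    # Send client port-80 traffic into the intercept port on this box.
    echo "iptables -t nat -A PREROUTING -s $client_net -p tcp --dport 80 -j REDIRECT --to-ports $port"
}

# Rules for a Linux router in front of the clients: mark client port-80
# packets and route them, unmodified, to the Squid box. The destination
# address is left intact, so Squid can still see where the client was going.
router_policy_rules() {
    squid_ip="$1"; client_net="$2"
    mark=3; table=2   # assumed: any unused fwmark / routing table
    # Squid's own outbound traffic must not be marked or it would loop back.
    echo "iptables -t mangle -A PREROUTING -s $squid_ip -p tcp --dport 80 -j ACCEPT"
    echo "iptables -t mangle -A PREROUTING -s $client_net -p tcp --dport 80 -j MARK --set-mark $mark"
    echo "ip rule add fwmark $mark table $table"
    echo "ip route add default via $squid_ip table $table"
}

# Print both rule sets for review; pipe the relevant one into sh on the
# matching host only after checking it.
case "${1:-}" in
    squid)  intercept_rules "$SQUID_IP" "$CLIENT_NET" "$INTERCEPT_PORT" ;;
    router) router_policy_rules "$SQUID_IP" "$CLIENT_NET" ;;
esac
```

Run as `sh intercept.sh squid` on the Squid box or `sh intercept.sh router` on a Linux router to print the rules before applying them.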
