[squid-users] Transparent Squid Proxy - ERR_EMPTY_RESPONSE

Antony Stone Antony.Stone at squid.open.source.it
Mon Aug 27 14:58:38 UTC 2018

On Monday 27 August 2018 at 16:04:16, zo_av wrote:

> I'm trying to redirect all of my subnet traffic to a transparent squid
> proxy using iptables on the router gateway (the squid proxy is located in
> the LAN).

So long as you use policy routing for this, and not address translation, it's 

> I can browse sites that are https but can't access http sites, the error
> that appears in the browser "ERR_EMPTY_RESPONSE"
> also I got these errors in the cache.log file:
> NF getsockopt(ORIGINAL_DST) failed on local=
> NAT/TPROXY lookup failed to locate original IPs on local=

Sounds like you're using NAT and not routing :(

> I'm using:
> Squid version:3.5.27 The iptables lines that we used for the redirection:
> - the squid box port+IP. - the router's IP.
> iptables:
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
> iptables -t nat -A POSTROUTING -p tcp -d --dport 3129 -j SNAT
> --to-source

Nope; won't work.

> squid.conf
> These are the lines that we have changed/added to the squid.conf:
> acl localnet src
> http_access allow localnet
> http_port 3128
> http_port 3129 intercept

Please see https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat and 
be aware of the NOTE: NAT configuration will only work when used *on* the squid 

https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute will 
help you with the setup you need in your situation.



The lottery is a tax for people who can't do maths.

                                                   Please reply to the list;
                                                         please *don't* CC me.
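
The split described in the reply above (policy routing on the router, NAT only on the Squid box), as an added example that is not part of the original message. The address 192.0.2.10, interface eth1, mark 2 and table 100 are constructed placeholders; the script prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example. Usage: "$0 router" on the gateway, "$0 squid" on the proxy host.
# Every address, interface and number below is a constructed placeholder.
PROXY_IP="${PROXY_IP:-192.0.2.10}"        # Squid box on the LAN (assumed)
CLIENT_IF="${CLIENT_IF:-eth1}"            # router interface facing the clients (assumed)
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"  # matches "http_port 3129 intercept"
FWMARK="${FWMARK:-2}"                     # arbitrary packet mark
TABLE="${TABLE:-100}"                     # arbitrary routing table number

# Print each command by default; execute it only when APPLY=1 (needs root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Router: steer port-80 packets to the proxy by routing, never by DNAT/SNAT,
# so they reach the Squid box with their original destination address intact.
router_rules() {
    # The proxy's own outbound requests must not be sent back to the proxy.
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -s "$PROXY_IP" -j ACCEPT
    run iptables -t mangle -A PREROUTING -i "$CLIENT_IF" -p tcp --dport 80 -j MARK --set-mark "$FWMARK"
    run iptables -t mangle -A PREROUTING -m mark --mark "$FWMARK" -j ACCEPT
    # Marked packets enter and leave on the same LAN interface.
    run iptables -t filter -A FORWARD -i "$CLIENT_IF" -o "$CLIENT_IF" -p tcp --dport 80 -j ACCEPT
    run ip rule add fwmark "$FWMARK" table "$TABLE"
    run ip route add default via "$PROXY_IP" table "$TABLE"
}

# Squid box: the only host that does NAT, so the ORIGINAL_DST lookup Squid
# performs finds the connection in the local NAT table.
squid_rules() {
    run iptables -t nat -A PREROUTING -s "$PROXY_IP" -p tcp --dport 80 -j ACCEPT
    run iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port "$INTERCEPT_PORT"
    run iptables -t nat -A POSTROUTING -j MASQUERADE
    # mangle runs before nat: this drops only direct connections to the
    # intercept port, not the redirected port-80 traffic.
    run iptables -t mangle -A PREROUTING -p tcp --dport "$INTERCEPT_PORT" -j DROP
}

case "${1:-}" in
    router) router_rules ;;
    squid)  squid_rules ;;
esac
```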
