[squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Yuri yvoinov at gmail.com
Wed Feb 7 23:41:09 UTC 2018


Squid is relatively difficult to run in transparent mode on virtual
platforms due to NAT limitations on virtual platforms (this is not
squid's issue, this is an issue of virtual platforms).

I've been using squid only in transparent mode (only in transparent mode)
for several years on Solaris (bare metal) without any issues in HTTP/HTTPS
interception. With IPFilter. With 1-2-6-8 interfaces with different LAN
topologies. Starting from Squid 2.7, then 3.4, 3.5, 4.x and now 5.x. All
without serious problems.

But on bare-metal.

08.02.2018 05:25, setuid writes:
> On 2/7/18 5:37 PM, Rafael Akchurin wrote:
>> How is your network configured? Your rules indicate you have 2 NICs but you later say you have one...
> Originally, I started with 1 NIC (it's a VM), and added 2 more, because
> I read that pf/ipfw can't rewrite ingress packets on the same interface
> it used for egress, but I haven't tried creating a bridge and routes to
> attempt to make that work yet.
>
> The Ubuntu machine has 2 NICs; primary NIC is WAN facing (internet
> routable IP bound to eth0) and the secondary NIC sits on the "backup"
> network (LAN-side) on 192.168.2.x.
>
> Let's break it down:
>
> [WAN router]
>   |-- LAN: 192.168.1.1 (wired LAN)
>   `-- WWAN: 10.0.1.1 (wireless clients)
>
> BSD VM: 192.168.1.25
>
> Ubuntu VM:
>   |-- INET: 32.215.x.x
>   `-- LAN: 192.168.2.x
>
> The WAN router is what sends traffic sent over it on :80, over to .1.25
> (BSD) to cache.
>
> Previously, I had it pointed to Squid 2.6 sitting on my NAS
> (192.168.1.20) and that would work perfectly as a transparent proxy.
>
> When I pointed the WAN router to .25 instead of .20, and upgraded the
> version of Squid by using BSD's version from ports on .25, this process
> all fell apart.
>
> So... is having 3 NICs (1 NIC + 2 bridged together as bridge0) *now* a
> requirement to get transparent proxying working with anything using
> Squid 3.x or later?
>
> Can this be done with a single NIC sitting on an Internet-facing LAN
> segment?
>
> If so, how?

-- 
*****************************
* C++20 : Bug to the future *
*****************************


