[squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Amos Jeffries squid3 at treenet.co.nz
Thu Feb 8 03:56:56 UTC 2018


On 08/02/18 12:44, setuid wrote:
> On 2/7/18 6:36 PM, Yuri wrote:
>> Did you used ipfw NAT configuration on same box with squid?
> 
> Yes, my ipfw configuration is:
> 
> $cmd 00700 deny ip from any to any dst-port 3128 via em0
> $cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0
> $cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25 src-ip 192.168.1.1
> $cmd add 60000 permit ip from any to any


Earlier you wrote:


> My Squid configuration is 100% default, identical to the generic config,
> with the exception of the following lines:
>
> ======================
> http_port 3128
> http_port 3129 intercept
> tcp_outgoing_address 192.168.1.25
> debug_options ALL,9
> ======================


Your IPFW rules are sending intercepted traffic to port 3128.

HTTP traffic comes in multiple flavours/types. Squid-3+ enforces that the
port "mode" matches the type of traffic arriving, to maintain traffic
integrity in the face of security vulnerabilities relevant (or not) to
each traffic type.

This adds some natural limitations which were not previously visible in
Squid-2, which was broken, just not informing you of the problem(s).

These are:

* you MUST configure NAT on the same device / machine / VM that Squid is
running on. Squid requires access directly to the kernel NAT tables.

* you MUST only send traffic of a given type to the port with matching
"mode" flag.
 - explicit/forward proxy is implied when *no* more specific mode is
supplied,
 - NAT traffic requires "intercept" flag,
 - TPROXY traffic requires "tproxy" flag, and
 - interception of HTTPS traffic requires "ssl-bump" flag (which can be
combined with the others)



Also, were the build options displayed earlier the same ones you used
for testing *BSD and Linux systems?
The Linux Netfilter and *BSD PF NAT systems will never work if you
disable them and permit *only* IPFW-transparent in the Squid build.



Amos
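As an added example (not part of the thread, and not Squid project documentation), this is how the quoted configuration would be split so that each traffic type reaches a port with the matching mode: explicit browser traffic on 3128 (no mode flag) and ipfw-forwarded port-80 traffic on 3129 with the "intercept" flag, with the fwd target changed from 3128 to 3129. It assumes a LAN of 192.168.1.0/24 on em0, a Squid built with --enable-ipfw-transparent running on the same box as ipfw, and a rules file using the same $cmd convention as the quoted one; the 127.0.0.1 fwd target and the subnet are assumptions. Note also that the quoted fwd rule matches traffic *from* 192.168.1.25, which is the address Squid itself uses as tcp_outgoing_address; the example therefore allows Squid's own outgoing connections before the fwd rule so that intercepted traffic cannot loop back into the proxy.

```conf
# ---- squid.conf (only the lines that differ from the default) ----
# Explicit/forward proxy: browsers are configured to use this port.
# No mode flag, so NAT/fwd traffic must NOT be sent here.
http_port 3128
# Intercept port: receives ONLY traffic redirected by ipfw fwd.
# Squid reads the original destination via getsockname(), which
# requires --enable-ipfw-transparent and ipfw on this same host.
http_port 3129 intercept
# Address Squid uses for its own upstream connections (assumed).
tcp_outgoing_address 192.168.1.25

# ---- /etc/ipfw.rules (FreeBSD), same $cmd convention as the post ----
cmd="ipfw -q add"
lan_if="em0"                 # assumed LAN interface
lan_net="192.168.1.0/24"     # assumed client subnet
proxy_ip="192.168.1.25"      # Squid host, same as tcp_outgoing_address

# 1. Let Squid's own outgoing port-80 connections leave untouched.
#    Without this, the fwd rule below would match them too and
#    Squid would be fed its own upstream traffic (a loop).
$cmd 00600 allow tcp from $proxy_ip to any dst-port 80 out via $lan_if

# 2. Client HTTP arriving on the LAN side goes to the INTERCEPT port.
#    fwd does not rewrite the packet header, so getsockname() in Squid
#    still sees the original server address.
$cmd 00700 fwd 127.0.0.1,3129 tcp from $lan_net to any dst-port 80 in via $lan_if

# 3. Nothing may reach the intercept port directly: only rule 00700
#    (which is terminal) should deliver connections to 3129.
$cmd 00800 deny tcp from any to any dst-port 3129 in via $lan_if

# 4. The explicit proxy port stays reachable for configured clients.
$cmd 00820 allow tcp from $lan_net to $proxy_ip dst-port 3128 in via $lan_if

$cmd 60000 allow ip from any to any
```

Order matters: rule 00600 must precede 00700 so Squid's upstream traffic is never forwarded, and 00800 must follow 00700 so direct connections to 3129 are refused while forwarded ones (still carrying dst-port 80 in the header) are not. HTTPS is deliberately left alone here, as in the thread's subject; intercepting it would need a separate port with the "ssl-bump" flag.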

