[squid-users] questions setting up transparent proxy
John Ratliff
john at bluemarble.net
Wed Jan 3 20:06:42 UTC 2018
When I try to set up squid as a transparent proxy, I never get any
response from Squid.
I can make it work fine as a regular proxy using Firefox.
I've tried it on a Debian 9 server and a CentOS 7 server, and I get the
same result.
This is my configuration for the CentOS 7 server. I've put it wide open
right now.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128 intercept
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
When I try a wget request from a server that is being redirected to
Squid, I get this:
$ wget debian.org
--2018-01-03 14:50:24-- http://debian.org/
Resolving debian.org (debian.org)... 130.89.148.14, 149.20.4.15,
128.31.0.62, ...
Connecting to debian.org (debian.org)|130.89.148.14|:80... connected.
HTTP request sent, awaiting response... No data received.
Retrying.
If I remove 'intercept' from the http_port directive, I get 400 Bad
Request instead.
$ wget debian.org
--2018-01-03 14:49:22-- http://debian.org/
Resolving debian.org (debian.org)... 5.153.231.4, 130.89.148.14,
149.20.4.15, ...
Connecting to debian.org (debian.org)|5.153.231.4|:80... connected.
HTTP request sent, awaiting response... 400 Bad Request
2018-01-03 14:49:22 ERROR 400: Bad Request.
Both machines are behind the same firewall. I used
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.77.9.120:3128
to do the traffic redirect.
Traffic flows to the server running squid. I can verify this with
tcpdump. The packets are making it from wget to the server. I just don't
know what happens after that.
Thanks.
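
The posted configuration ends its http_access list with `allow all`, which the poster describes as wide open. As an added example (not part of the original message and not Squid code), this simplified Python model of Squid's first-match http_access evaluation shows which requests that list admits and what changes when the last line becomes `deny all`. It assumes a subset of the posted lines, models only the src, port and method ACL types, and uses constructed client addresses.

```python
import ipaddress

# Subset of the acl/http_access lines from the message above (IPv4 only).
CONF = """\
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow all
"""
# Same list with the final catch-all turned into a deny.
HARDENED = CONF.replace("http_access allow all", "http_access deny all")
# Constructed request from a client outside the RFC1918 ranges.
OUTSIDE = {"src": "203.0.113.7", "port": 80, "method": "GET"}

def parse(conf):
    acls, rules = {"all": [("src", "0.0.0.0/0")]}, []  # "all" is built in
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], []).extend((tok[2], v) for v in tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def value_matches(kind, value, req):
    if kind == "src":
        return ipaddress.ip_address(req["src"]) in ipaddress.ip_network(value)
    if kind == "port":
        lo, _, hi = value.partition("-")
        return int(lo) <= req["port"] <= int(hi or lo)
    if kind == "method":
        return req["method"] == value
    raise ValueError(f"ACL type not modelled: {kind}")

def decide(conf, req):
    acls, rules = parse(conf)
    action = "allow"  # so that an empty list falls through to "deny"
    for action, names in rules:
        # Values of one ACL are OR'ed; all ACLs on a line must match (AND).
        hits = (any(value_matches(k, v, req) for k, v in acls[n.lstrip("!")])
                != n.startswith("!") for n in names)
        if all(hits):
            return action  # first matching line decides
    return "deny" if action == "allow" else "allow"  # opposite of last line
```

Calling `decide(CONF, OUTSIDE)` and `decide(HARDENED, OUTSIDE)` shows the effect of the final line on a client that is not in `localnet`.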