[squid-users] questions setting up transparent proxy

John Ratliff john at bluemarble.net
Thu Jan 4 01:09:01 UTC 2018

On 1/3/2018 3:26 PM, Antony Stone wrote:
> On Wednesday 03 January 2018 at 21:06:42, John Ratliff wrote:
>> When I try to setup squid as a transparent proxy, I never get any
>> response from Squid.
>> When I try a wget request from a server that is being redirected
> How (and more importantly, where) are you doing the redirect?
>> Both machines are behind the same firewall. I used
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
> If that firewall is not on the machine running Squid, then that's your problem.
>> Traffic flows to the server running squid. I can verify this with
>> tcpdump. The packets are making it from wget to the server. I just don't
>> know what happens after that.
> https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
> "NOTE: This configuration is given for use *on the squid box*. This is required
> to perform intercept accurately and securely. To intercept from a gateway
> machine and direct traffic at a *separate squid box* use policy routing."
> https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
> Antony.

Thanks. I put squid on the firewall itself. It works for http, but not 
for https. I get errors with curl and wget.

$ curl https://debian.org
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown 

$ wget https://debian.org
--2018-01-03 20:02:45--  https://debian.org/
Resolving debian.org (debian.org)...,,, ...
Connecting to debian.org (debian.org)||:443... connected.
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.

I made some config changes:

http_port 3128 intercept
http_port 3129 intercept ssl-bump generate-host-certificates=on 

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

ssl_bump bump all

Here are my PREROUTING nat table rules.

REDIRECT tcp  -- anywhere tcp dpt:http redir ports 3128
REDIRECT tcp  -- anywhere tcp dpt:https redir ports 3129

And in the INPUT chain of the filter table:

ACCEPT tcp  -- anywhere tcp dpt:3128
ACCEPT tcp  -- anywhere tcp dpt:3129

The server I am on has IP
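
As an added check that is not part of this thread, the script below cross-checks the PREROUTING REDIRECT rules and squid.conf lines quoted above: a port that receives redirected 443 traffic has to be an `https_port ... intercept ssl-bump` listener, because an `http_port` expects plaintext HTTP, and the client errors shown above are what curl and wget report when a TLS ClientHello gets a non-TLS reply. The two sample inputs are constructed from the post; everything else (function names, the `iptables -t nat -L` line format it parses) is my own assumption.

```python
"""Cross-check iptables REDIRECT targets against squid.conf listeners."""
import re

# Constructed from the post: PREROUTING nat rules as printed by `iptables -t nat -L`
IPTABLES_NAT = """\
REDIRECT tcp  -- anywhere tcp dpt:http redir ports 3128
REDIRECT tcp  -- anywhere tcp dpt:https redir ports 3129
"""

# Constructed from the post: the relevant squid.conf lines
SQUID_CONF = """\
http_port 3128 intercept
http_port 3129 intercept ssl-bump generate-host-certificates=on
ssl_bump bump all
"""

SERVICE_PORTS = {"http": 80, "https": 443}
REDIRECT_RE = re.compile(r"^REDIRECT\s+tcp\s.*dpt:(\S+)\s+redir ports\s+(\d+)")
PORT_RE = re.compile(r"^(http_port|https_port)\s+(?:\S*:)?(\d+)\s*(.*)$")

def parse_redirects(text):
    """Return {squid_listen_port: original_destination_port}."""
    out = {}
    for line in text.splitlines():
        m = REDIRECT_RE.match(line.strip())
        if m:
            dport, target = m.groups()
            out[int(target)] = SERVICE_PORTS.get(dport) or int(dport)
    return out

def parse_listeners(text):
    """Return {port: (directive, set_of_options)} from squid.conf."""
    out = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            directive, port, rest = m.groups()
            out[int(port)] = (directive, set(rest.split()))
    return out

def check(iptables_text, squid_conf):
    """Return a list of (squid_port, problem) for every mismatched redirect."""
    findings = []
    listeners = parse_listeners(squid_conf)
    for sport, dport in parse_redirects(iptables_text).items():
        if sport not in listeners:
            findings.append((sport, "no squid listener on redirected port"))
            continue
        directive, opts = listeners[sport]
        if "intercept" not in opts:
            findings.append((sport, f"{directive} is missing 'intercept'"))
        if dport == 443 and directive != "https_port":
            findings.append((sport, "443 traffic is TLS: listener must be https_port with ssl-bump"))
        elif dport == 443 and "ssl-bump" not in opts:
            findings.append((sport, "https_port intercept without ssl-bump"))
    return findings

if __name__ == "__main__":
    for port, problem in check(IPTABLES_NAT, SQUID_CONF):
        print(f"port {port}: {problem}")
```

Run against the post's configuration it reports only port 3129; renaming that line to `https_port` (and giving it a CA cert, as the SslBump wiki page describes) clears the finding.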
