[squid-users] questions setting up transparent proxy

Amos Jeffries squid3 at treenet.co.nz
Thu Jan 4 02:05:29 UTC 2018

On 04/01/18 14:09, John Ratliff wrote:
> On 1/3/2018 3:26 PM, Antony Stone wrote:
>> On Wednesday 03 January 2018 at 21:06:42, John Ratliff wrote:
>>> When I try to setup squid as a transparent proxy, I never get any
>>> response from Squid.
>>> When I try a wget request from a server that is being redirected
>> How (and more importantly, where) are you doing the redirect?
>>> Both machines are behind the same firewall. I used
>>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
>> If that firewall is not on the machine running Squid, then that's your 
>> problem.
>>> Traffic flows to the server running squid. I can verify this with
>>> tcpdump. The packets are making it from wget to the server. I just don't
>>> know what happens after that.
>> https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>> "NOTE: This configuration is given for use *on the squid box*. This is 
>> required
>> to perform intercept accurately and securely. To intercept from a gateway
>> machine and direct traffic at a *separate squid box* use policy routing."
>> https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>> Antony.
> Thanks. I put squid on the firewall itself. It works for http, but not 
> for https. I get errors with curl and wget.
> $ curl https://debian.org
> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> $ wget https://debian.org
> --2018-01-03 20:02:45--  https://debian.org/
> Resolving debian.org (debian.org)...,, 
>, ...
> Connecting to debian.org (debian.org)||:443... connected.
> GnuTLS: An unexpected TLS packet was received.
> Unable to establish SSL connection.
> I made some config changes:
> http_port 3128 intercept
> http_port 3129 intercept ssl-bump generate-host-certificates=on 
> cert=/etc/squid/squid.pem

That should be:

  https_port 3129 intercept ssl-bump generate-host-certificates=on \

Note the 's' in https_port.

> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> ssl_bump bump all

This instructs Squid to bump before even receiving the client TLS 
handshake - i.e. generate a server certificate with zero details to work 
with about what the client wants.
That leads to a LOT of problems and security issues. Please do not do that.

See <https://wiki.squid-cache.org/Features/SslPeekAndSplice> for better 
config examples.

> Here are my PREROUTING nat table rules.
> REDIRECT tcp  -- anywhere tcp dpt:http redir ports 3128
> REDIRECT tcp  -- anywhere tcp dpt:https redir ports 3129
> And in the INPUT chain of the filter table:
> ACCEPT tcp  -- anywhere tcp dpt:3128
> ACCEPT tcp  -- anywhere tcp dpt:3129
> The server I am on has IP

You appear to be missing the MASQUERADE rule to send packets back to the 

Also the mangle table (*not* filter) rules are important to block 
external traffic directly to those Squid ports without interfering with 
the NAT operations.
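Putting the two corrections above together, here is an added example (not from the thread or the Squid project) that prints a squid.conf fragment using https_port with peek-before-bump, and the matching nat and mangle rules in iptables-restore format. SQUID_IP and LAN_IF are constructed placeholders; the ports and certificate paths are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): print the two config fragments the
# reply asks for, for a Squid box that intercepts its own LAN's 80/443.
# SQUID_IP and LAN_IF are constructed placeholders; ports follow the thread.
SQUID_IP="${SQUID_IP:-192.0.2.1}"
LAN_IF="${LAN_IF:-eth1}"

# squid.conf fragment: https_port (not http_port) for TLS interception, and
# peek at step 1 before bumping so the generated certificate can mirror the
# client's SNI/server details instead of being issued with zero information.
squid_conf() {
  cat <<EOF
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on \\
    cert=/etc/squid/squid.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
EOF
}

# Firewall rules in iptables-restore format; load with:
#   iptables_rules | iptables-restore --noflush
iptables_rules() {
  cat <<EOF
*nat
# Squid's own outbound fetches must never be redirected back into Squid
-A PREROUTING -s ${SQUID_IP} -p tcp --dport 80 -j ACCEPT
-A PREROUTING -s ${SQUID_IP} -p tcp --dport 443 -j ACCEPT
-A PREROUTING -i ${LAN_IF} -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i ${LAN_IF} -p tcp --dport 443 -j REDIRECT --to-ports 3129
# MASQUERADE so replies for the LAN's connections come back through this box
-A POSTROUTING ! -o ${LAN_IF} -j MASQUERADE
COMMIT
*mangle
# mangle PREROUTING runs before nat, so it still sees the original dport:
# redirected client packets (dport 80/443) pass, while anything aimed
# directly at the intercept ports is dropped without touching the NAT rules.
-A PREROUTING -p tcp --dport 3128 -j DROP
-A PREROUTING -p tcp --dport 3129 -j DROP
COMMIT
EOF
}
```

Review the printed output before loading it; the rule set assumes the box is the LAN's gateway, as in the thread, and that nothing else already uses ports 3128/3129.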
