[squid-users] Introduction & Squid ports

Nicolas Kovacs info at microlinux.fr
Sun Mar 11 07:51:06 UTC 2018


Hi,

I'm new to this list, so let me introduce myself. I'm a 50-year-old
Austrian living in Montpezat (South France), and I'm the manager of a
small IT company with a focus on Linux and free software.

I've been using Squid for a few years, but only as a transparent HTTP
proxy. Here's my blog article (in French) about that configuration on
CentOS 7:

https://blog.microlinux.fr/squid-centos/

These last two weeks I've been experimenting quite a lot with using
Squid as a transparent HTTP+HTTPS proxy. I've also written a blog
article about this setup:

https://blog.microlinux.fr/squid-https-centos/

This configuration is running quite nicely, though I still have to sand
down a few rough edges. I went through quite a lot of trial and error,
using the Squid wiki as well as a handful of tutorials I found on the
Internet.

Here's the section of my squid.conf file defining ports:

--8<-------------------------------------------------------------
# Proxy ports
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/amandine.sandbox.lan.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
--8<-------------------------------------------------------------

And here's the corresponding section of my firewall script:

--8<-------------------------------------------------------------
# Commands
IPT=/usr/sbin/iptables
SYS=/usr/sbin/sysctl
SERVICE=/usr/sbin/service

# Internet
IFACE_INET=enp2s0

# Local network
IFACE_LAN=virbr0
IFACE_LAN_IP=192.168.2.0/24

# Server
SERVER_IP=192.168.2.1

...

# Squid: accept LAN connections to the three Squid ports, and redirect
# outbound HTTP/HTTPS (except traffic addressed to the server itself)
# to the intercept ports. Squid listens on TCP only, so the udp rules
# below are unused but harmless.
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3128 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3128 -j ACCEPT
$IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
  --dport 80 -j REDIRECT --to-port 3128
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3129 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3129 -j ACCEPT
$IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
  --dport 443 -j REDIRECT --to-port 3129
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3130 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3130 -j ACCEPT
--8<-------------------------------------------------------------

This configuration works perfectly and gives me no errors whatsoever,
though I don't quite understand why I need all these ports. When I used
only HTTP, I had this configuration:

http_port 3128 transparent

So I wonder why it wasn't possible to have something like this:

http_port 3128 transparent
https_port 3129 transparent ssl-bump

I'm not sure about how the "intercept" mode works. As far as I
understand, connections to port 80 get redirected to port 3128 by the
firewall, but what then? Does "http_port 3128 intercept" mean that Squid
redirects these again and sends them to its internal port 3130?

Similarly, connections to port 443 get redirected to port 3129 by the
firewall, so far so good. But I don't understand how to read "https_port
3129 intercept". Again, does this mean that Squid redirects these to its
internal port 3130, along with HTTP connections?

In short, my configuration works, but I'd like to get a better grasp on
*how* it works.

Cheers from the sunny South of France,

Niki Kovacs

-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tel. : 04 66 63 10 32
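The port mapping asked about above can be checked mechanically: on a port flagged `intercept`, Squid recovers each connection's original destination from the kernel NAT table that the REDIRECT rule filled in, so every REDIRECT target must be a Squid port carrying that flag (plus `ssl-bump` for port 443), while a plain port such as 3130 only serves clients explicitly configured to use the proxy. The sh script below is an added example, not part of the post or of Squid; it works on inline, constructed copies of the posted squid.conf port lines and of the two REDIRECT rules in `iptables-save` form, and `squid_port_mode` and `check_redirects` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed copy of the port lines from the post's squid.conf (sample input, not read from disk).
SQUID_CONF='http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/amandine.sandbox.lan.pem'

# Constructed NAT rules, in the form "iptables-save -t nat" prints the post's two REDIRECT rules.
NAT_RULES='-A PREROUTING -i virbr0 ! -d 192.168.2.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i virbr0 ! -d 192.168.2.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129'

# squid_port_mode PORT: prints "forward", "intercept", "intercept+ssl-bump" or "none",
# depending on the http_port/https_port line that defines PORT (hypothetical helper).
squid_port_mode() {
    printf '%s\n' "$SQUID_CONF" | awk -v p="$1" '
        ($1 == "http_port" || $1 == "https_port") && $2 == p {
            mode = "forward"
            for (i = 3; i <= NF; i++) if ($i == "intercept" || $i == "transparent") mode = "intercept"
            for (i = 3; i <= NF; i++) if ($i == "ssl-bump") mode = mode "+ssl-bump"
            print mode; found = 1; exit
        }
        END { if (!found) print "none" }'
}

# check_redirects: for each REDIRECT rule, verify that its --to-ports target is a Squid port
# flagged intercept (plus ssl-bump for 443). Prints one verdict per rule; returns 1 on any BAD.
check_redirects() {
    rc=0
    pairs=$(printf '%s\n' "$NAT_RULES" | awk '/-j REDIRECT/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport") d = $(i + 1)
            if ($i == "--to-ports" || $i == "--to-port") t = $(i + 1)
        }
        print d ":" t }')
    for pair in $pairs; do
        dport=${pair%%:*}; toport=${pair##*:}
        mode=$(squid_port_mode "$toport")
        case "$dport:$mode" in
            80:intercept)           verdict="OK" ;;
            443:intercept+ssl-bump) verdict="OK" ;;
            *:none)                 verdict="BAD: Squid has no *_port line for $toport"; rc=1 ;;
            *:forward*)             verdict="BAD: port $toport lacks the intercept flag"; rc=1 ;;
            *)                      verdict="BAD: mode '$mode' does not match dport $dport"; rc=1 ;;
        esac
        echo "dport $dport -> Squid port $toport: $verdict"
    done
    return $rc
}

check_redirects
```

Pointing a REDIRECT rule at the plain port 3130 instead would be reported as BAD, which is the misconfiguration the intercept flag exists to prevent.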
