[squid-users] Unsuccessful at using Squid v4 with intercept

FOUTREL Sébastien sfoutrel at ecritel.net
Thu Oct 31 16:53:17 UTC 2019




________________________________
From: squid-users <squid-users-bounces at lists.squid-cache.org> on behalf of Antony Stone <Antony.Stone at squid.open.source.it>
Sent: Wednesday, 30 October 2019 17:39
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Unsuccessful at using Squid v4 with intercept

On Wednesday 30 October 2019 at 17:11:29, FOUTREL Sébastien wrote:

> Hello, I would like to use squid as a transparent proxy for my users.

> "Clients" are behind a Debian "Router" which MASQUERADE them (as they use
> RFC 1918 ips).
>
> I have a Squid 4.6 from Debian Buster packages installed on a "Proxy"
> server which is outside my network.
>
> I read a lot of tutorials and examples from squid site...

Did that include the links I've given below?

Yes, I read almost all the example configs from wiki.squid-cache.org <https://wiki.squid-cache.org/SquidFaq/InterceptionProxy>, and I was misled by the fact that there is a DNAT config and a REDIRECT config. DNAT is completely useless if Squid only supports being on the router.
Wasn't it possible to DNAT to a different server with older versions (my memory is faulty)?
http://tldp.org/HOWTO/TransparentProxy-6.html for example.



I read the "fw mark and route policy" method as an alternative, not the only way to go. My mistake.


> I applied a DNAT to traffic coming from Clients through Router to Proxy.
>
> iptables -tnat -A PREROUTING -i LAN_3500 -p tcp -m tcp --dport 80 -j DNAT
> --to-destination <Proxy>:3129

Have you put this rule onto the firewall you mention, or the Squid box itself?

https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Requirements_and_methods_for_Interception_Caching

states "NAT configuration will only work when used *on the squid box* ."

So, you *must* put that rule on the Squid machine itself, not on the firewall.

It goes on to say "To intercept from a gateway machine and direct traffic at a
separate squid box use policy routing." with a link to
https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

> HTTP is coming to squid successfully but squid logs show a request coming
> from proxy himself and a request coming from Router (as Clients are NATed
> by Router)

Ah, so you *are* doing the NAT on the router :)  Don't :)

> if I allow in squid.conf the Proxy IP, I end up with a Forward loop...
>
>
> I also tried the tproxy scenario with no success.

Well, give us some details of what you tried, how you configured it, what
worked, and what didn't work, and we might be able to help, otherwise we can
only say "well, tproxy does work if set up properly, so if yours doesn't work,
it isn't set up properly", which isn't a very helpful answer...

I read with a new eye the tproxy page https://wiki.squid-cache.org/ConfigExamples/FullyTransparentWithTPROXY and found that I forgot the policy routing part.
Will try again.

Thanks for your help.
Sebastien.

Antony.

--
If at first you don't succeed, destroy all the evidence that you tried.

                                                   Please reply to the list;
                                                         please *don't* CC me.
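As an added illustration of the layout Antony points to (the router does policy routing, the Squid box does its own NAT), written for this page and not taken from the thread or the Squid wiki; it assumes the Squid box is directly reachable as a next hop from the router, and every address, interface, mark and table value other than LAN_3500 and port 3129 is a constructed placeholder:

```shell
# Added example, not from the thread or the Squid wiki: the two rule sets the policy-routing
# layout needs, generated as text so they can be reviewed before being applied.
# All values are constructed placeholders except LAN_3500 and 3129, which the thread mentions.
ROUTER_LAN_IF="LAN_3500"    # LAN-facing interface on the Debian router
PROXY_IP="192.0.2.10"       # address of the separate Squid box (assumption)
PROXY_IN_IF="eth0"          # Squid box interface facing the router (assumption)
SQUID_PORT="3129"           # matches "http_port 3129 intercept" in squid.conf
FWMARK="1"; RT_TABLE="100"  # fwmark and routing table for policy routing (assumption)
# Router: mark client port-80 traffic and route it to the proxy. No DNAT here: the destination
# must stay the origin server, otherwise the Squid box cannot recover it and, as in the thread,
# forwards the request to itself. The ACCEPT keeps the router's MASQUERADE off this traffic.
router_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $ROUTER_LAN_IF -p tcp --dport 80 -j MARK --set-mark $FWMARK
iptables -t nat -I POSTROUTING 1 -m mark --mark $FWMARK -j ACCEPT
ip rule add fwmark $FWMARK table $RT_TABLE
ip route add default via $PROXY_IP table $RT_TABLE
EOF
}

# Squid box: the NAT happens here, where conntrack can hand Squid the original destination.
# Squid's own outbound fetches leave via OUTPUT, not PREROUTING, so no forward loop.
proxy_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $PROXY_IN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
EOF
}

# Check for the mistake in the thread: router rules must not rewrite the destination (0 = clean).
check_no_dnat_on_router() {
    if router_rules | grep -q -- '-j DNAT'; then
        return 1
    fi
    return 0
}

# apply_rules router|proxy prints the commands (dry run); APPLY=1 executes them instead.
apply_rules() {
    case "$1" in
        router) rules=$(router_rules) ;;
        proxy)  rules=$(proxy_rules) ;;
        *) echo "usage: apply_rules router|proxy" >&2; return 2 ;;
    esac
    if [ "${APPLY:-0}" = "1" ]; then
        echo "$rules" | sh -e
    else
        echo "$rules"
    fi
}
```

The Squid box also needs a route back to the clients' RFC 1918 ranges via the router, or its replies never reach them.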