[squid-users] Non-Transparent HTTP+HTTP Proxy

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Sep 16 10:55:07 UTC 2019 

On 16.09.19 05:45, sknz wrote:
>[Updated] I'm trying to configure Squid 3.5.3 for access controller/captive
>portal last few days.
>
>#1 For this config, on client device:  *URL could not be retrieved - Invalid
>Url*
>http_port 3128
>
>#2 Squid log throws an Error - No forward port
>http_port 3128 intercept
>
>#3 On client device:  *URL could not be retrieved - Invalid Url*
>http_port 3128
>http_port 3127 intercept
>
>#4 On client device: Unable to forward this request
>http_port 3128 accel
>
>#5 Now this works!
>http_port 3128 accel allow-direct
>
>Under same settings in other things, I've changed Squid config # 1 to 5, can
>you guess what's happening here? What's so special about "allow-direct"
>here?  Why transparent proxy is not working? Why forward proxy is working
>only with "allow-direct"?

first, configure proxy with port3128 without "accel", "intercept", "tproxy",
and "ssl-bump".

port 3128 should not use first three, and using the fourth can make things
more compicated.

then, cofigure your browser to use proxy at port 3128. This must work.

"accel" and further "allow-direct" should be used on reverse proxies, not
when you use proxy for connecting clients to the world. They need proper
configuration on squid. They must not be used on forward proxy ports.

"intercept" and further "tproxy" should be used on different port, both need
special configuration on the router/firewall.


Note that clients with explicit proxy should not connect to intercept port,
and clients without explicit proxy should not connect to the standard 3128
port without intercept and tproxy.

when using intercept, you should allow connections from proxy to the world
and not redirect them back to the proxy.

As I have already said, if you use solutions like coovachilli, they should
provide instructions on how to configure intercepting proxy.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name.

More information about the squid-users mailing list