[squid-users] transparently proxy squid in a docker container

Justin Michael Schwartzbeck justinmschw at gmail.com
Wed Feb 24 02:14:49 UTC 2021


Hi all,

For some years I have used squid 3.5 with SSL bump and transparent proxy
locally on my laptop. I have been using the following in my squid.conf:


ssl_bump server-first all
http_port 3128
http_port 3129 intercept
http_port 3130 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/bluestar.crt key=/etc/squid/ssl/bluestar.pem


So if I want to manually set the proxy on the client side, I use port 3128,
but by default all http/https traffic is redirected to port 3129 and 3130,
respectively. Here are my iptables rules:


iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner dockeruser -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner root -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner dockeruser -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130


dockeruser is the user that starts the docker container, and proxy is the
actual squid user. I didn't know which one I needed a rule for, so I just
chose both.

As I said before, this worked great when I was running squid 3.5 on bare
metal. Now I am running squid 4 in a docker container. I am seeing the
following error many times in the squid logs when I try to use the
transparent proxy:


2021/02/24 01:45:17| WARNING: Forwarding loop detected for:
GET /success.txt HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity,gzip,deflate
Pragma: no-cache
Via: 1.1 19deb96addda (squid/4.11)
X-Forwarded-For: 172.18.0.1
Cache-Control: no-cache
Host: detectportal.firefox.com


And from Firefox I see this:

WARNING: Forwarding loop detected for
SSL_ERROR_RX_RECORD_TOO_LONG


I feel like I am very close, but I'm not sure what I am missing. Does
someone else know of a better way to do this? I had assumed that since I
publish the ports, I should be able to redirect to them the same way I
would if squid were running locally.


I would appreciate any help in figuring this out.

Thanks,

-Justin
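As an added example (not part of Justin's message or the Squid project): a small Python audit that walks nat OUTPUT rules in the order they were added and reports which REDIRECT rules would still catch connections made by a given uid. A RETURN for the wrong user, or one placed after the REDIRECT, excludes nothing, which is one way a proxy's own outbound connections end up redirected back to it and logged as a forwarding loop. The rule text is constructed from the commands in the post; the uid names checked are the ones the post mentions.

```python
"""Audit nat OUTPUT rules: which REDIRECTs still match a given uid's traffic?"""
import shlex

# Constructed sample: the six rules from the post, one command per line.
SAMPLE_RULES = """
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner dockeruser -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner root -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner dockeruser -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
"""

def parse_rule(line):
    """Extract chain, dport, uid, target and --to-ports from one iptables command."""
    toks = shlex.split(line)
    if "-A" not in toks:
        return None                      # blank line or something that is not an append
    rule = {"chain": toks[toks.index("-A") + 1]}
    for flag, name in (("--dport", "dport"), ("--uid-owner", "uid"),
                       ("-j", "target"), ("--to-ports", "to")):
        if flag in toks:
            rule[name] = toks[toks.index(flag) + 1]
    return rule

def unexcluded_redirects(rules_text, uid):
    """Return [(dport, to_port), ...] for REDIRECT rules in nat OUTPUT that a
    connection from `uid` would still hit, i.e. no earlier RETURN covers it.
    A RETURN with no --uid-owner applies to everyone; no --dport means all ports."""
    excluded = set()                     # dports already returned for this uid
    caught = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if not rule or rule["chain"] != "OUTPUT":
            continue
        dport = rule.get("dport", "*")
        if rule.get("target") == "RETURN" and rule.get("uid") in (None, uid):
            excluded.add(dport)
        elif rule.get("target") == "REDIRECT" and not ({dport, "*"} & excluded):
            caught.append((dport, rule.get("to")))
    return caught

if __name__ == "__main__":
    for user in ("root", "dockeruser", "proxy"):
        hits = unexcluded_redirects(SAMPLE_RULES, user)
        print(f"{user}: {hits if hits else 'excluded from every REDIRECT'}")
```

The check covers only the host's OUTPUT chain, which sees locally generated packets; traffic leaving a bridge-networked container enters the host through PREROUTING and FORWARD instead, so a container's uid never meets these owner matches at all.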