[squid-users] transparently proxy squid in a docker container

Wed Feb 24 13:21:46 UTC 2021

I believe I have solved the forwarding loop issue by adding a preceding rule to -j ACCEPT all traffic originating from the docker network. Now I still have the SSL_ERROR_RX_RECORD_TOO_LONG issue, which seems to be unrelated. I will set logging to debug and do a wireshark session to see what might be going on.

⁣Get BlueMail for Android 

On Feb 23, 2021, 8:14 PM, at 8:14 PM, Justin Michael Schwartzbeck <justinmschw at gmail.com> wrote:
>Hi all,
>
>For some years I have used squid 3.5 with SSL bump and transparent
>proxy
>locally on my laptop. I have been using the following in my squid.conf:
>
>
>ssl_bump server-first all
>http_port 3128
>http_port 3129 intercept
>http_port 3130 ssl-bump intercept generate-host-certificates=on
>dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/bluestar.crt
>key=/etc/squid/ssl/bluestar.pem
>
>
>So if I want to manually set the proxy on the client side, I use port
>3128,
>but by default all http/https traffic is redirected to port 3129 and
>3130,
>respectively. Here are my iptables rules:
>
>
>iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner
>root -j RETURN
>iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner
>dockeruser -j RETURN
>iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT
>--to-ports
>3129
>iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner
>--uid-owner
>root -j RETURN
>iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner
>--uid-owner
>dockeruser -j RETURN
>iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT
>--to-ports
>3130
>
>
>dockeruser is the user that starts the docker container, and proxy is
>the
>actual squid user. I didn't know which one I needed a rule for, so I
>just
>chose both.
>
>As I said before, this worked great when I was running squid 3.5 on
>bare
>metal. Now I am running squid 4 in a docker container. I am seeing the
>following error many times in the squid logs when I try to use the
>transparent proxy:
>
>
>2021/02/24 01:45:17| WARNING: Forwarding loop detected for:
>
>GET /success.txt HTTP/1.1
>
>User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
>Firefox/78.0
>
>Accept: */*
>
>Accept-Language: en-US,en;q=0.5
>
>Accept-Encoding: identity,gzip,deflate
>
>Pragma: no-cache
>
>Via: 1.1 19deb96addda (squid/4.11)
>
>X-Forwarded-For: 172.18.0.1
>
>Cache-Control: no-cache
>
>Host: detectportal.firefox.com
>
>
>And from firefox I see this:
>
>WARNING: Forwarding loop detected for
>
>SSL_ERROR_RX_RECORD_TOO_LONG
>
>
>I feel like I am very close, but I'm not sure what I am missing. Does
>someone else know of a better way to do this? I had assumed that since
>I
>publish the ports, I should be able to redirect to them the same way I
>would if squid were running locally.
>
>
>I would appreciate any help in figuring this out.
>
>Thanks,
>
>-Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20210224/0423d0bf/attachment.htm>