<div dir="ltr"><div class="gmail_quote"><div dir="ltr">Hi.<div><div><br></div><div>I've been trying to set up a local squid server on my home LAN to cache HTTP (not HTTPS) pages. I want to avoid any client configuration, so I'm aiming for a transparent proxy - with squid in intercept mode.<br></div><div><br></div><div>In my network setup, the squid server is inside the LAN together with its clients, and not sitting between the clients and the router/modem like all guides assume. Furthermore, requests originating from the same machine where squid is running should be cached as well.</div><div><br></div><div>I've set up squid inside a docker container, on a fedora 24 image. The squid version is 3.5.19. In squid.conf I've added a new http_port line, for port 8080 with the intercept flag:</div><div>http_port 8080 intercept</div><div><br></div><div>My router is a Mikrotik router board, so it's trivial to set up a DNAT rule to redirect all TCP requests to the squid server. To avoid forwarding loops, I've marked all packets originating from squid with DSCP 4 using iptables rules, and excluded those from the DNAT rule on the router. I've tested this by running wget requests from inside the docker container, and those went through without any redirection.</div></div><div><br></div><div>Now comes the problem:</div><div>When any of the redirected requests reaches squid, squid replies instantly with TCP_MISS/403. Since all traffic from the squid machine is marked with a specific DSCP, it's also easy to see that squid made no requests to the outside world before giving that reply. Running tcpdump on the host machine shows no other packets being sent other than the 403 reply.</div><div><br></div><div>What's happening? 
Why doesn't squid try to fetch the requested pages at all?<br></div><div><br></div><div><br></div><div>From my understanding, my setup is roughly equivalent to <a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat" target="_blank">http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat</a>, only the DNAT is happening outside the squid box; there is no reason this should interfere with anything.</div><div><br></div><div><a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute" target="_blank">http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute</a> seems to recommend routing without DNAT; this seems weird, as the only way I can see this working is if the squid machine accepted packets to any address as its own.</div><div><br></div><div><br></div><div>TL;DR:</div><div>When running squid in intercept mode, inside a docker container, routing traffic to it through dst-nat rules on an external router, squid replies with '403 forbidden' to all requests. access.log lists TCP_MISS/403, but tcpdump indicates that squid never tries to query the requested page at all.<br></div></div>
</div><br></div>
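<p>Added example (not part of the post above, and not Squid's own code): two checks a practitioner would run on the squid host when debugging an intercept setup like the one described. First, on Linux, Squid's intercept mode recovers the client's original destination with the <code>SO_ORIGINAL_DST</code> socket option, which reads the local conntrack NAT table; the helper below performs that lookup on an accepted socket and parses the returned <code>sockaddr_in</code>, so you can see directly whether the host where squid runs actually has a NAT mapping for the redirected connection (the lookup fails when the kernel has no entry). Second, the DSCP-based loop avoidance from the post is verified by decoding the DSCP field from the IPv4 TOS byte and building the matching tcpdump filter. The sample header bytes, the <code>SO_ORIGINAL_DST</code> value of 80 (from <code>linux/netfilter_ipv4.h</code>) and the TEST-NET address are constructed for the example; the live lookup needs root and a real intercepted connection, so it is only exercised when a socket is supplied.</p>

```python
import socket
import struct

# Value of SO_ORIGINAL_DST from linux/netfilter_ipv4.h (assumption: Linux host).
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(buf):
    """Decode a struct sockaddr_in as returned by getsockopt(SO_ORIGINAL_DST).

    Layout: sa_family (u16, host byte order), sin_port (u16, network byte
    order), sin_addr (4 bytes), then 8 bytes of zero padding.
    Returns (ip_string, port) or raises ValueError on a non-AF_INET buffer.
    """
    if len(buf) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(buf))
    (family,) = struct.unpack_from("=H", buf, 0)
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr (family=%d)" % family)
    (port,) = struct.unpack_from("!H", buf, 2)
    ip = socket.inet_ntoa(buf[4:8])
    return ip, port


def original_destination(conn):
    """Ask the kernel for the pre-DNAT destination of an accepted TCP socket.

    This is the same lookup Squid's Linux intercept mode relies on. It only
    succeeds when the NAT rewrite happened on this host (so conntrack holds
    the mapping); if the DNAT was done elsewhere, getsockopt raises and we
    return None so the caller can tell the two situations apart.
    """
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return None
    return parse_sockaddr_in(raw)


def dscp_from_tos(tos_byte):
    """Upper 6 bits of the IPv4 TOS byte are the DSCP codepoint."""
    return (tos_byte & 0xFF) >> 2


def tos_from_dscp(dscp):
    """Inverse of dscp_from_tos: TOS byte with ECN bits cleared."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63, got %d" % dscp)
    return dscp << 2


def tcpdump_dscp_filter(dscp):
    """BPF expression matching IPv4 packets carrying exactly this DSCP.

    ip[1] is the TOS byte; masking with 0xfc ignores the two ECN bits so
    the filter still matches if ECN is negotiated on the flow.
    """
    return "ip[1] & 0xfc == 0x%02x" % tos_from_dscp(dscp)


def ipv4_header_dscp(header):
    """Pull the DSCP out of a raw IPv4 header (e.g. from a pcap payload)."""
    if len(header) < 20:
        raise ValueError("IPv4 header too short")
    version = header[0] >> 4
    if version != 4:
        raise ValueError("not an IPv4 header (version=%d)" % version)
    return dscp_from_tos(header[1])


def _constructed_examples():
    """Constructed inputs used to demonstrate the helpers offline."""
    # sockaddr_in for 198.51.100.10:80 (TEST-NET-2, not a real destination).
    sockaddr = (struct.pack("=H", socket.AF_INET)
                + struct.pack("!H", 80)
                + socket.inet_aton("198.51.100.10")
                + b"\x00" * 8)
    # Minimal IPv4 header with TOS=0x10 (DSCP 4, as the post's iptables rule
    # would set it); other fields are filler for the example.
    ip_header = bytes([0x45, 0x10, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00,
                       0x40, 0x06, 0x00, 0x00,
                       192, 168, 1, 50,          # src (example LAN address)
                       198, 51, 100, 10])        # dst (TEST-NET-2)
    return sockaddr, ip_header


if __name__ == "__main__":
    sockaddr, ip_header = _constructed_examples()
    print("original destination:", parse_sockaddr_in(sockaddr))
    print("DSCP in sample header:", ipv4_header_dscp(ip_header))
    print("tcpdump filter for DSCP 4:", tcpdump_dscp_filter(4))
```

<p>To use the live lookup, bind a listener on the port the router's dst-nat rule targets, accept a connection that arrived through the redirect, and pass the accepted socket to <code>original_destination()</code>; a <code>None</code> result means the kernel on that host has no NAT record for the connection. The tcpdump filter is what to pass to <code>tcpdump -ni &lt;iface&gt; 'ip[1] &amp; 0xfc == 0x10'</code> on the squid host to confirm that only squid's own outbound traffic carries DSCP 4 and that redirected client traffic does not.</p>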