<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:10pt;color:#000000;font-family:Consolas,Courier,monospace;" dir="ltr">
<p><br>
</p>
<br>
<br>
<div style="color: rgb(0, 0, 0);">
<div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>De :</b> squid-users <squid-users-bounces@lists.squid-cache.org> de la part de Antony Stone <Antony.Stone@squid.open.source.it><br>
<b>Envoyé :</b> mercredi 30 octobre 2019 17:39<br>
<b>À :</b> squid-users@lists.squid-cache.org<br>
<b>Objet :</b> Re: [squid-users] Unsuccessful at using Squid v4 with intercept</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">On Wednesday 30 October 2019 at 17:11:29, FOUTREL Sébastien wrote:<br>
<br>
> Hello, I would like to use squid as a transparent proxy for my users.<br>
<br>
> "Clients" are behind a Debian "Router" which MASQUERADE them (as they use<br>
> RFC 1918 ips).<br>
> <br>
> I have a Squid 4.6 from Debian Buster packages installed on a "Proxy"<br>
> server which is outside my network.<br>
> <br>
> I read a lot of tutorials and examples from squid site...<br>
<br>
Did that include the links I've given below?</div>
<div class="PlainText"><br>
</div>
<div class="PlainText">Yes I read almost all examples config from <a href="https://wiki.squid-cache.org/SquidFaq/InterceptionProxy" id="LPlnk311048" previewremoved="true" style="font-family: Consolas, Courier, monospace, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 13.3333px;">wiki.squid-cache.org</a></div>
<div class="PlainText"><a href="https://wiki.squid-cache.org/SquidFaq/InterceptionProxy" previewremoved="true" style="font-family: Consolas, Courier, monospace, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 13.3333px;"></a>And
I was mislead by the fact that there is a DNAT config and a REDIRECT config.. DNAT is completely useless if Squid only support to be on the router.</div>
<div class="PlainText">Wasn't it possible to dnat to a different server with older versions (my memory is faulty) ?</div>
<div class="PlainText"><a href="http://tldp.org/HOWTO/TransparentProxy-6.html" class="OWAAutoLink" id="LPlnk953727" previewremoved="true">http://tldp.org/HOWTO/TransparentProxy-6.html</a> for example.<br>
</div>
<div class="PlainText"><br>
</div>
<div class="PlainText"><br>
</div>
<div class="PlainText"><br>
</div>
<div class="PlainText">I read the "fw mark and route policy" method as an alternative not the only way to go. My mistake.</div>
<div class="PlainText"><br>
<br>
> I Applied a DNAT to trafic coming from Clients thru Router to Proxy.<br>
> <br>
> iptables -tnat -A PREROUTING -i LAN_3500 -p tcp -m tcp --dport 80 -j DNAT<br>
> --to-destination <Proxy>:3129<br>
<br>
Have you put this rule onto the firewall you mention, or the Squid box itself?<br>
<br>
<a href="https://wiki.squid-cache.org/SquidFaq/InterceptionProxy" id="LPlnk311048" previewremoved="true">https://wiki.squid-cache.org/SquidFaq/InterceptionProxy</a><br>
#Requirements_and_methods_for_Interception_Caching<br>
<br>
states "NAT configuration will only work when used *on the squid box* ."<br>
<br>
So, you *must* put that rule on the Squid machine itself, not on the firewall.<br>
<br>
It goes on to say "To intercept from a gateway machine and direct traffic at a <br>
separate squid box use policy routing." with a link to <br>
<a href="https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute" id="LPlnk480386" previewremoved="true">https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute</a><br>
<br>
> HTTP is coming to squid successfully but squid logs show a request coming<br>
> from proxy himself and a request coming from Router (as Clients are NATed<br>
> by Router)<br>
<br>
Ah, so you *are* doing the NAT on the router :) Don't :)<br>
<br>
> if I allow in squid.conf the Proxy IP, I end up with a Forward loop...<br>
> <br>
> <br>
> I also tried the tproxy scenario with no success.<br>
<br>
Well, give us some details of what you tried, how you configured it, what <br>
worked, and what didn't work, and we might be able to help, otherwise we can <br>
only say "well, tproxy does work if set up properly, so if yours doesn't work, <br>
it isn't set up properly", which isn't a very helpful answer...<br>
<br>
I read with a new eye the tproxy page <a href="https://wiki.squid-cache.org/ConfigExamples/FullyTransparentWithTPROXY" class="OWAAutoLink" id="LPlnk520447" previewremoved="true">https://wiki.squid-cache.org/ConfigExamples/FullyTransparentWithTPROXY</a> and
found that I forgot the policy routing part.</div>
<div class="PlainText">Will try again.</div>
<div class="PlainText"><br>
</div>
<div class="PlainText">Thanks for your help.</div>
<div class="PlainText">Sebastien.</div>
<div class="PlainText"><br>
</div>
<div class="PlainText">Antony.<br>
<br>
-- <br>
If at first you don't succeed, destroy all the evidence that you tried.<br>
<br>
Please reply to the list;<br>
please *don't* CC me.<br>
_______________________________________________<br>
squid-users mailing list<br>
squid-users@lists.squid-cache.org<br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" id="LPlnk101933" previewremoved="true">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</div>
</span></font></div>
</div>
</body>
</html>