<div dir="ltr"><div>Hello Team,</div><div><br></div><div>I hope you are well. I have been
working on the powerful squid proxy for the past few months and have
been stuck at a dead end while setting up a transparent proxy.</div><div>My goal is to set up a squid proxy as a transparent proxy for HTTP.</div><div>Below is the config file (I have included only the important part, not all of it).</div><div>I have a Fedora box as a client where I have put the squid proxy IP and a demo website in the /etc/hosts file, forcing it to go through the squid proxy:</div><div>my.squid.ip.address www.neverssl.com</div><div><br></div><div>And on the server is the configuration and output which I have shared below.</div><div>_________</div><div><div>http_port 0.0.0.0:3128<br>http_port 192.168.124.130:3130 intercept<br>acl SSL_ports port 443<br>acl Safe_ports port 80 443 3128 3129 3130 3131 21 70 210 280 488 591 777 1025-65535<br># === ACLs and Access Rules ===<br>acl localnet src 192.168.124.0/24<br>acl fedora_client src 192.168.0.0/16<br>acl localhost src 127.0.0.1/32<br>acl SSL_ports port 443<br>acl Safe_ports port 80 443 3128 3129 3130 3131 21 70 210 280 488 591 777 1025-65535<br>acl CONNECT method CONNECT<br></div><div>http_access allow all</div><div><br></div><div>logformat MyLogFormat ---> local_time="[%tl]" squid_service=%{service}note squid_status=%Ss squid_hierarchy_status=%Sh | lb_sessionid=%{X-SSL-sessionid}>h | **FLOW1** src_ip=%>a src_port=%>p squid_ingress_ip=%>la squid_ingress_port=%>lp | **FLOW2** squid_egress_ip=%<la squid_egress_port=%<lp dst_ip=%<a dst_host=%<A dst_port=%<p ident_username=%[ui username=%[un request_method=%rm request="%rm %ru HTTP/%rv" dst_url="%ru" status_code_from_server=%>Hs status_code_to_client=%<Hs referer="%{Referer}>h" user_agent="%{User-Agent}>h" protocol_version=%rv ** 
dns_response_time=%dt response_time=%tr mime_type=%mt *XFER* total_request_size=%>st total_reply_size=%<st ** %{src_zone}note %{dst_zone}note %{method_category}note %{dst_category}note %{file_upload}note ** REQUEST HEADERS %>h *** RESPONSE HEADERS %<h *** tag_returned=%et tag_string="%ea" previous_hop_mac=%>eui peer_response_time=%<pt total_response_time=%<tt *SSL* src_ssl_negotiated_version=%ssl::>negotiated_version dst_ssl_negotiated_version=%ssl::<negotiated_version src_tls_hello_version=%ssl::>received_hello_version dst_tls_hello_version=%ssl::<received_hello_version src_tls_max_version=%ssl::>received_supported_version dst_tls_max_version=%ssl::<received_supported_version src_tls_cipher=%ssl::>negotiated_cipher dst_tls_cipher=%ssl::<negotiated_cipher ssl_bump=%<bs ssl_bump_mode=%ssl::bump_mode ssl_sni=%ssl::>sni src_cert_subject="%ssl::>cert_subject" src_cert_issuer="%ssl::>cert_issuer" dst_cert_subject="%ssl::<cert_subject" dst_cert_issuer="%ssl::<cert_issuer" cert_errors="%ssl::<cert_errors" ssl_handshake="%>handshake" *** error_page_presented=%err_code err_detail="%err_detail" rule_id=%{ruleid}note rule_type=%{ruletype}note XFF="%{X-Forwarded-For}>h" squid_dst_app=%{dst_app}note SkipSsl=%{SkipSslDecrypt}note BrokenButTrusted=%{BrokenButTrusted}note | ** dns_response_time=%dt peer_response_time=%<pt total_response_time=%<tt response_time=%tr |<br><br></div><div>__________</div><div>Below is the output of netstat:<br>[root@redhat squid]# netstat -tulnp | grep -i squid<br>tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 935/(squid-1) <br>tcp 0 0 192.168.124.130:3130 0.0.0.0:* LISTEN 935/(squid-1) <br></div><div>____________</div><div>Below are the iptables rules:</div><div>#iptables -A INPUT -p tcp --dport 80 -j ACCEPT</div><div>#iptables -A INPUT -p tcp --dport 3128 -j ACCEPT</div><div>#iptables -A INPUT -p tcp --dport 3130 -j ACCEPT</div><div>#iptables -t nat -A 
PREROUTING -i enp1s0 -p tcp --dport 80 -j REDIRECT --to-port 3130</div><div>___________________</div><div>Below
is the output of the logs (Flow 1 is from client to proxy; Flow 2 is from proxy to destination) while executing curl from the client. The
proxy is not reaching the destination server but rather talking to itself.</div><div>**FLOW1** src_ip=192.168.124.1 src_port=53564 squid_ingress_ip=192.168.124.130 squid_ingress_port=3130<br>**FLOW2** squid_egress_ip=192.168.124.130 squid_egress_port=44378 dst_ip=192.168.124.130 dst_host=www.neverssl.com dst_port=3130 ident_username=- username=- request_method=GET request="GET http://www.neverssl.com/ HTTP/1.1" dst_url="http://www.neverssl.com/"
status_code_from_server=403 status_code_to_client=403 referer="-"
user_agent="curl/8.9.1" protocol_version=1.1 ** dns_response_time=22
response_time=24 mime_type=text/html *XFER* total_request_size=132
total_reply_size=4127 ** - - - - - ** REQUEST HEADERS
User-Agent:%20curl/8.9.1%0D%0AAccept:%20*/*%0D%0AProxy-Connection:%20Keep-Alive%0D%0AHost:%20www.neverssl.com%0D%0A *** RESPONSE HEADERS HTTP/1.1%20403%20Forbidden%0D%0AServer:%20squid/5.5%0D%0AMime-Version:%201.0%0D%0ADate:%20Mon,%2007%20Apr%202025%2015:00:52%20GMT%0D%0AContent-Type:%20text/html;charset=utf-8%0D%0AContent-Length:%203633%0D%0AX-Squid-Error:%20ERR_ACCESS_DENIED</div><div>-------------------</div><div><br></div><div>P.S.: I have had good success setting it up as an explicit proxy by setting the IP in the browser. But that's not the ultimate goal.</div><div><div>I would appreciate any help that you can offer in this regard.</div></div></div><br></div>
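<p>Added example, not part of the original post and not Squid's own tooling: a small checker that reads access-log lines written with the MyLogFormat above and flags the two things visible in the posted entry. First, a forwarding loop, where the FLOW2 destination (dst_ip, dst_port) is the proxy's own FLOW1 listening socket (squid_ingress_ip, squid_ingress_port). Second, a request that arrived on an intercept port in absolute-URI form ("GET http://host/ HTTP/1.1") and/or with a Proxy-Connection header; that is the shape a client configured with an explicit proxy sends, whereas a transparently intercepted client sends origin-form ("GET / HTTP/1.1") with only a Host header. The field names are assumed to be those of the posted logformat, 3130 is assumed to be the only port carrying the intercept option, and all three sample lines are constructed: the first reproduces the values from the post joined back onto one line, the other two show a healthy intercepted request and the same explicit-style request on the plain forward-proxy port 3128.</p>

```python
"""Flag Squid intercept-mode log lines that show the proxy talking to itself
or receiving explicit-proxy-shaped requests. Added example, not from the post.

Assumptions: key=value field names follow the posted MyLogFormat, and the only
port with the 'intercept' option is 3130 (INTERCEPT_PORTS). Sample lines are
constructed; LOOP_LINE reproduces the values seen in the post.
"""
import re
from urllib.parse import unquote

INTERCEPT_PORTS = {3130}  # assumption: the http_port lines with 'intercept'

# key=value tokens; values may be double-quoted (request="GET ... HTTP/1.1")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# the URL-encoded %>h blob sits between these two literal markers of the logformat
REQ_HDR_RE = re.compile(r"REQUEST HEADERS (\S*) \*\*\* RESPONSE HEADERS")


def parse_fields(line):
    """Return the key=value fields of one log line as a dict, quotes stripped."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def request_headers(line):
    """Decode the %>h request-header blob (Squid URL-encodes it) into plain text."""
    m = REQ_HDR_RE.search(line)
    return unquote(m.group(1)) if m else ""


def detect_loop(fields):
    """Proxy forwarding to itself: FLOW2 destination equals the FLOW1 ingress socket."""
    return (fields.get("dst_ip") == fields.get("squid_ingress_ip")
            and fields.get("dst_port") == fields.get("squid_ingress_port"))


def detect_explicit_style(fields, line):
    """Forward-proxy-shaped request (absolute-URI target or Proxy-Connection header)
    that arrived on an intercept port, where origin-form requests are expected."""
    try:
        ingress_port = int(fields.get("squid_ingress_port", ""))
    except ValueError:
        return False
    if ingress_port not in INTERCEPT_PORTS:
        return False
    target = fields.get("request", "").split(" ")[1:2]  # "GET <target> HTTP/x"
    absolute_form = bool(target) and target[0].lower().startswith(("http://", "https://"))
    has_proxy_conn = "proxy-connection:" in request_headers(line).lower()
    return absolute_form or has_proxy_conn


def analyze(line):
    """Return the findings for one log line; an empty list means it looks healthy."""
    fields = parse_fields(line)
    findings = []
    if detect_loop(fields):
        findings.append("loop")
    if detect_explicit_style(fields, line):
        findings.append("explicit-proxy-style-request")
    return findings


# Constructed sample 1: the values from the post, joined back onto one line.
LOOP_LINE = (
    "**FLOW1** src_ip=192.168.124.1 src_port=53564 squid_ingress_ip=192.168.124.130 "
    "squid_ingress_port=3130 **FLOW2** squid_egress_ip=192.168.124.130 "
    "squid_egress_port=44378 dst_ip=192.168.124.130 dst_host=www.neverssl.com "
    "dst_port=3130 ident_username=- username=- request_method=GET "
    'request="GET http://www.neverssl.com/ HTTP/1.1" dst_url="http://www.neverssl.com/" '
    'status_code_from_server=403 status_code_to_client=403 referer="-" '
    'user_agent="curl/8.9.1" protocol_version=1.1 ** dns_response_time=22 '
    "response_time=24 mime_type=text/html *XFER* total_request_size=132 "
    "total_reply_size=4127 ** - - - - - ** REQUEST HEADERS "
    "User-Agent:%20curl/8.9.1%0D%0AAccept:%20*/*%0D%0AProxy-Connection:%20Keep-Alive"
    "%0D%0AHost:%20www.neverssl.com%0D%0A *** RESPONSE HEADERS "
    "HTTP/1.1%20403%20Forbidden%0D%0AServer:%20squid/5.5%0D%0AX-Squid-Error:%20ERR_ACCESS_DENIED"
)

# Constructed sample 2: a correctly intercepted request (origin-form target, Host
# header only, a real origin address; 203.0.113.10 is a documentation address).
INTERCEPTED_OK_LINE = (
    "**FLOW1** src_ip=192.168.124.1 src_port=53570 squid_ingress_ip=192.168.124.130 "
    "squid_ingress_port=3130 **FLOW2** squid_egress_ip=192.168.124.130 "
    "squid_egress_port=44390 dst_ip=203.0.113.10 dst_host=www.neverssl.com dst_port=80 "
    'ident_username=- username=- request_method=GET request="GET / HTTP/1.1" '
    'dst_url="http://www.neverssl.com/" status_code_from_server=200 '
    'status_code_to_client=200 referer="-" user_agent="curl/8.9.1" protocol_version=1.1 '
    "** REQUEST HEADERS Host:%20www.neverssl.com%0D%0AUser-Agent:%20curl/8.9.1%0D%0A"
    "Accept:%20*/*%0D%0A *** RESPONSE HEADERS HTTP/1.1%20200%20OK%0D%0A"
)

# Constructed sample 3: the same explicit-proxy-style request on forward-proxy
# port 3128, where absolute-form targets and Proxy-Connection are normal.
EXPLICIT_3128_LINE = (
    "**FLOW1** src_ip=192.168.124.1 src_port=53580 squid_ingress_ip=192.168.124.130 "
    "squid_ingress_port=3128 **FLOW2** squid_egress_ip=192.168.124.130 "
    "squid_egress_port=44400 dst_ip=203.0.113.10 dst_host=www.neverssl.com dst_port=80 "
    'request_method=GET request="GET http://www.neverssl.com/ HTTP/1.1" '
    "status_code_to_client=200 ** REQUEST HEADERS User-Agent:%20curl/8.9.1%0D%0A"
    "Proxy-Connection:%20Keep-Alive%0D%0AHost:%20www.neverssl.com%0D%0A "
    "*** RESPONSE HEADERS HTTP/1.1%20200%20OK%0D%0A"
)

if __name__ == "__main__":
    for name, line in [("post", LOOP_LINE), ("intercepted-ok", INTERCEPTED_OK_LINE),
                       ("explicit-3128", EXPLICIT_3128_LINE)]:
        print(f"{name}: {analyze(line) or 'no findings'}")
```

<p>Run against a real access.log, the script would be fed one full MyLogFormat line at a time (the post's entry was wrapped by the mail client; in the log it is a single line). The two checks are independent on purpose: a loop finding says where the FLOW2 connection actually went, while the explicit-style finding says what kind of client produced the request that landed on the intercept port.</p>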