[squid-users] Transparent Proxy Configuration
James Lay
jlay at slave-tothe-box.net
Tue Jun 30 20:26:33 UTC 2015
On 2015-06-30 12:21 PM, Chris Greene wrote:
> I’ve had Squid running on Ubuntu for a few weeks. I’d configured the
> proxy settings in the browsers. Everything has been working well and
> I've been pleased with the results. But now I need to make this a
> transparent proxy and I’m running into trouble & need some help.
>
> I’ve got a Destination NAT rule set up on my router to forward TCP
> port 80 traffic to my proxy. And I removed proxy configuration
> settings from the browsers. After enabling this DNAT rule, I see
> requests being logged to /var/log/squid3/access.log.
>
> Results when navigating to http://www.google.com:
> The following error was encountered while trying to retrieve the URL: /
> Invalid URL
> Some aspect of the requested URL is incorrect.
> Some possible problems are:
> -Missing or incorrect access protocol (should be “http://” or similar)
> -Missing hostname
> -Illegal double-escape in the URL-Path
> -Illegal character in hostname; underscores are not allowed.
>
>
> Next, I added "intercept" to http_port like so:
> "http_port 192.166.2.55:3128 intercept"
> Results: Access Denied.
>
> My abbreviated /etc/squid3/squid.conf looks like this:
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access allow all
>
> I'm new to Squid/Ubuntu, so I likely overlooked something. What am I
> missing? What troubleshooting step(s) should I take next?
> -DG
What's your DNAT line? Assuming squid is on the box that you're running
the DNAT line on...here's mine...redirect is all you need if the
firewall/gateway is on the same box as squid:

$IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport 80 -j REDIRECT --to-port 3128

And parts of my squid.conf:

acl localnet src 192.168.1.0/24
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl allowed_http_sites url_regex "/opt/etc/squid/http_url.txt"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow SSL_ports
http_access allow localnet
http_access deny all
http_port 3128 intercept
James
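
A check for the setup described in the reply above (a port-80 REDIRECT on the same box as Squid, pointing at a port opened with "intercept"), as an added example that is not part of the original thread. It assumes the NAT table is available as an `iptables-save -t nat` dump; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the port-80 REDIRECT rule
# on the Squid box targets a port squid.conf opens with "intercept".

# Ports declared as "http_port [ip:]PORT ... intercept" in a squid.conf file.
intercept_ports() {
    awk '$1 == "http_port" {
        for (i = 3; i <= NF; i++)
            if ($i == "intercept") { n = split($2, a, ":"); print a[n] }
    }' "$1"
}

# Target ports of tcp/80 REDIRECT rules in an `iptables-save -t nat` dump.
redirect_ports() {
    awk '$1 == "-A" && $2 == "PREROUTING" && / --dport 80 / && / -j REDIRECT / {
        for (i = 1; i < NF; i++)
            if ($i == "--to-ports" || $i == "--to-port") print $(i + 1)
    }' "$1"
}

# 0 = every REDIRECT hits an intercept port, 1 = mismatch, 2 = no REDIRECT rule.
check_intercept() {
    redirects=$(redirect_ports "$1")
    ports=$(intercept_ports "$2")
    [ -n "$redirects" ] || { echo "no port-80 REDIRECT rule in $1"; return 2; }
    status=0
    for p in $redirects; do
        if printf '%s\n' "$ports" | grep -qx "$p"; then
            echo "ok: REDIRECT to $p matches an intercept http_port"
        else
            echo "mismatch: nothing listens with intercept on $p"; status=1
        fi
    done
    return $status
}

# Constructed sample input, modelled on the rule and config in the reply above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nat.rules" <<'EOF'
*nat
-A PREROUTING -s 192.168.1.96/28 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
EOF
printf 'http_port 3128 intercept\n' > "$demo_dir/good.conf"
printf 'http_port 3128\n' > "$demo_dir/plain.conf"   # forward-proxy port only
printf '*nat\nCOMMIT\n' > "$demo_dir/empty.rules"     # no NAT on this box
check_intercept "$demo_dir/nat.rules" "$demo_dir/good.conf" || true
check_intercept "$demo_dir/nat.rules" "$demo_dir/plain.conf" || true
check_intercept "$demo_dir/empty.rules" "$demo_dir/good.conf" || true
```

On a live system the two inputs would be the saved output of `iptables-save -t nat` and the path to the running squid.conf.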