[squid-users] Squid Intercept - From inside LAN with DNAT on router and docker on host
Bruno de Paula Larini
bruno.larini at riosoft.com.br
Wed Jul 20 20:08:25 UTC 2016
Just a basic question: is there an ACL allowing your hosts in
squid.conf? Squid will promptly answer with a 403 error otherwise.
Em 20/07/2016 16:42, Guilherme Scaglia escreveu:
> Hi.
>
> I've been trying to set up a local squid server on my home LAN to
> cache HTTP (not HTTPS) pages. I want to avoid any client
> configuration, so I'm aiming for a transparent proxy - with squid in
> intercept mode.
>
> In my network setup, the squid server is inside the LAN together with
> its clients, and not sitting between the clients and the router/modem
> like all guides assume. Furthermore, requests originating from the
> same machine where squid is running should be cached as well.
>
> I've set up squid inside a docker container, on a fedora 24 image. The
> squid version is 3.5.19. On squid.conf I've added a new http_port
> line, for port 8080 with the intercept flag:
> http_port 8080 intercept
>
> My router is a Mikrotik router board, so it's trivial to setup
> a DNAT rule to redirect all TCP requests to the squid server. To avoid
> forward loops, I've marked all packets originating from squid with
> DSCP 4 using iptables rules, and excluded those from the DNAT rule on
> the router. I've tested this by running wget requests from inside the
> docker container, and those went by without any redirection.
>
> Now comes the problem:
> When any of the redirected requests reach squid, squid will reply
> instantly with TCP_MISS/403. Since all traffic from the squid machine
> is marked with a specific DSCP, it's also easy to see squid made no
> requests to the outside world before giving that reply. Running
> tcpdump on the host machine shows no other packets are being sent
> other than the 403 reply.
>
> What's happening? Why doesn't squid try to fetch the requested pages
> at all?
>
>
> From my understanding, my setup is roughly equivalent to
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat, only
> the DNAT is happening outside the squid box; there is no reason this
> should interfere with anything.
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
> seems to recommend routing without DNAT; this seems weird, as the only
> way I can see this working is if the squid machine accepted packets to
> any address as their own.
>
>
> TL;DR:
> When running squid in intercept mode, inside a docker container,
> routing traffic to it through dst-nat rules on an external router,
> squid will reply with '403 forbidden' to all requests. Access.log
> lists TCP_MISS/403, but tcpdump indicates that squid is never trying
> to query the requested page at all.
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
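Bruno's question is whether squid.conf has an ACL that actually allows the intercepted clients. A quick way to answer it without restarting Squid is to replay the config's `http_access` rules against the client address as Squid sees it (the original source IP, which DNAT leaves untouched). The script below is an added example for this thread, not code from the Squid project: it models only `acl NAME src <cidr...>` plus the built-in `all`, with Squid's first-match semantics and its documented default of "opposite of the last rule" when nothing matches; an `http_access` line that references any other ACL type is treated as not matching and skipped. The squid.conf fragments and client addresses in it are constructed.

```python
"""Replay the src/http_access part of a squid.conf against a client address to
see which rule produces an allow or a deny (the usual source of TCP_MISS/403).

Added example, not Squid project code. Only `acl NAME src ...` and `all` are
modelled; lines referencing other ACL types are skipped. Samples are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_squid_conf(text: str) -> Tuple[Dict[str, List[Network]], List[Tuple[str, List[str]]]]:
    """Collect src ACLs and http_access rules in file order, comments stripped."""
    acls: Dict[str, List[Network]] = {
        "all": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")],
    }
    rules: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(spec, strict=False) for spec in parts[3:])
        elif len(parts) >= 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return acls, rules


def decide(text: str, client_ip: str) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the winning http_access rule or None).

    Squid semantics: the first http_access line whose ACL terms all match wins;
    with no match the verdict is the opposite of the last line's action, and a
    config with no http_access lines allows everything.
    """
    acls, rules = parse_squid_conf(text)
    ip = ipaddress.ip_address(client_ip)
    for idx, (action, terms) in enumerate(rules):
        matched = True
        for term in terms:
            name = term.lstrip("!")
            if name not in acls:           # not a src ACL: cannot evaluate, skip line
                matched = False
                break
            hit = any(ip in net for net in acls[name])
            if hit == term.startswith("!"):  # plain term missed, or negated term hit
                matched = False
                break
        if matched:
            return action, idx
    if not rules:
        return "allow", None
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def explain(text: str, client_ip: str) -> str:
    """Human-readable version of decide() for reading next to access.log."""
    action, idx = decide(text, client_ip)
    where = f"http_access rule #{idx + 1}" if idx is not None else "default (opposite of last rule)"
    return f"{client_ip}: {action} by {where}"


# Constructed squid.conf fragments for a LAN in 192.168.0.0/16.
CONF_NO_ALLOW = """\
http_port 8080 intercept
acl localnet src 192.168.0.0/16
http_access deny all
"""
CONF_MISORDERED = """\
http_port 8080 intercept
acl localnet src 192.168.0.0/16
http_access deny all            # first match wins: this shadows the allow below
http_access allow localnet
"""
CONF_OK = """\
http_port 8080 intercept
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("no allow", CONF_NO_ALLOW), ("misordered", CONF_MISORDERED), ("ok", CONF_OK)):
        for ip in ("192.168.1.10", "172.17.0.2"):   # a LAN client and a docker-bridge address
            print(f"[{label}] {explain(conf, ip)}")
```

The second client address, 172.17.0.2, is there to show that the allow list must cover every prefix the intercepted traffic can arrive from; in `CONF_OK` it still hits `deny all` because only 192.168.0.0/16 is listed.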