[squid-users] Squid Transparent/intercept Issues

christian brendan bosscb.chrisbren at gmail.com
Wed Mar 22 10:59:14 UTC 2017


One more thing,
Does this imply using two NICs (Network Interface Cards)?
And the squid server has to be in-between clients and the internet?

Regards




On Tue, Mar 21, 2017 at 5:29 PM, christian brendan <bosscb.chrisbren at gmail.com> wrote:

> Thanks a lot for the information.
> I will try this and give feedback.
> Best Regards
>
> On Tue, Mar 21, 2017 at 1:00 PM, <squid-users-request at lists.squid-cache.org> wrote:
>
>> Message: 1
>> Date: Tue, 21 Mar 2017 12:12:01 +0100
>> From: Antony Stone <Antony.Stone at squid.open.source.it>
>> To: squid-users at lists.squid-cache.org
>> Subject: Re: [squid-users] Squid Transparent/intercept Issues
>> Message-ID: <201703211212.01346.Antony.Stone at squid.open.source.it>
>> Content-Type: Text/Plain;  charset="utf-8"
>>
>> On Tuesday 21 March 2017 at 12:00:05, christian brendan wrote:
>>
>> > > Today's Topics:
>> > >    1. Re: Squid Transparent/intercept Issues (Antony Stone)
>> > >    2. Re: SMP and AUFS (Matus UHLAR - fantomas)
>> > >    3. Re: SMP and AUFS (Alex Rousskov)
>> > >    4. Re: squid workers question (Alex Rousskov)
>> > >    5. Re: squid workers question (Matus UHLAR - fantomas)
>> > >    6. Re: SSL Bump issues (Alex Rousskov)
>> > >    7. blocking or allowing specific youtube videos (Sohan Wijetunga)
>>
>> Please edit your reply when responding to a digest email, deleting everything
>> not specific to your question.
>>
>> > > Date: Mon, 20 Mar 2017 16:56:17 +0100
>> > > From: Antony Stone
>> > > To: squid-users at lists.squid-cache.org
>> > > Subject: Re: [squid-users] Squid Transparent/intercept Issues
>> > >
>> > > On Monday 20 March 2017 at 16:26:40, christian brendan wrote:
>> > > > Hello Everyone,
>> > > >
>> > > > Squid Cache: Version 3.5.20
>> > > > OS: CentOS 7
>> > > >
>> > > > I have used squid for quite some time non-transparently and it works,
>> > > > problem kicks in when: http_port 3128 transparent is enabled.
>> > > > Access denied error page shows up when transparent is enabled
>> > > > ERROR
>> > > > The requested URL could not be retrieved
>> > >
>> > > How are you getting the packets to the Squid server for interception?
>> > >
>> > > Is the Squid server in the default route between your clients and the
>> > > Internet, or are you redirecting the packets to the Squid server somehow?
>> > >
>> > > Please give *details* of how you are intercepting and sending the packets
>> > > to Squid (eg: iptables rules, and which machine/s the rules are running
>> > > on).
>> > >
>> > >
>> > > Antony.
>>
>> > @Antony.Stone
>> > 1. I am using mikrotik routerboard to redirect traffic, with this rule:
>> > add action=dst-nat chain=dstnat comment="Redirect port 80 to SquidProxy" dst-port=80 protocol=tcp \
>> >     src-address=10.24.7.100 to-addresses=10.24.7.101 to-ports=3128
>>
>> Okay, so there's your problem, then.
>>
>> You must not use DSTNAT on a separate router to send packets to Squid for
>> intercept.
>>
>> (This used to work in older versions of Squid, but does not work any more and
>> is documented on the wiki, for example at
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat )
>>
>> Note the wording: "NOTE: This configuration is given for use on the squid box."
>> That means the NAT rules *must* be running on the Squid box itself and not (in
>> your case) on the Mikrotik router.
>>
>> > 3. It is not in default route, packets are being redirected.
>>
>> In that case you need to use policy routing to get the packets *unchanged* to
>> the Squid box - see the above link, and also
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>>
>> > 4. There are no iptables rules, firewall is disabled for this test.
>>
>> You have to have a REDIRECT rule on the machine running Squid to get it to see
>> the packets (once they are no longer being DNATted).
>>
>> Please try to follow the guidelines at
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat and
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute and
>> then come back to us with details of what you've tried, if there are still
>> problems.
>>
>>
>> Regards,
>>
>>
>> Antony.
>>
>> --
>> A user interface is like a joke.
>> If you have to explain it, it didn't work.
>>
>> Please reply to the list;
>> please *don't* CC me.
>>
>>
>
>
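
The requirement stated in the quoted reply, that the NAT rule for port 80 runs on the Squid box itself, can be checked from the text of squid.conf and an `iptables-save` dump. This is an added example, not part of the original messages and not Squid project code; the sample configurations, port 3129 and the function names are constructed, and the DROP check mirrors the mangle-table rule used in the Squid wiki's Linux intercept examples.

```shell
#!/bin/sh
# Added example, not from the thread: audit squid.conf text and an iptables-save dump.

# Print the port of the first http_port line flagged intercept (or the older "transparent").
intercept_port() {
    printf '%s\n' "$1" | awk '$1 == "http_port" {
        for (i = 3; i <= NF; i++)
            if ($i == "intercept" || $i == "transparent") {
                n = split($2, a, ":"); print a[n]; exit
            }
    }'
}

# has_rule DUMP TABLE REGEX: succeed if TABLE in the dump holds a rule matching REGEX.
has_rule() {
    printf '%s\n' "$1" | awk -v t="*$2" -v re="$3" '
        /^\*/ { cur = $0 }
        cur == t && $0 ~ re { found = 1 }
        END { exit !found }'
}

# check_intercept CONF DUMP: print findings; exit status is the number of problems.
check_intercept() {
    port=$(intercept_port "$1"); problems=0
    [ -n "$port" ] || { echo "FAIL: no http_port with the intercept flag"; return 1; }
    # The NAT rule has to be on this machine, not on an upstream router.
    has_rule "$2" nat "^-A PREROUTING .*--dport 80 .*-j (REDIRECT --to-ports |DNAT --to-destination [0-9.]+:)$port\$" ||
        { echo "FAIL: no local nat rule sending tcp/80 to port $port"; problems=$((problems + 1)); }
    # Clients must not be able to connect to the intercept port directly.
    has_rule "$2" mangle "^-A PREROUTING .*--dport $port .*-j DROP\$" ||
        { echo "FAIL: intercept port $port is reachable directly"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ] && echo "OK: tcp/80 is intercepted locally on port $port"
    return "$problems"
}

# Constructed samples. THREAD_*: the setup described in the thread (no local rules).
THREAD_CONF='http_port 3128 transparent'
THREAD_RULES=''
FIXED_CONF='http_port 3128
http_port 3129 intercept'
FIXED_RULES='*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
COMMIT
*mangle
-A PREROUTING -p tcp -m tcp --dport 3129 -j DROP
COMMIT'
check_intercept "$THREAD_CONF" "$THREAD_RULES" || true
check_intercept "$FIXED_CONF" "$FIXED_RULES"
```

On a real host, pass the contents of squid.conf and the output of `iptables-save` (run as root) as the two arguments.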