[squid-users] New Squid Server 3.5.20 on Centos 7 - Trying to redirect local web access to Port 80 on Linux Servers with iptables to Squid Server with http_port intercept

Rogerio Coelho rogerio.coelho at gruporbs.com.br
Wed May 24 20:02:37 UTC 2017 

Hi Squid Jedi´s,

I am just a little stuck tryng to replace an old Squid 3.1.23 Server on Centos 6 that i use to redirect local web access to port 80 on linux servers to Squid Server.

On my Squid 3.1.23 Server on Centos 6 i use http_port 3128 transparent mode and on my Linux servers clients i use iptables to redirect Web traffic as below ( this config works ):

Squid Server 3.1.23 :

[root at leli squid]# cat squid.conf | egrep -v "^#|^$"
acl default_ip req_header x-forward -i "/ipt/SQUID/default/ip"
acl default_url dstdom_regex -i "/ipt/SQUID/default/url"
acl default_ip2 srcdom_regex -i "/ipt/SQUID/default/ip"
http_access allow default_ip default_url
acl endereco  req_header x-forward -i "/ipt/SQUID/libera/ip"
http_access allow endereco
acl all_ip req_header x-forward -i "/ipt/SQUID/all/ip"
acl all_url dstdom_regex -i "/ipt/SQUID/all/url"
acl all_ip2 srcdom_regex -i "/ipt/SQUID/all/ip"
http_access allow all_url
acl all src all
acl manager proto cache_object
acl from_localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl GIT_PORT port 9418         # git
acl CONNECT method CONNECT
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 21 # ftp
acl GIT_PORT2 port 9418 # git
http_access allow manager from_localhost
http_access deny manager
http_access allow GIT_PORT2
http_access deny !Safe_ports
http_access allow CONNECT GIT_PORT
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow from_localhost
http_access deny all
http_port 3128 transparent
https_port 3129 transparent intercept cert=/ipt/SQUID/https/squid.crt key=/ipt/SQUID/https/squid.key
hierarchy_stoplist cgi-bin ?
emulate_httpd_log on
logformat squid %tg %6tr %>a %{x-forward}>h %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /var/log/squid/access.log squid
access_log syslog:local0.info  squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid
acl QUERY urlpath_regex .*
cache deny QUERY
acl apache rep_header Server ^Apache
acl FS_TESTE srcdom_regex -i "/ipt/SQUID/puppet/ip2"
cache_mgr tecnologiaseguranca at gruporbs.com.br
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/spool/squid
maximum_object_size 0 KB
minimum_object_size 0 KB
no_cache deny all
deny_info 172.20.63.73 webapp_ip

[root at leli ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 46M packets, 3068M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 4581K packets, 276M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4581K packets, 276M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root at leli ~]#

Linux Server Clients ( Centos 5, 6 e 7 ) :

[root at montana rules]# cat proxy2.sh
#!/bin/bash

IPTBIN=$(which iptables)

$IPTBIN -t nat -F
$IPTBIN -t nat -X

#SQUID
$IPTBIN -A OUTPUT -s 10.240.68.68 -p tcp --sport 3128 -j ACCEPT

#PROXY
$IPTBIN -t nat -N PROXYSQUID
$IPTBIN -t nat -A OUTPUT -p tcp --dport 80 -j PROXYSQUID
$IPTBIN -t nat -A OUTPUT -p tcp --dport 443 -j PROXYSQUID
$IPTBIN -t nat -A PROXYSQUID -d 192.168.0.0/16 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 189.76.144.0/20 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 189.76.156.190 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 172.16.0.0/12 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 10.0.0.0/8 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -p tcp -j DNAT --to-destination=10.240.68.68:3128


[root at montana rules]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 58M packets, 4835M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443

Chain PROXYSQUID (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 RETURN     all  --  *      *       0.0.0.0/0            189.76.144.0/20
    0     0 RETURN     all  --  *      *       0.0.0.0/0            189.76.156.190
    0     0 RETURN     all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           to:10.240.68.68:3128
[root at montana rules]# curl -v www.google.com
* About to connect() to www.google.com port 80
*   Trying 216.58.222.68... * connected
* Connected to www.google.com (216.58.222.68) port 80
> GET / HTTP/1.1
User-Agent: curl/7.12.1 (i686-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: www.google.com
Pragma: no-cache
Accept: */*

< HTTP/1.0 302 Moved Temporarily
< Location: http://www.google.com.br/?gws_rd=cr&ei=FtwdWdaDMYm0wQSWwZ24Ag
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
< Date: Thu, 18 May 2017 17:38:30 GMT
< Server: gws
< Content-Length: 262
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: NID=103=Vdks002SayhLjRhSWr_ETgZR2-0Hngh7ci-McE8fBhw6vDhAENt6JxWkTKtPKWen7HL-KYjiSNg9lwXnjSCejhv1va4yIUhPpMDYZ-mK4uDb9FQldR1zp3Y1RiOwx4jX; expires=Fri, 17-Nov-2017 17:38:30 GMT; path=/; domain=.google.com; HttpOnly
< X-Cache: MISS from leli.rbs.com.br
< X-Cache-Lookup: MISS from leli.rbs.com.br:3128
< Via: 1.0 leli.rbs.com.br (squid/3.1.23)
* HTTP/1.0 connection set to keep alive!
< Connection: keep-alive
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com.br/?gws_rd=cr&ei=FtwdWdaDMYm0wQSWwZ24Ag">here</A>.
</BODY></HTML>
* Connection #0 to host www.google.com left intact
* Closing connection #0
[root at montana rules]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 58M packets, 4835M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443

Chain PROXYSQUID (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 RETURN     all  --  *      *       0.0.0.0/0            189.76.144.0/20
    0     0 RETURN     all  --  *      *       0.0.0.0/0            189.76.156.190
    0     0 RETURN     all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           to:10.240.68.68:3128
[root at montana rules]#

On my new Squid Server running 3.5.20 on Centos 7 a try to use in many different ways but have no success.

I will send my steps on a new reply email in few minutes because the email size.

Sorry about all this log of information.



Rogério Ceni Coelho
Engenheiro de Infraestrutura - Infrastructure Engineer
Diretoria de TI e Telecom - Grupo RBS
Fone: +55 (51) 3218-6983
Celular: +55 (51) 8186-2933 Claro
Celular: +55 (51) 8050-4225 Vivo
rogerio.coelho at gruporbs.com.br
http://www.gruporbs.com.br



Esta mensagem e quaisquer anexos são exclusivamente para o uso da parte endereçada e poderão conter dados privilegiados e confidenciais. Caso o leitor da mensagem não seja a parte a quem ela foi endereçada, nem um representante autorizado da mesma, ficará notificado, por meio desta, que qualquer divulgação desta comunicação é estritamente proibida. Se esta comunicação for recebida erroneamente, por favor, notifique-nos disto imediatamente por e-mail e delete a mensagem  e quaisquer anexos a ela de seu sistema.



O Grupo RBS pauta sua atuação por seu Código de Ética e Conduta, em conformidade com a Legislação Brasileira. Qualquer situação irregular deve ser informada via Canal de Ética pelo site https://www.contatoseguro.com.br/gruporbs ou 0800 602 1831. Este e-mail e seus anexos podem conter informações confidenciais. Se você recebeu esta mensagem por engano, por favor apague-a e notifique o remetente imediatamente.

More information about the squid-users mailing list