[squid-users] Squid as Transparent Proxy

davide.motti davide.motti at modomoto.com
Tue Oct 10 08:19:48 UTC 2017


Hi to everybody,

Last week I set up Squid as a transparent proxy and everything seems to
work fine: it caches HTTP and HTTPS connections without any problem.

The only thing that "worries" me is that if I put the "intercept" flag
on the http_port and on the https port I am not able to connect to any
site, but if I leave off the "intercept" flag I can connect to all sites
in transparent mode (no settings in the client's browser).

So I'm running Squid-3.5.27 on Ubuntu Server 16.04 LTS, and it was
compiled like this:

./configure --build=x86_64-linux-gnu --prefix=/usr --localstatedir=/var
--libexecdir=${prefix}/lib/squid --datadir=${prefix}/share/squid
--sysconfdir=/etc/squid --mandir=/usr/share/man
--with-swapdir=/var/spool/squid --with-default-user=proxy
--with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid
--with-open-ssl=/etc/ssl/openssl.cnf --with-filedescriptors=65536
--enable-ssl-crtd --enable-linux-netfilter

The main squid.conf file:

http_port 3128
http_port 192.168.21.111:3129

http_port 192.168.21.111:13130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myRCA.pem

acl debian src 192.168.7.112
acl debian src fe80::a2ce:c8ff:fe1e:bfb8
acl localhost src 127.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443

acl Safe_ports port 21
acl Safe_ports port 70
acl Safe_ports port 3128
acl Safe_ports port 3129
acl Safe_ports port 403
acl Safe_ports port 409
acl Safe_ports port 210

acl Safe_ports port 1025-65535
acl Safe_ports port 280

acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
# HTTP ACCESS
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access allow debian
http_access allow localhost

visible_hostname 20150604-004.intern.modomoto.de

acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump bump all
sslproxy_options ALL
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 10

Squid iptables rules:

# Generated by iptables-save v1.6.0 on Mon Sep 25 09:34:12 2017
*mangle
:PREROUTING ACCEPT [41705:23328287]
:INPUT ACCEPT [40269:23242848]
:FORWARD ACCEPT [6:2262]
:OUTPUT ACCEPT [32950:6122247]
:POSTROUTING ACCEPT [33060:6138510]
COMMIT
# Completed on Mon Sep 25 09:34:12 2017
# Generated by iptables-save v1.6.0 on Mon Sep 25 09:34:12 2017
*nat
:PREROUTING ACCEPT [2731:496529]
:INPUT ACCEPT [1440:370186]
:OUTPUT ACCEPT [3278:202202]
:POSTROUTING ACCEPT [41:2041]
-A PREROUTING -s $CLIENT_IP -p tcp -m tcp --dport 80 -j DNAT --to-destination $SQUID_IP:$HTTP_SQUID_PORT
-A PREROUTING -i $CLIENT_INTERF -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $HTTP_SQUID_PORT
-A PREROUTING -s $SQUID_IP -p tcp -m tcp --dport 443 -j DNAT --to-destination $SQUID_IP:$HTTPS_SQUID_PORT
-A PREROUTING -i $CLIENT_INTERF -p tcp -m tcp --dport 443 -j REDIRECT --to-ports $HTTP_CLIENT_PORT
-A POSTROUTING -o $CLIENT_INTERF -j MASQUERADE
COMMIT
# Completed on Mon Sep 25 09:34:12 2017
# Generated by iptables-save v1.6.0 on Mon Sep 25 09:34:12 2017
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [6:2262]
:OUTPUT ACCEPT [86:9379]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $CLIENT_INTERF -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $CLIENT_IP -j ACCEPT
-A INPUT -i $CLIENT_INTERF -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -s $CLIENT_IP -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s $CLIENT_INTERF -j ACCEPT
-A OUTPUT -o $CLIENT_INTERF -j ACCEPT
COMMIT

My client acts as its own router, and its iptables rules are the following:

*mangle
:PREROUTING ACCEPT [41705:23328287]
:INPUT ACCEPT [40269:23242848]
:FORWARD ACCEPT [6:2262]
:OUTPUT ACCEPT [32950:6122247]
:POSTROUTING ACCEPT [33060:6138510]
COMMIT
# Completed on Mon Sep 25 09:34:12 2017
# Generated by iptables-save v1.6.0 on Mon Sep 25 09:34:12 2017
*nat
:PREROUTING ACCEPT [2731:496529]
:INPUT ACCEPT [1440:370186]
:OUTPUT ACCEPT [3278:202202]
:POSTROUTING ACCEPT [41:2041]
-A PREROUTING -s $CLIENT_IP -p tcp -m tcp --dport 80 -j DNAT
--to-destination $SQUID_IP:$HTTP_SQUID_PORT
-A PREROUTING -i $CLIENT_INTERF -p tcp -m tcp --dport 80 -j REDIRECT
--to-ports $HTTP_SQUID_PORT
-A PREROUTING -s $CLIENT_IP -p tcp -m tcp --dport 443 -j DNAT
--to-destination $SQUID_IP:$HTTPS_SQUID_PORT
-A PREROUTING -i $CLIENT_INTERF -p tcp -m tcp --dport 443 -j REDIRECT
--to-ports $HTTPS_SQUID_PORT
-A POSTROUTING -o $CLIENT_INTERF -j MASQUERADE

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [6:2262]
:OUTPUT ACCEPT [86:9379]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $CLIENT_INTERF -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $CLIENT_IP -j ACCEPT
-A INPUT -i $CLIENT_INTERF -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -s $CLIENT_IP -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s $CLIENT_IP -j ACCEPT
-A OUTPUT -o $CLIENT_INTERF -j ACCEPT
COMMIT

As I said, the intercept mode works without the "intercept" flag on the
http_port directive: I would just like to know whether this is normal or
whether I am missing something in my config.

Thanks in advance to everybody.

Best,

Davide

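A cross-check a practitioner would run before flipping the flag, written here as an added example (it is not the poster's code and not anything shipped by the Squid project): parse the http_port/https_port lines and the PREROUTING REDIRECT/DNAT rules, then report every NAT target port that is not marked as an intercept port, and any dport 443 target that is not an https_port with ssl-bump, which is the Squid 3.5 form for NAT-intercepted TLS. The two configuration pairs embedded in the script are constructed from the post's port numbers (3129 for HTTP, 13130 for TLS); the interface name eth1 stands in for $CLIENT_INTERF, and the "posted layout" pair reproduces the shape of the thread's squid.conf, not its exact contents.

```python
"""Cross-check Squid listening ports against the iptables NAT rules that feed them.

Added example, not code from the original post or from the Squid project.
The configuration samples are constructed: they reuse the post's ports
(3129 for HTTP, 13130 for TLS) with eth1 standing in for $CLIENT_INTERF.
"""
import re

# Flags on http_port/https_port that make Squid treat the socket as intercepted.
INTERCEPT_FLAGS = {"intercept", "transparent", "tproxy"}

# Constructed sample shaped like the post: NAT'd traffic lands on ports that
# carry no 'intercept' flag, and dport 443 is redirected to an http_port.
SQUID_CONF_BAD = """\
http_port 3128
http_port 192.168.21.111:3129
http_port 192.168.21.111:13130 ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_cert/myRCA.pem
"""
NAT_RULES_BAD = """\
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 13130
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""

# Constructed corrected sample: every NAT target is an intercept port and
# intercepted TLS goes to an https_port carrying ssl-bump (Squid 3.5 syntax).
SQUID_CONF_GOOD = """\
http_port 3128
http_port 192.168.21.111:3129 intercept
https_port 192.168.21.111:13130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_cert/myRCA.pem
"""
NAT_RULES_GOOD = """\
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 13130
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""


def parse_squid_ports(conf):
    """Map listening port -> {directive, intercept, ssl_bump} from http_port/https_port lines."""
    ports = {}
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] not in ("http_port", "https_port"):
            continue
        # Address forms: "3128", "192.168.21.111:3129", "[::1]:3128"; the port follows the last colon.
        port = int(tokens[1].rsplit(":", 1)[-1])
        options = set(tokens[2:])
        ports[port] = {
            "directive": tokens[0],
            "intercept": bool(options & INTERCEPT_FLAGS),
            "ssl_bump": "ssl-bump" in options,
        }
    return ports


def parse_nat_targets(rules):
    """Return (dport, target_port) pairs for PREROUTING REDIRECT/DNAT rules in an iptables-save dump."""
    targets = []
    for line in rules.splitlines():
        if not line.startswith("-A PREROUTING"):
            continue
        dport = re.search(r"--dport (\d+)", line)
        to = re.search(r"--to-ports (\d+)", line) or re.search(r"--to-destination \S*:(\d+)", line)
        if dport and to:
            targets.append((int(dport.group(1)), int(to.group(1))))
    return targets


def check_intercept_setup(conf, rules):
    """Return human-readable findings; an empty list means squid.conf and the NAT rules agree."""
    findings = []
    ports = parse_squid_ports(conf)
    for dport, target in parse_nat_targets(rules):
        entry = ports.get(target)
        if entry is None:
            findings.append(f"dport {dport} is NAT'd to port {target}, but no http_port/https_port listens there")
            continue
        if not entry["intercept"]:
            findings.append(f"port {target} receives NAT'd dport {dport} traffic but lacks the 'intercept' flag")
        if dport == 443:
            if entry["directive"] != "https_port":
                findings.append(f"port {target} takes intercepted TLS (dport 443) but is an http_port; use https_port ... intercept ssl-bump")
            elif not entry["ssl_bump"]:
                findings.append(f"https_port {target} takes intercepted TLS but has no ssl-bump option, so it cannot bump")
    return findings


if __name__ == "__main__":
    for label, conf, rules in (("posted layout", SQUID_CONF_BAD, NAT_RULES_BAD),
                               ("corrected layout", SQUID_CONF_GOOD, NAT_RULES_GOOD)):
        print(label)
        for finding in check_intercept_setup(conf, rules) or ["no findings"]:
            print("  -", finding)
```

Run against a live box by feeding it the real files (`open("/etc/squid/squid.conf").read()` and the output of `iptables-save -t nat`); the parser only looks at PREROUTING rules, so an OUTPUT-chain redirect for locally generated traffic would need a second pass.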