[squid-users] Intercept Squid Proxy with Docker
fourirakbar
fourir.akbar at gmail.com
Thu Apr 19 16:05:30 UTC 2018
I'm using Squid version 3.5
My goal is to create a transparent proxy using a Docker container for each
user, so I don't need to configure a manual proxy setting for the user.
*So this is what I want:*
1. Guest login to the system (done)
2. After login, system noted ID and IP (done)
3. On another machine (I call it "server docker"), I create a container with
--name ID_IP and --publish a specific port for the guest (done)
4. Create iptables rules for the user with a specific IP and PORT (done, but I'm
not sure)
5. If the guest wants to connect to the internet, the guest must go through that
container (not yet)
*Example:*
ID : 5114100100
IP CLIENT : 10.151.36.227
IP server docker : 10.151.36.134
PORT : 9001
*First step: I create an image*
docker run -d -it --net bridge --name 5114100100_10.151.36.227 --publish 9001:3128 fourirakbar/debian-squid:version2
*Second step: I create rules with iptables*
iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.227 -p tcp --dport 80 -j DNAT --to 10.151.36.134:9001
iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.134 -p tcp --dport 443 -j DNAT --to 10.151.36.134:9001
*First, my squid.conf in the container*
visible_hostname X450LD
http_port 3128
http_access allow all
*Then, if I set the proxy setting manually in the browser client (I use Firefox)*
HTTP Proxy 10.151.36.134
Port 9001
it works fine
===================================
Now here's the problem:
I want to make it transparent. I tried every tutorial / GitHub example from other users,
and I made squid.conf in the container like this:
acl SUBNETAJK src 10.151.36.0/24
acl client1 src 10.151.36.227
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 445 # windows update
acl CONNECT method CONNECT
http_port 3128
http_port 3129 intercept
http_access allow SUBNETAJK
http_access deny all
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
never_direct allow all
cache_mem 64 MB
cache_swap_low 98
cache_swap_high 99
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
shutdown_lifetime 1 second
visible_hostname X450LD
*Then I change `--publish` to 3129 and run `docker run` again like this:*
docker run -d -it --net bridge --name 5114100123_10.151.36.227 --publish 9001:3129 fourirakbar/debian-squid:version2
And I didn't change the iptables rules. If I do `iptables -t nat -L` on the
server docker, it looks like this:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
DNAT       tcp  --  10.151.36.227        anywhere             tcp dpt:https to:10.151.36.134:9001
DNAT       tcp  --  10.151.36.227        anywhere             tcp dpt:http to:10.151.36.134:9001

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             !127.0.0.0/8         ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  172.17.0.0/16        anywhere
MASQUERADE all  --  172.18.0.0/16        anywhere
MASQUERADE tcp  --  172.17.0.2           172.17.0.2           tcp dpt:3129

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:9001 to:172.17.0.2:3129
When I try to open an http website like `elearning.if.its.ac.id` or
`monta.if.its.ac.id`, I get the error *unable to forward this request at this
time*
Does anyone know how to fix this? I hope someone can help me.
Thank you very much
And this is the access.log:
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377437/accesslog.png>
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
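As an added example (not part of the post above and not Squid's own tooling), the script below lints the posted squid.conf, `docker run` command and iptables rules for the intercept-mode pitfalls a reviewer would check first, with the inputs copied into constructed strings so it runs offline. The checks encode documented Squid behaviour: `never_direct allow all` with no `cache_peer` leaves Squid no path to any origin and is the usual cause of "Unable to forward this request at this time"; `http_access` is first-match, so rules placed after `deny all` are dead and a blanket `allow` placed before the `deny !Safe_ports` / `deny CONNECT !SSL_ports` lines lets those clients bypass them; and an `http_port ... intercept` only accepts plain HTTP, so DNATing port 443 into it cannot work without an `https_port ... intercept ssl-bump` listener. The `FIXED_CONF` block is an assumed corrected ordering, not something the poster supplied.

```python
"""Lint a squid.conf plus its docker/iptables wiring for intercept pitfalls.

Added example; the configuration strings are constructed copies of what the
post above shows (squid.conf trimmed to the directives the checks read).
"""
import re

POSTED_CONF = """\
acl SUBNETAJK src 10.151.36.0/24
acl client1 src 10.151.36.227
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_port 3128
http_port 3129 intercept
http_access allow SUBNETAJK
http_access deny all
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
never_direct allow all
"""
POSTED_DOCKER = ("docker run -d -it --net bridge --name 5114100123_10.151.36.227 "
                 "--publish 9001:3129 fourirakbar/debian-squid:version2")
POSTED_IPTABLES = [
    "iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.227 -p tcp --dport 80 -j DNAT --to 10.151.36.134:9001",
    "iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.134 -p tcp --dport 443 -j DNAT --to 10.151.36.134:9001",
]

# Assumed corrected squid.conf: denies first, no never_direct, same listeners.
FIXED_CONF = """\
acl localnet src 10.151.36.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_port 3128
http_port 3129 intercept
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""


def parse_conf(conf):
    """Split squid.conf into (directive, [args]) pairs, dropping comments and blanks."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directive, *args = line.split()
            rules.append((directive, args))
    return rules


def published_ports(docker_cmd):
    """Map host port -> container port from each --publish/-p HOST:CONTAINER."""
    return {int(h): int(c) for h, c in re.findall(r"(?:--publish|-p)\s+(\d+):(\d+)", docker_cmd)}


def dnat_targets(iptables_cmds):
    """Return (client_dport, target_port) for each '--dport X -j DNAT --to IP:PORT' rule."""
    out = []
    for cmd in iptables_cmds:
        m = re.search(r"--dport\s+(\d+).*-j\s+DNAT\s+--to(?:-destination)?\s+[\d.]+:(\d+)", cmd)
        if m:
            out.append((int(m.group(1)), int(m.group(2))))
    return out


def lint(conf, docker_cmd, iptables_cmds):
    """Return human-readable findings; an empty list means no pitfall was detected."""
    rules = parse_conf(conf)
    findings = []

    # 1. never_direct allow all forces every request via a cache_peer; with none
    #    defined Squid replies "Unable to forward this request at this time".
    if any(d == "never_direct" and a[:2] == ["allow", "all"] for d, a in rules) \
            and not any(d == "cache_peer" for d, _ in rules):
        findings.append("never_direct allow all but no cache_peer: nothing can be forwarded")

    # 2. http_access is first-match: rules after 'allow all'/'deny all' are dead,
    #    and safety denies after an earlier allow are bypassed by those clients.
    access = [a for d, a in rules if d == "http_access"]
    fmt = lambda a: "http_access " + " ".join(a)
    terminal = next((i for i, a in enumerate(access) if a[1:] == ["all"]), len(access))
    first_allow = next((i for i, a in enumerate(access) if a[0] == "allow"), None)
    for i, a in enumerate(access):
        if i > terminal:
            findings.append(f"{fmt(a)} is unreachable after '{fmt(access[terminal])}'")
        elif a[0] == "deny" and a[1:] != ["all"] and first_allow is not None and i > first_allow:
            findings.append(f"{fmt(a)} is bypassed by the earlier '{fmt(access[first_allow])}'")

    # 3. Follow each DNAT through the docker publish map to the Squid listener it hits.
    listeners = {}
    for d, a in rules:
        if d in ("http_port", "https_port") and a:
            listeners[int(a[0].rsplit(":", 1)[-1])] = (d, a[1:])
    publish = published_ports(docker_cmd)
    for dport, host_port in dnat_targets(iptables_cmds):
        cport = publish.get(host_port, host_port)  # unpublished port: assume same number
        if cport not in listeners:
            findings.append(f"port {dport} is DNATed to {host_port}->{cport}, where Squid has no listener")
            continue
        kind, opts = listeners[cport]
        if "intercept" not in opts and "tproxy" not in opts:
            findings.append(f"port {dport} lands on {kind} {cport} without 'intercept'")
        if dport == 443 and kind == "http_port":
            findings.append(f"port 443 is DNATed to http_port {cport}: TLS needs https_port ... intercept ssl-bump")
    return findings


if __name__ == "__main__":
    for f in lint(POSTED_CONF, POSTED_DOCKER, POSTED_IPTABLES):
        print("-", f)
```

What the linter cannot see from text alone is the topology: Squid's intercept mode recovers the original destination from the NAT table of the kernel it runs on, so a DNAT applied on the wlp3s0 gateway and then re-DNATed by Docker into the container's network namespace leaves the container's Squid without that lookup. Running the DNAT on the Squid host itself (or using host networking for the container) is the usual fix once the `never_direct` and ordering findings are cleared.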