[squid-users] Intercept Squid Proxy with Docker
Amos Jeffries
squid3 at treenet.co.nz
Fri Apr 20 03:52:40 UTC 2018
On 20/04/18 04:05, fourirakbar wrote:
> I'm using Squid version 3.5
>
> My goal is to create a transparent proxy using docker container for each
> user, so I don't need to configure manual proxy setting in user.
Why have a different proxy per-user instead of a shared proxy?
The point of proxying is generally one of two use-cases:
1) centralized access control. Per-user proxies are not centralized.
2) caching. Which is done by the user's browser. Middle proxies like
Squid add nothing for an individual.
>
> *So this is what I want:*
> 1. Guest login to the system (done)
> 2. After login, system noted ID and IP (done)
> 3. In other machine (I call it "server docker"), I create a container with
> --name ID and IP and --publish specific port from the guest (done)
> 4. Create iptables for the user with specific IP and PORT (done, but I'm
> not sure)
> 5. If a guest wants to connect to the internet, the guest must go through that
> container (not yet)
>
> *Example:*
> ID : 5114100100
> IP CLIENT : 10.151.36.227
> IP server docker : 10.151.36.134
> PORT : 9001
>
> *First step: I create an image*
> docker run -d -it --net bridge --name 5114100100_10.151.36.227 --publish 9001:3128 fourirakbar/debian-squid:version2
>
> *Second step: I create rules with iptables*
> iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.227 -p tcp --dport 80 -j DNAT --to 10.151.36.134:9001
> iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.134 -p tcp --dport 443 -j DNAT --to 10.151.36.134:9001
Not possible. Squid requires access to the OS NAT tables. It cannot do
that when the NAT tables are on a different machine/VM/container.
You must *route* traffic to the Squid machine/container.
>
> *first my squid.conf in container*
> visible_hostname X450LD
> http_port 3128
> http_access allow all
>
Very broken, and kind of pointless;
* you are not doing any kind of control at all, and
* caching does not work at all well because it is per-user, and
* the most you will get out of this is logs. BUT with NAT happening
outside the container the log contents will be lies.
> *Then, if I set proxy setting manual in browser client (I use firefox)*
> HTTP Proxy 10.151.36.134
> Port 9001
>
> it's working fine
Because this proxy is set up as a forward-proxy ONLY.
> ===================================
>
> Now here's the problem:
>
> I want to make it transparent. I tried every tutorial / GitHub from other users
> and I made squid.conf in the container like this:
>
> acl SUBNETAJK src 10.151.36.0/24
> acl client1 src 10.151.36.227
...
> http_port 3128
> http_port 3129 intercept
> http_access allow SUBNETAJK
> http_access deny all
> http_access deny CONNECT !SSL_ports
> http_access deny !Safe_ports
>
> never_direct allow all
...
>
> When I try to open http website like `elearning.if.its.ac.id` or
> `monta.if.its.ac.id`, it got error *unable to forward this request at this
> time*
>
Because "never_direct allow all" forbids the proxy from looking up where
traffic is supposed to be going. It is only permitted to send traffic
through a cache_peer ... of which you have zero.
Amos
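A small squid.conf check, added here as an example and not part of this thread or of Squid itself. It scans a config for the defect Amos names (never_direct allow all with no cache_peer, which yields "Unable to forward this request") and for a second one visible in the quoted config: http_access rules placed after "http_access deny all", which Squid's first-match evaluation never reaches. The sample config below is constructed from the lines quoted above; the elided parts are not reconstructed.

```python
import re

# Constructed sample: the intercept squid.conf quoted in the thread (only the
# lines that were quoted; the "..." parts are left out).
SAMPLE_CONF = """\
acl SUBNETAJK src 10.151.36.0/24
acl client1 src 10.151.36.227
http_port 3128
http_port 3129 intercept
http_access allow SUBNETAJK
http_access deny all
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
never_direct allow all
"""

def parse_directives(text):
    """Return [(directive, [args])] for non-comment, non-empty lines."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip trailing comments
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out

def lint_squid_conf(text):
    """Return a list of findings for the two problems discussed in the thread."""
    directives = parse_directives(text)
    findings = []
    has_peer = any(d == "cache_peer" for d, _ in directives)
    for d, args in directives:
        if d == "never_direct" and args[:2] == ["allow", "all"] and not has_peer:
            findings.append("never_direct allow all with no cache_peer: "
                            "every request fails with 'Unable to forward'")
    # http_access is evaluated first-match; rules after an unconditional
    # 'allow all' / 'deny all' can never be reached.
    terminal_action = None
    for d, args in directives:
        if d != "http_access":
            continue
        if terminal_action is not None:
            findings.append("unreachable rule after 'http_access %s all': %s"
                            % (terminal_action, " ".join(args)))
        elif len(args) == 2 and args[1] == "all" and args[0] in ("allow", "deny"):
            terminal_action = args[0]
    return findings
```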