[squid-users] Transparent Squid Proxy - ERR_EMPTY_RESPONSE
Antony Stone
Antony.Stone at squid.open.source.it
Mon Aug 27 14:58:38 UTC 2018
On Monday 27 August 2018 at 16:04:16, zo_av wrote:
> I'm trying to redirect all of my subnet traffic to a transparent squid
> proxy using iptables on the router gateway (the squid proxy is located in
> the LAN).
So long as you use policy routing for this, and not address translation, it's
possible.
> I can browse sites that are https but can't access http sites; the error
> that appears in the browser is "ERR_EMPTY_RESPONSE".
>
> Also, I got these errors in the cache.log file:
> NF getsockopt(ORIGINAL_DST) failed on local=192.168.0.110:3129
> NAT/TPROXY lookup failed to locate original IPs on local=192.168.0.110:3129
Sounds like you're using NAT and not routing :(
> I'm using:
> Squid version: 3.5.27
> The iptables lines that we used for the redirection:
> 192.168.0.110:3129 - the squid box port+IP. 192.168.0.1 - the router's IP.
>
> iptables:
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.110:3129
>
> iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.110 --dport 3129 -j SNAT --to-source 192.168.0.1
Nope; won't work.
> squid.conf
>
> These are the lines that we have changed/added to the squid.conf:
>
> acl localnet src 192.168.0.0/24
>
> http_access allow localnet
> http_port 3128
> http_port 3129 intercept
Please see https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat and
be aware of the NOTE: NAT configuration will only work when used *on* the squid
box.
https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute will
help you with the setup you need in your situation.
Regards,
Antony.
--
The lottery is a tax for people who can't do maths.
Please reply to the list;
please *don't* CC me.
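
An added example, not part of the message above and not copied from the Squid wiki: a sketch of the split the reply describes, where the router only policy-routes port-80 packets to the Squid box and the NAT step runs on the Squid box itself, so the original destination is still available to Squid. The addresses and port 3129 come from the post; the interface name `eth0`, firewall mark 2 and routing table 2 are assumptions. By default it only prints the commands.

```shell
#!/bin/sh
# Added example. Values from the post: Squid box 192.168.0.110, intercept port 3129.
# Assumptions: LAN interface eth0, firewall mark 2, routing table 2.
SQUID_IP=192.168.0.110
SQUID_PORT=3129
LAN_IF=eth0
FWMARK=2
TABLE=2
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands; 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# On the router (192.168.0.1): no DNAT/SNAT. Packets keep their original
# destination IP and are only handed to the Squid box as next hop.
router_policy_route() {
    # The proxy's own outbound port-80 traffic must not be sent back to it.
    run iptables -t mangle -A PREROUTING -s "$SQUID_IP" -p tcp --dport 80 -j ACCEPT
    # Mark client HTTP traffic arriving from the LAN.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j MARK --set-mark "$FWMARK"
    # Marked packets use a table whose default route is the Squid box.
    run ip rule add fwmark "$FWMARK" table "$TABLE"
    run ip route add default via "$SQUID_IP" dev "$LAN_IF" table "$TABLE"
}

# On the Squid box: NAT happens here, so the kernel's conntrack entry that
# Squid queries with getsockopt(ORIGINAL_DST) exists on the same machine.
squid_local_redirect() {
    # Drop connections aimed directly at the intercept port.
    run iptables -t mangle -A PREROUTING -p tcp --dport "$SQUID_PORT" -j DROP
    # Redirect routed port-80 traffic to the intercept listener.
    run iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
}

echo "# router:";    router_policy_route
echo "# squid box:"; squid_local_redirect
```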