[squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

setuid setuid at gmail.com
Wed Feb 7 22:30:54 UTC 2018


On 02/07/2018 04:38 PM, Rafael Akchurin wrote:
> If you do not mind looking at other tutorials - these are what we have in the test lab.

> https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html

I can confirm that the instructions in this tutorial result in the same
exact failure scenario as all previous attempts and tests (once I
removed the unnecessary Apache/Web Safety bits).

Firewall rules are:

-A INPUT -i eth0 -p tcp -m tcp --dport 3126 -c 0 0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -c 0 0 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -c 0 0 -j ACCEPT

Squid config is generic, with the exception of:

http_port 3126 intercept

There is a single interface on the host, which resides on the LAN _and_
is Internet-facing (eth0).

The result is that I get the same as before:

==> /var/log/squid3/access.log <==
1518042565.613      0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/- text/html

If I point the client (curl, browser, perl + LWP) at the proxy directly
on 3128, it works as expected.

I am firmly convinced that _transparent_ proxying with squid is 100%
non-functional. The proxy works fine, but transparent proxying is
demonstrably broken in anything later than 3.x.
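
An added example, not part of the original post or of Squid: a small Python triage for access.log entries in Squid's native format. It rejoins an entry that was wrapped across lines, as in the message above, and flags requests that Squid answered itself with a 4xx/5xx status without contacting any upstream (HIER_NONE). The function names and the second sample entry are constructed for illustration.

```python
import re

# Squid "native" access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
ENTRY = re.compile(
    r"(?P<time>\d+\.\d+)\s+(?P<elapsed>-?\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<type>\S+)"
)

def unwrap(text):
    """Rejoin entries that a mail client or terminal wrapped across lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("==>"):    # blank lines, `tail` file banners
            continue
        if re.match(r"\d+\.\d+\s", line) or not entries:
            entries.append(line)                  # a new entry starts with a timestamp
        else:
            entries[-1] += " " + line             # continuation of the previous entry
    return entries

def parse(entry):
    """Return the fields of one entry as a dict, or None if it does not parse."""
    m = ENTRY.fullmatch(entry)
    return m.groupdict() if m else None

def triage(text):
    """List (client, status, notes) for errors generated by the proxy itself."""
    findings = []
    for e in filter(None, map(parse, unwrap(text))):
        if e["hier"] == "HIER_NONE" and e["status"][0] in "45":
            notes = ["no upstream contacted"]
            if e["code"] == "TAG_NONE":
                notes.append("result tag is TAG_NONE")
            if e["url"].startswith("/"):
                notes.append("URL logged as path only")
            findings.append((e["client"], int(e["status"]), notes))
    return findings

# Constructed sample: the wrapped entry from the post plus one made-up successful fetch.
SAMPLE = """==> /var/log/squid3/access.log <==
1518042565.613      0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/-
text/html
1518042570.101     42 192.168.1.50 TCP_MISS/200 1270 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```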


