[squid-users] transparently proxy squid in a docker container
Amos Jeffries
squid3 at treenet.co.nz
Wed Feb 24 10:52:48 UTC 2021
On 24/02/21 3:14 pm, Justin Michael Schwartzbeck wrote:
> Hi all,
>
> For some years I have used squid 3.5 with SSL bump and transparent proxy
> locally on my laptop. I have been using the following in my squid.conf:
>
>
> ssl_bump server-first all
> http_port 3128
> http_port 3129 intercept
> http_port 3130 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/bluestar.crt key=/etc/squid/ssl/bluestar.pem
>
>
> So if I want to manually set the proxy on the client side, I use port
> 3128, but by default all http/https traffic is redirected to port 3129
> and 3130, respectively. Here are my iptables rules:
>
>
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j RETURN
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner dockeruser -j RETURN
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner root -j RETURN
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner dockeruser -j RETURN
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
>
These rules are inside the container, yes?
>
> dockeruser is the user that starts the docker container, and proxy is
> the actual squid user. I didn't know which one I needed a rule for, so I
> just chose both.
>
Should be the "effective user" Squid runs as. Apparently "proxy" from
that description.
> As I said before, this worked great when I was running squid 3.5 on bare
> metal. Now I am running squid 4 in a docker container. I am seeing the
> following error many times in the squid logs when I try to use the
> transparent proxy:
>
>
> 2021/02/24 01:45:17| WARNING: Forwarding loop detected for:
>
Something on the network is routing traffic back to Squid. The most
common cause is missing or broken policy routing rules on a router.
Be aware that for containers or virtual systems the host OS may be
acting as a router for the container. As such it needs policy routing
like any other.
See
<https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute>
which has details of the rules needed, assuming your host OS is Linux.
Amos
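A quick way to check the rule ordering Amos describes, as an added example that is not part of this thread (the parser and the assumption that Squid's effective user is `proxy` are mine): it walks the nat OUTPUT rules in order and reports every REDIRECT whose destination port was not first exempted with a RETURN for Squid's effective user, which is exactly the setup that sends Squid's own upstream connections back into Squid.

```python
"""Flag Squid intercept REDIRECT rules that lack an owner exemption.

Squid's own outbound connections must hit a RETURN for the effective
user Squid runs as BEFORE the REDIRECT rule, otherwise those connections
are redirected back into the intercept port ("Forwarding loop detected").
"""
import shlex

# Constructed sample: the rules from the question, joined onto single lines.
SAMPLE_RULES = """
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner dockeruser -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner root -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner dockeruser -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
"""

def parse_rules(text):
    """Minimal parser: pull dport, uid-owner, target and to-ports from each rule."""
    rules = []
    for line in text.splitlines():
        argv = shlex.split(line.strip())
        if not argv or argv[0] != "iptables":
            continue
        rule = {"dport": None, "uid": None, "target": None, "to_ports": None}
        for i, tok in enumerate(argv[:-1]):
            if tok == "--dport":
                rule["dport"] = argv[i + 1]
            elif tok == "--uid-owner":
                rule["uid"] = argv[i + 1]
            elif tok == "-j":
                rule["target"] = argv[i + 1]
            elif tok == "--to-ports":
                rule["to_ports"] = argv[i + 1]
        rules.append(rule)
    return rules

def find_loop_risks(text, squid_user):
    """Return (dport, intercept_port) pairs redirected without a prior RETURN for squid_user."""
    exempted = set()   # destination ports already exempted for squid_user (chain order matters)
    risky = []
    for rule in parse_rules(text):
        if rule["target"] == "RETURN" and rule["uid"] == squid_user:
            exempted.add(rule["dport"])
        elif rule["target"] == "REDIRECT" and rule["dport"] not in exempted:
            risky.append((rule["dport"], rule["to_ports"]))
    return risky

if __name__ == "__main__":
    # Assumed effective user "proxy": both REDIRECTs are flagged, dockeruser alone is not enough.
    print(find_loop_risks(SAMPLE_RULES, "proxy"))
```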