[squid-users] transparently proxy squid in a docker container

Justin Michael Schwartzbeck justinmschw at gmail.com
Thu Feb 25 19:01:10 UTC 2021


I ended up using redsocks for doing the transparent proxy; that is working
perfectly for me now. I don't need to configure squid for this after all.

On Wed, Feb 24, 2021 at 7:21 AM Justin Schwartzbeck <justinmschw at gmail.com>
wrote:

> I believe I have solved the forwarding loop issue by adding a preceding
> rule to -j ACCEPT all traffic originating from the docker network. Now I
> still have the SSL_ERROR_RX_RECORD_TOO_LONG issue, which seems to be
> unrelated. I will set logging to debug and do a wireshark session to see
> what might be going on.
>
> On Feb 23, 2021, at 8:14 PM, Justin Michael Schwartzbeck <
> justinmschw at gmail.com> wrote:
>>
>> Hi all,
>>
>> For some years I have used squid 3.5 with SSL bump and transparent proxy
>> locally on my laptop. I have been using the following in my squid.conf:
>>
>>
>> ssl_bump server-first all
>> http_port 3128
>> http_port 3129 intercept
>> http_port 3130 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/bluestar.crt key=/etc/squid/ssl/bluestar.pem
>>
>>
>> So if I want to manually set the proxy on the client side, I use port
>> 3128, but by default all http/https traffic is redirected to ports 3129 and
>> 3130, respectively. Here are my iptables rules:
>>
>>
>> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j RETURN
>> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner dockeruser -j RETURN
>> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
>> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner root -j RETURN
>> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner dockeruser -j RETURN
>> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
>>
>>
>> dockeruser is the user that starts the docker container, and proxy is the
>> actual squid user. I didn't know which one I needed a rule for, so I just
>> chose both.
>>
>> As I said before, this worked great when I was running squid 3.5 on bare
>> metal. Now I am running squid 4 in a docker container. I am seeing the
>> following error many times in the squid logs when I try to use the
>> transparent proxy:
>>
>>
>> 2021/02/24 01:45:17| WARNING: Forwarding loop detected for:
>> GET /success.txt HTTP/1.1
>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
>> Accept: */*
>> Accept-Language: en-US,en;q=0.5
>> Accept-Encoding: identity,gzip,deflate
>> Pragma: no-cache
>> Via: 1.1 19deb96addda (squid/4.11)
>> X-Forwarded-For: 172.18.0.1
>> Cache-Control: no-cache
>> Host: detectportal.firefox.com
>>
>>
>> And from firefox I see this:
>>
>> WARNING: Forwarding loop detected for
>>
>> SSL_ERROR_RX_RECORD_TOO_LONG
>>
>>
>> I feel like I am very close, but I'm not sure what I am missing. Does
>> someone else know of a better way to do this? I had assumed that since I
>> publish the ports, I should be able to redirect to them the same way I
>> would if squid were running locally.
>>
>>
>> I would appreciate any help in figuring this out.
>>
>> Thanks,
>>
>> -Justin
>>
>>
>>
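Squid logs "Forwarding loop detected" when a request's Via header already names the proxy itself; in the excerpt above the received-by token is the container's hostname (19deb96addda). The parser and check below is an added example, not code from the thread or from Squid; the request text it runs on is constructed from the headers quoted above, and the hostname passed in is assumed to be the container's.

```python
import re
from typing import Dict, List, Optional

# Constructed from the log excerpt in this thread (not a live capture).
LOG_EXCERPT = """2021/02/24 01:45:17| WARNING: Forwarding loop detected for:
GET /success.txt HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Via: 1.1 19deb96addda (squid/4.11)
X-Forwarded-For: 172.18.0.1
Host: detectportal.firefox.com
"""

# One Via element: [protocol-name "/"] protocol-version received-by [comment]
_VIA_ELEMENT = re.compile(
    r"^(?:(?P<proto>[A-Za-z]+)/)?(?P<ver>[\w.]+)\s+(?P<by>[^\s(]+)"
    r"(?:\s*\((?P<comment>[^)]*)\))?$"
)

def _split_elements(header: str) -> List[str]:
    """Split on commas, but not on commas inside a parenthesised comment."""
    parts, cur, depth = [], [], 0
    for ch in header:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(0, depth - 1)
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def parse_via(header: str) -> List[Dict[str, Optional[str]]]:
    """Return the hops of a Via header, oldest first, as dicts of proto/ver/by/comment."""
    hops = []
    for element in _split_elements(header):
        m = _VIA_ELEMENT.match(element)
        if not m:
            raise ValueError(f"unparseable Via element: {element!r}")
        hops.append(m.groupdict())
    return hops

def via_from_request(raw_request: str) -> Optional[str]:
    """Pull the Via header value out of a raw request dump such as a squid log excerpt."""
    for line in raw_request.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "via":
            return value.strip()
    return None

def detects_forwarding_loop(via_header: str, own_hostname: str) -> bool:
    """True when our own hostname is already a received-by token: the request has been here before."""
    return any(hop["by"] == own_hostname for hop in parse_via(via_header))
```

Run against the excerpt with the container hostname, this returns True; against a Via naming only an upstream proxy it returns False, which is the difference between a genuine loop and a legitimate chained proxy.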