[squid-users] Squid Intercept Issue

Amos Jeffries squid3 at treenet.co.nz
Fri Apr 18 06:36:23 UTC 2025


On 18/04/25 00:32, manoj ramakrishna95 wrote:
> Hello Team,
> 
> I hope you are well, been working on the powerful squid proxy for the 
> past few months and have been stuck at a dead end while setting up a 
> transparent proxy.
> My goal is to set up a squid proxy as a transparent proxy for http.
> Below is the config file (have included only the important part not all),
> I have a fedora box as a client where I have mentioned the squid proxy 
> ip and a demo website in
> /etc/hosts file forcing it to go through the squid proxy.
> my.squid.ip.address www.neverssl.com


The setup you have on your client is trying to use the proxy as if it 
were an origin server. Squid receives such traffic with:

   http_port 80 accel

   https_port 443 accel \
      tls-cert=/cert/and/key/for/neverssl.com.pem


For transparent proxy, it is your network router which needs rules 
passing port 80/443 traffic from client->Internet to the proxy machine.


> 
> And on the server is the below configuration and output which I have shared.
> _________
> http_port 0.0.0.0:3128
> http_port 192.168.124.130:3130 intercept
> acl SSL_ports port 443
> acl Safe_ports port 80 443 3128 3129 3130 3131 21 70 210 280 488 591 777 1025-65535
> # === ACLs and Access Rules ===
> acl localnet src 192.168.124.0/24
> acl fedora_client src 192.168.0.0/16
> acl localhost src 127.0.0.1/32
> acl SSL_ports port 443
> acl Safe_ports port 80 443 3128 3129 3130 3131 21 70 210 280 488 591 777 1025-65535
> acl CONNECT method CONNECT
> http_access allow all

Please restore the basic security protections:

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports

...

> ____________
> Below are the iptables rules
> #iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> #iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
> #iptables -A INPUT -p tcp --dport 3130 -j ACCEPT
> #iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 80 -j REDIRECT --to-port 3130

Okay. You should also have a MASQUERADE rule, and a "mangle" table 
protection against malware hijacking your proxy's intercept port.

See <https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>


HTH
Amos
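The rule set the reply asks for, written out as an added example (it is not from this thread or from the Squid project). It assumes the proxy host is also the LAN's default router, so REDIRECT is usable, and it takes the proxy address 192.168.124.130, the client-facing interface enp1s0 and the intercept port 3130 from the thread; the Internet-facing interface name enp2s0 is an assumption. The script prints the commands rather than running them, so the result can be reviewed and then piped to sh on the router.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or the Squid project: emit
# the iptables rule set for a transparent (intercept) Squid. Assumed layout:
# the proxy host is also the LAN router (so REDIRECT works), with
#   squid_ip    192.168.124.130  address of the proxy host (from the thread)
#   lan_if      enp1s0           interface facing the clients (from the thread)
#   wan_if      enp2s0           interface towards the Internet (assumed)
#   icept_port  3130             the "http_port ... intercept" listener (thread)
set -eu

# Print the rules instead of applying them, so they can be reviewed first.
render_rules() {
    squid_ip="$1"; lan_if="$2"; wan_if="$3"; icept_port="$4"

    # Clients route all their other traffic through this host.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # mangle PREROUTING is traversed before nat PREROUTING, so a packet that
    # arrives already addressed to the intercept port was NOT redirected by
    # us (a client, or malware, talking to the proxy port directly): drop it.
    # Packets we redirect still carry dport 80 at this point and pass.
    echo "iptables -t mangle -A PREROUTING -p tcp --dport $icept_port -j DROP"

    # Never re-intercept the proxy's own outbound port-80 connections should
    # they transit this chain (harmless when Squid runs on this host).
    echo "iptables -t nat -A PREROUTING -i $lan_if -s $squid_ip -p tcp --dport 80 -j ACCEPT"

    # Divert client port-80 traffic into Squid's intercept listener.
    echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $icept_port"

    # Squid opens its own connections to origin servers, and the router
    # forwards everything else; both leave with the WAN address.
    echo "iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE"

    # filter table: accept redirected traffic to the intercept port only from
    # the LAN side; keep the explicit proxy port 3128 open for configured clients.
    echo "iptables -A INPUT -i $lan_if -p tcp --dport $icept_port -j ACCEPT"
    echo "iptables -A INPUT -i $lan_if -p tcp --dport 3128 -j ACCEPT"
}

# Usage: ./intercept-rules.sh 192.168.124.130 enp1s0 enp2s0 3130        (review)
#        ./intercept-rules.sh 192.168.124.130 enp1s0 enp2s0 3130 | sh   (apply)
if [ "$#" -eq 4 ]; then
    render_rules "$@"
fi
```

The mangle DROP is the "protection against hijacking" from the reply: because it runs before the nat REDIRECT, it only matches connections that were aimed at port 3130 to begin with, never the ones Squid is meant to receive. The explicit proxy port 3128 stays reachable for clients that are configured to use it, so the /etc/hosts trick from the thread is no longer needed.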


