[squid-users] transparent or intercept proxy with iptables and haproxy
Brendan Kearney
bpk678 at gmail.com
Thu Jun 19 19:29:16 UTC 2025
list members,

i am trying to set up a transparent or intercept proxy, where a client
does not know or is not configured to use a proxy, but winds up going
through squid instances. i have an iptables firewall, and can perform
DNAT, to point the traffic at a haproxy VIP. the haproxy VIP will use
least-conn load balancing to pick which of my 3 squid instances to send
the traffic to. i would like to configure the squid instances to handle
the traffic coming in this way.

i am unclear as to the differences between intercept and tproxy, so some
clarity there would be helpful. i believe transparent requires that the
NAT'ing be done "on-box" as opposed to across the network by my router.
is this accurate? are there any other differences? which is the
appropriate mechanism for my use case?

the connection chain would look something like this:

client -> router (DNAT to VIP) -> haproxy VIP (port 3129, SNAT to VIP
IP) -> squid (port 3129) -> internet

is this kind of config viable, and if so, what pieces do i have wrong?
in this scenario is transparent or intercept the proper means within squid?

thank you,

brendan kearney