[squid-users] transparent or intercept proxy with iptables and haproxy
Matus UHLAR - fantomas
uhlar at fantomas.sk
Sun Jun 22 17:49:09 UTC 2025
On 19.06.25 15:29, Brendan Kearney wrote:
>i am trying to setup a transparent or intercept proxy, where a client
>does not know or is not configured to use a proxy, but winds up going
>through squid instances. i have an iptables firewall, and can perform
>DNAT,
DNAT is dangerous, because the proxy on remote machine loses the real IP the
connection was directed to.
You need to use policy routing, where you forward packets to another host
which will intercept the connections itself.
> to point the traffic at a haproxy VIP. the haproxy VIP will use
>least-conn load balancing to pick which of my 3 squid instances to
>send the traffic to. i would like to configure the squid instances to
>handle the traffic coming in this way.
>
>i am unclear as to the differences between intercept and tproxy, so
>some clarity there would be helpful.
"intercept" intercepts connection to remote hosts and handles it (and
replies) locally.
The proxy fakes being the destination server to the client.
"tproxy" does the same, but even changes the client's IP, as if the
connection came from the client.
The proxy fakes being the client to the server (in addition to the above).
You don't need tproxy if your clients and proxy are behind NAT, translating
to the same IP.
> i believe transparent requires
>that the NAT'ing be done "on-box" as opposed to across the network by
>my router. is this accurate? are there any other differences? which
>is the appropriate mechanism for my use case?
Again, don't do DNAT.
If you redirect HTTP connections on your router to the proxy, use policy
routing and do intercept on the proxy.
>the connection chain would look something like this:
>
>client -> router (DNAT to VIP) -> haproxy VIP (port 3129, SNAT to VIP
>IP) -> squid (port 3129) -> internet
>
>is this kind of config viable, and if so, what pieces do i have
>wrong? in this scenario is transparent or intercept the proper means
>within squid?
You need to find out how HAPROXY handles intercepted connections.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.
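The two-box setup the reply recommends (router policy-routes port-80 packets to the proxy host with the destination address left intact, proxy host redirects them into Squid's intercept port), written out as an added example; this is not configuration from the thread or from the Squid project, and every interface name, address, table id and the single-Squid layout are assumptions. It also shows the tproxy variant the reply contrasts with intercept, so the extra rules that mode needs are visible side by side. Commands are printed for review unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread). Router marks client HTTP traffic and
# policy-routes it to the proxy host unchanged (no DNAT), so Squid still sees
# the real destination. All values below are assumptions.
LAN_IF="${LAN_IF:-eth1}"            # router interface facing clients (assumed)
PROXY_IP="${PROXY_IP:-192.0.2.10}"  # proxy host next-hop from the router (assumed, RFC 5737 range)
PROXY_IN_IF="${PROXY_IN_IF:-eth0}"  # proxy interface the router forwards into (assumed)
SQUID_PORT="${SQUID_PORT:-3129}"    # same port number used in the thread
MARK=1                              # fwmark selecting the proxy routing table
TABLE=100                           # policy-routing table id (assumed)

# Print each command unless APPLY=1, so the rule set can be reviewed first.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Router side: mark client port-80 packets and hand them to the proxy host via
# a separate routing table. Packets sourced by the proxy itself are excluded,
# otherwise its own outbound fetches would be looped back to it.
router_policy_routing() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" ! -s "$PROXY_IP" \
        -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$PROXY_IP" table "$TABLE"
}

# Proxy side, intercept mode: REDIRECT is local to this host, so the original
# destination stays available to Squid through conntrack. Replies to the
# client carry the proxy's own source address.
proxy_intercept_rules() {
    run iptables -t nat -A PREROUTING -i "$PROXY_IN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# Proxy side, tproxy mode: Squid also spoofs the client's address towards the
# server, so the server's replies must route back through this host. The
# DIVERT chain keeps packets of already-established local sockets on the
# local table instead of re-evaluating the TPROXY target for each one.
proxy_tproxy_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -i "$PROXY_IN_IF" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$SQUID_PORT"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Squid listener line for the chosen mode ("intercept" or "tproxy").
squid_port_conf() {
    printf 'http_port %s %s\n' "$SQUID_PORT" "$1"
}

# Sanity check for a generated rule set: succeeds only if no DNAT target is
# present, which is the mistake the reply warns about.
check_no_dnat() {
    ! printf '%s\n' "$1" | grep -q 'DNAT'
}

# Default run: show the intercept-mode rule set and Squid line for review.
router_policy_routing
proxy_intercept_rules
squid_port_conf intercept
```

Run with `APPLY=1 sh transparent-proxy.sh` on the router and on the proxy host respectively once the printed rules look right; the router and proxy functions are meant to be applied on different machines, and the tproxy function replaces, rather than complements, the intercept one.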