[squid-users] transparent or intercept proxy with iptables and haproxy

Amos Jeffries squid3 at treenet.co.nz
Sun Jun 22 17:53:24 UTC 2025


On 20/06/25 07:29, Brendan Kearney wrote:
> list members,
> 
> i am trying to setup a transparent or intercept proxy, where a client 
> does not know or is not configured to use a proxy, but winds up going 
> through squid instances.  i have an iptables firewall, and can perform 
> DNAT, to point the traffic at a haproxy VIP.  the haproxy VIP will use 
> least-conn load balancing to pick which of my 3 squid instances to send 
> the traffic to.  i would like to configure the squid instances to handle 
> the traffic coming in this way.
> 
> i am unclear as to the differences between intercept and tproxy, so some 
> clarity there would be helpful.

"intercept" (NAT Interception) uses NAT systems to change the 
destination IP:port on TCP packets sent by the client, such that they 
are delivered to a listening IP:port of some process on the local machine.

"tproxy" (Transparent Proxy) uses the Linux iptables feature called 
"TPROXY" (on BSD the PF feature is called "divert") to deliver TCP 
packets sent by the client to some process on the local machine.


>  i believe transparent requires that the 
> NAT'ing be done "on-box" as opposed to across the network by my router.

They both do.


> is this accurate?  are there any other differences?

NAT erases the original IP:port details the client sent to. Squid using 
NAT intercept will use the Squid machine IP as sender/source-IP on 
traffic to upstream servers.

Squid using TPROXY will preserve the client source-IP on traffic to 
upstream servers. This requires special care with routing for the 
intercepted traffic handling not to lose/drop packets.


>  which is the 
> appropriate mechanism for my use case?
> 

  * TPROXY is "The Right Way" - but complex.

  * NAT is more popular due to admin already being familiar with 
configuring those systems.

Your choice.



> the connection chain would look something like this:
> 
> client -> router (DNAT to VIP) -> haproxy VIP (port 3129, SNAT to VIP 
> IP) -> squid (port 3129) -> internet
> 

No. Interception is the mechanism by which client->server traffic is 
converted into client->proxy.

Only the **first** proxy in your hierarchy receives the intercepted TCP 
connections. That would be your HAProxy.

client -> router -> haproxy -> squid -> router -> Internet

On router:
  route src-IP=clients + dst-port=80 to gateway VIP1
  route src-IP=VIP2 + dst-port=80 to gateway Internet

On haproxy machine (VIP1):
  iptables DNAT port 80 to port 3129

On Squid machine (VIP2):
  regular forward proxy configuration. Nothing special needed.


HTH
Amos


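As an added example (not part of Amos's reply or Brendan's question), here is a small Python model of the chain described above: the router's policy routes, the port 80 to 3129 DNAT on the haproxy machine, and Squid's upstream connection. It traces one client request and reports whether it reaches the origin or loops back into the interception rule. All addresses are constructed; the "src+ingress" rule set and its ingress-interface check are an assumption added to show why TPROXY (which keeps the client source-IP) needs the routing care mentioned in the reply; and Squid taking the origin from the HTTP Host header is assumed because the DNAT happened on a different machine, so the original destination is not available locally.

```python
"""Constructed model of: client -> router -> haproxy (VIP1) -> squid (VIP2) -> router -> Internet.

Not real iptables code; it only reproduces the routing decisions so the
loop cases can be seen. All addresses below are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

CLIENTS = ip_network("192.168.10.0/24")   # assumed LAN client range
VIP1 = ip_address("10.0.0.1")             # assumed haproxy VIP
VIP2 = ip_address("10.0.0.2")             # assumed squid machine address
ORIGIN = ip_address("203.0.113.10")       # assumed web server (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    ingress: str   # router interface the packet arrived on: "lan" or "proxy_net"


def router_next_hop(pkt: Packet, rules: str) -> str:
    """Policy routing on the router for port-80 traffic.

    "dport-only"  : match on dst-port alone (a common mistake; it loops).
    "src"         : the rule set from the reply: src=clients -> VIP1, src=VIP2 -> Internet.
    "src+ingress" : assumed extra check on the ingress interface, needed once the
                    proxy's upstream packets carry a client source-IP (TPROXY).
    """
    if pkt.dport != 80:
        return "internet"            # default route
    if rules == "dport-only":
        return "VIP1"
    if rules == "src":
        if pkt.src == VIP2:
            return "internet"
        return "VIP1" if pkt.src in CLIENTS else "internet"
    if rules == "src+ingress":
        if pkt.src in CLIENTS and pkt.ingress == "lan":
            return "VIP1"
        return "internet"
    raise ValueError(f"unknown rule set {rules!r}")


def trace(client: IPv4Address, mode: str, rules: str) -> list:
    """Follow one client request through the chain. mode is "nat" or "tproxy"."""
    if mode not in ("nat", "tproxy"):
        raise ValueError(f"unknown mode {mode!r}")
    hops = []
    pkt = Packet(client, ORIGIN, 80, "lan")
    nh = router_next_hop(pkt, rules)
    hops.append(f"router:{nh}")
    if nh != "VIP1":
        hops.append("origin")        # never intercepted
        return hops
    # haproxy machine: iptables DNAT dport 80 -> 3129. The original dst is erased here.
    local = Packet(pkt.src, VIP1, 3129, "lan")
    hops.append(f"haproxy:DNAT {pkt.dst}:80->{local.dst}:{local.dport}")
    # haproxy opens its own TCP connection to one squid instance (least-conn picks one).
    to_squid = Packet(VIP1, VIP2, 3129, "proxy_net")
    hops.append(f"squid:{to_squid.dst}:{to_squid.dport}")
    # Squid recovers the origin from the Host header (assumed) and connects upstream.
    # NAT intercept: source is the Squid machine. TPROXY: source is the client IP.
    upstream_src = VIP2 if mode == "nat" else client
    up = Packet(upstream_src, ORIGIN, 80, "proxy_net")
    nh2 = router_next_hop(up, rules)
    hops.append(f"router:{nh2}")
    hops.append("origin" if nh2 == "internet" else "LOOP")
    return hops


if __name__ == "__main__":
    c = ip_address("192.168.10.25")   # constructed client
    for mode, rules in (("nat", "src"), ("nat", "dport-only"),
                        ("tproxy", "src"), ("tproxy", "src+ingress")):
        print(f"{mode:6} {rules:12} -> {' > '.join(trace(c, mode, rules))}")
```

The "nat"/"src" run is the chain from the reply and ends at the origin; "dport-only" shows the Squid machine's own port-80 traffic being sent back to VIP1; and "tproxy"/"src" shows that the same src-IP based rule set loops once the upstream connection carries the client's address, which is the routing care the reply refers to.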
