Re: [squid-users] Transparent proxy

From: Monah Baki <monahbaki_at_gmail.com>
Date: Sat, 30 Nov 2013 07:58:13 -0500

Thanks, the error went away. All that remains is my iptables rules.

On Sat, Nov 30, 2013 at 7:45 AM, Pavel Kazlenka
<pavel.kazlenka_at_measurement-factory.com> wrote:
> On 11/30/2013 03:33 PM, Monah Baki wrote:
>>
>> Hi Amos,
>>
>> Thanks for the explanation. I switched to intercept yet once I restart
>> squid, I am still seeing the "No forward proxy ports configured".
>>
>> The same machine later on will also be running iptables since it has 2
>> NICs in it.
>
> You need both one 'intercept' and one 'forward proxy' port in config even if
> you don't use forward proxy:
>
> http_port 3129
> http_port 3128 intercept
>
>>
>> Monah
>>
>> On Sat, Nov 30, 2013 at 4:56 AM, Amos Jeffries <squid3_at_treenet.co.nz>
>> wrote:
>>>
>>> On 30/11/2013 10:26 a.m., Monah Baki wrote:
>>>>
>>>> Hi all,
>>>>
>>>>
>>>> I'm trying to set up a transparent proxy with Squid 3.3.9 using the following
>>>> URL:
>>>>
>>>> http://www.broexperts.com/2013/03/squid-as-transparent-proxy-on-centos-6-4/
>>>>
>>>> What's the difference between
>>>>
>>>> http_port 3128 transparent
>>>
>>> The above expects all arriving traffic to be in HTTP port 80 origin
>>> server format. Used for receiving intercept-proxy traffic.
>>>
>>> Also, the TCP level details are assumed to have passed through some form
>>> of NAT system and need to be un-NAT'd before use. In Squid since 3.2 if
>>> the original TCP details are not found in the NAT records some
>>> restrictions are placed on what happens with the request and response.
>>>
>>>
>>>> and
>>>> http_port 3128
>>>>
>>> This one expects all arriving traffic to be an HTTP proxy format. Used
>>> for receiving forward-proxy traffic.
>>>
>>>> If I were to configure with http_port 3128 transparent and restart
>>>> squid I get in my access.log file:
>>>> ERROR: No forward-proxy ports configured.
>>>>
>>>> If I were to then browse, nothing happens.
>>>>
>>>> I am not running iptables by the way.
>>>
>>> iptables or some other NAT system is mandatory for getting the traffic
>>> to an intercept port. Squid is fetching the TCP details from the kernel
>>> NAT records and using that as the preferred destination on outbound
>>> connections.
>>>
>>> As for the tutorial, it is broken in several major ways, which for an
>>> 8-line example is remarkable in itself. Consider following the official
>>> wiki configuration example instead
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>>>
>>>
>>> * The "transparent" option has been deprecated by "intercept" option
>>> since 2010.
>>>
>>> * Using DNAT rules without matching SNAT rules prevents TCP reply
>>> packets working at all. I'm not surprised half the comments are about it
>>> "not working".
>>>
>>> * Having both REDIRECT and DNAT rules on the same box is overkill
>>> anyway. DNAT is best for machines with a static IP address, REDIRECT for
>>> machines with dynamically assigned IP address or if writing examples for
>>> complete newbies.
>>>
>>> * Using port 3128 for the intercept port is a very BAD idea. There are
>>> active attacks in the wild scanning for open proxy ports and intercept
>>> without firewall protection on the port is ripe for attack. It should be
>>> a secret port which you can firewall away from all access beyond the
>>> machine itself. Only the NAT firewall and Squid need to use it.
>>>
>>>
>>> HTH
>>> Amos
>
>
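An added example, not code from this thread or from the Squid project, showing one way to put Amos's and Pavel's points together for the two-NIC box Monah describes: one plain forward-proxy port plus a separate 'intercept' port in squid.conf, REDIRECT (not DNAT) because Squid runs on the router itself so no SNAT is needed for replies, and a firewall layout that lets only NAT-rewritten LAN traffic reach the intercept port. The interface names (eth1 facing the LAN, eth0 facing the Internet), the port numbers 3128/3129 and the helper names are assumptions for illustration. The script prints the rules by default so they can be reviewed before running it as root with `apply`.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project: a two-NIC
# Linux box running Squid 3.3 as an intercepting proxy for its LAN.
# Hypothetical assumptions: eth1 faces the LAN clients, eth0 faces the Internet,
# Squid's forward-proxy port is 3128 and its intercept port is a separate,
# non-default port (3129) that only the local NAT rules may reach.
set -eu

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
FORWARD_PORT="${FORWARD_PORT:-3128}"
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"

# Reject configurations the thread warns about: reusing one port for both roles,
# or putting the intercept listener on the well-known 3128 that proxy scanners probe.
check_ports() {
    fwd="$1"; icp="$2"
    [ "$fwd" != "$icp" ] || { echo "forward and intercept ports must differ" >&2; return 1; }
    [ "$icp" != 3128 ] || { echo "do not intercept on 3128; pick an unadvertised port" >&2; return 1; }
    return 0
}

# squid.conf needs BOTH a plain forward-proxy port and an 'intercept' port
# ('transparent' is the deprecated spelling of 'intercept').
squid_ports() {
    printf 'http_port %s\n' "$FORWARD_PORT"
    printf 'http_port %s intercept\n' "$INTERCEPT_PORT"
}

# iptables rules, printed rather than executed so they can be reviewed first.
# REDIRECT is used because Squid runs on the router itself: the destination is
# rewritten to this box's own address, so TCP replies need no matching SNAT.
nat_rules() {
    cat <<EOF
# Forward LAN traffic and masquerade whatever is not intercepted (e.g. HTTPS).
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
# Packets that arrive already addressed to the intercept port were not rewritten
# by NAT (mangle PREROUTING runs before nat PREROUTING): drop them, so only
# redirected LAN traffic and local processes can ever reach that port.
iptables -t mangle -A PREROUTING -p tcp --dport $INTERCEPT_PORT -j DROP
# Divert client HTTP from the LAN side into Squid's intercept port. Squid's own
# outbound fetches leave via OUTPUT, not PREROUTING, so there is no loop.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT
# Keep the forward-proxy port off the Internet-facing side as well.
iptables -A INPUT -i $WAN_IF -p tcp --dport $FORWARD_PORT -j DROP
EOF
}

check_ports "$FORWARD_PORT" "$INTERCEPT_PORT"
case "${1:-show}" in
    show)  squid_ports; nat_rules ;;
    apply) nat_rules | sh -e ;;    # run as root once the printed rules look right
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

The mangle-table DROP is what makes the intercept port "secret" in Amos's sense: a client or scanner that addresses the proxy's IP and port 3129 directly is discarded before NAT runs, while a packet whose destination port only becomes 3129 through the REDIRECT rule passes, and Squid then finds the original destination in the kernel's NAT records as it expects in intercept mode. If Squid and the NAT box were separate machines, DNAT to the Squid host plus a matching SNAT/MASQUERADE on the return path would be needed instead, which is the failure the tutorial's comments were hitting.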
Received on Sat Nov 30 2013 - 12:58:40 MST