Re: [squid-users] FW: Question about IPTABLES Configuration / Squid Proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 15 Oct 2009 15:29:17 +1300

On Wed, 14 Oct 2009 17:19:27 -0400, Andrew Schmid
<andrew.schmid_at_triplecanopy.com> wrote:
> Hi,
>
> Here is quick info on my environment -
> I have a CentOS 5.3 box server as firewall/gateway/router.
> It has two interfaces
> eth0 - public internetIP
> eth1 - internal network IP (10.9.32.1)
>
> The server hands out DHCP to all clients, and the server is the gateway.
>
> I have installed squid proxy, and configured it to allow the local subnet,
> and added transparent option.
>
> I added this to my iptables
> # http proxy redirect
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination
> 10.9.32.1:3128
> -A POSTROUTING -o eth0 -j MASQUERADE
>
> The transparent caching now appears to work. However I came across this
> article which says this: "WARNING: This method of interception is not
> recommended. There are other methods such as Proxy.PAC and http_proxy
> environment variable which are as effective and less intrusive when
> multiple
> clients are involved."
> http://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource
>
> So I am trying to find the better way to do this. This is what I have come
> up with so far but does not seem to be working:
> -A PREROUTING -i eth0 -p tcp --dport 80 -j ACCEPT
> -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
> -A POSTROUTING -o eth0 -j MASQUERADE
>
> Is this correct? Does anyone have better suggestions on how to do this?

You seem to have misinterpreted the statement I made in the wiki. The
rules as demonstrated in the config are needed for NAT interception to
work.

The warning is about the whole approach of using iptables/firewall/NAT
interception as the problem, not the particular rules.

It then mentions a few other 'transparent' methods (proxy PAC/WPAD and the
unix http_proxy environment variable) which are automatic and invisible to
the users, but do not have the same limits NAT does.

WPAD/PAC is also covered in some detail in the wiki under
SquidFaq/ConfiguringBrowsers, is slightly more complicated to set up but
once going it's much better to use than NAT since it allows browsers and
other software to pass HTTPS and FTP properly through the proxy and do
authentication if needed/wanted.

FWIW: updating the example to be a bit clearer.

Amos
Received on Thu Oct 15 2009 - 02:29:24 MDT
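The PAC approach Amos recommends over NAT interception, as an added example that is not taken from the wiki or from this thread: a FindProxyForURL() for the network described in the question (proxy at 10.9.32.1:3128, internal LAN assumed to be 10.9.32.0/24). The guarded stand-in helpers at the end exist only so the file can be exercised under node; a browser supplies its own isInNet()/isPlainHostName().

```javascript
// Proxy auto-config (PAC) for the network in the question: proxy at
// 10.9.32.1:3128, internal LAN 10.9.32.0/24 (assumed from the post).
function FindProxyForURL(url, host) {
  // Unqualified intranet names and loopback never go through the proxy.
  if (isPlainHostName(host) || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Hosts on the internal LAN are reached directly. In a browser isInNet()
  // resolves a name to an address first, so keep it as the last check.
  if (isInNet(host, "10.9.32.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Everything else (http, https, ftp alike) goes via squid, so the proxy
  // sees CONNECT and FTP requests instead of only port-80 NAT redirects.
  // "; DIRECT" lets clients fall back if the proxy is unreachable.
  return "PROXY 10.9.32.1:3128; DIRECT";
}

// Dotted-quad IPv4 string -> integer, or null if not a valid address.
function ip4ToInt(s) {
  var parts = s.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Stand-ins for the browser-provided PAC helpers, installed only when the
// file is run outside a browser (e.g. under node to check the rules).
// Unlike a real browser, this isInNet() does no DNS lookup: a hostname
// that is not a literal address is treated as "not in the net".
if (typeof isInNet !== "function") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.isInNet = function (host, pattern, mask) {
    var h = ip4ToInt(host), p = ip4ToInt(pattern), m = ip4ToInt(mask);
    if (h === null || p === null || m === null) return false;
    return (h & m) === (p & m);
  };
}
```

Serve the file as proxy.pac (or as wpad.dat for WPAD auto-discovery) from the gateway and point clients at it, as described under SquidFaq/ConfiguringBrowsers.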

This archive was generated by hypermail 2.2.0 : Thu Oct 15 2009 - 12:00:03 MDT