Re: [squid-users] Transparent proxy

From: Pavel Kazlenka <pavel.kazlenka_at_measurement-factory.com>
Date: Sat, 30 Nov 2013 15:45:55 +0300

On 11/30/2013 03:33 PM, Monah Baki wrote:
> Hi Amos,
>
> Thanks for the explanation. I switched to intercept yet once I restart
> squid, I am still seeing the "No forward proxy ports configured".
>
> The same machine later on will also be running IPtables since it has 2
> NICs in it.
You need both one 'intercept' and one 'forward proxy' port in config
even if you don't use forward proxy:

http_port 3129
http_port 3128 intercept

>
>
> Monah
>
> On Sat, Nov 30, 2013 at 4:56 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 30/11/2013 10:26 a.m., Monah Baki wrote:
>>> Hi all,
>>>
>>>
>>> I'm trying to setup a transparent proxy squid 3.3.9 using the following URL:
>>>
>>>
>>> http://www.broexperts.com/2013/03/squid-as-transparent-proxy-on-centos-6-4/
>>>
>>> What's the difference between
>>>
>>> http_port 3128 transparent
>> The above expects all arriving traffic to be in HTTP port 80 origin
>> server format. Used for receiving intercept-proxy traffic.
>>
>> Also, the TCP level details are assumed to have passed through some form
>> of NAT system and need to be un-NAT'd before use. In Squid since 3.2 if
>> the original TCP details are not found in the NAT records some
>> restrictions are placed on what happens with the request and response.
>>
>>
>>> and
>>> http_port 3128
>>>
>> This one expects all arriving traffic to be in HTTP proxy format. Used
>> for receiving forward-proxy traffic.
>>
>>> If I were to configure with http_port 3128 transparent and restart
>>> squid I get in my access.log file:
>>> ERROR: No forward-proxy ports configured.
>>>
>>> If I were to then browse, nothing happens.
>>>
>>> I am not running iptables by the way.
>> iptables or some other NAT system is mandatory for getting the traffic
>> to an intercept port. Squid is fetching the TCP details from the kernel
>> NAT records and using that as the preferred destination on outbound
>> connections.
>>
>> As for the tutorial. It is broken in several major ways, which for an
>> 8-line example is remarkable in itself. Consider following the official
>> wiki configuration example instead:
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>>
>>
>> * The "transparent" option has been deprecated by "intercept" option
>> since 2010.
>>
>> * Using DNAT rules without matching SNAT rules prevents TCP reply
>> packets working at all. I'm not surprised half the comments are about it
>> "not working".
>>
>> * Having both REDIRECT and DNAT rules on the same box is overkill
>> anyway. DNAT is best for machines with a static IP address, REDIRECT for
>> machines with dynamically assigned IP address or if writing examples for
>> complete newbies.
>>
>> * Using port 3128 for the intercept port is a very BAD idea. There are
>> active attacks in the wild scanning for open proxy ports and intercept
>> without firewall protection on the port is ripe for attack. It should be
>> a secret port which you can firewall away from all access beyond the
>> machine itself. Only the NAT firewall and Squid need to use it.
>>
>>
>> HTH
>> Amos
Received on Sat Nov 30 2013 - 12:46:10 MST

This archive was generated by hypermail 2.2.0 : Sat Nov 30 2013 - 12:00:05 MST
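The two-port squid.conf layout Pavel describes, together with the REDIRECT-instead-of-DNAT and firewalled-intercept-port advice from Amos, as an added example that is not part of the thread or the Squid project. Assumed values: LAN interface eth1, forward-proxy port 3128, intercept port 3129 (pick any port the firewall hides); the checker reproduces the condition behind "No forward-proxy ports configured".

```shell
#!/bin/sh
# Added example, not from the thread or Squid itself.
# Assumptions: LAN interface eth1, forward port 3128, intercept port 3129.

# Print the http_port lines: one plain (forward-proxy) port plus one intercept port.
squid_ports_conf() {
  printf 'http_port %s\n' "$1"            # forward-proxy port, required even if unused
  printf 'http_port %s intercept\n' "$2"  # only NAT-redirected traffic arrives here
}

# Read a squid.conf on stdin and classify its http_port lines.
# Exit 0: at least one plain port and one intercept port (what Squid needs).
# Exit 1: intercept ports only (the "No forward-proxy ports configured" case).
# Exit 2: no intercept port at all (nothing would receive redirected traffic).
check_ports() {
  plain=0; icpt=0
  while read -r key port rest; do
    [ "$key" = http_port ] || continue
    case " $rest " in
      *' intercept '*|*' transparent '*) icpt=$((icpt + 1)) ;;
      *) plain=$((plain + 1)) ;;
    esac
  done
  [ "$icpt" -gt 0 ] || return 2
  [ "$plain" -gt 0 ] || return 1
  return 0
}

# Print the iptables rules (as text, so this runs offline):
#  - REDIRECT LAN port-80 traffic to the intercept port; unlike DNAT it needs
#    no matching SNAT rule, so TCP replies come back through the box.
#  - Only accept connections to the intercept port that the NAT rule actually
#    redirected (conntrack state DNAT) or that come from the box itself; drop
#    everything else, so proxy-port scanners never reach the intercept port.
nat_rules() {
  lan=$1; icpt=$2
  echo "iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-ports $icpt"
  echo "iptables -A INPUT -i lo -p tcp --dport $icpt -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport $icpt -m conntrack --ctstate DNAT -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport $icpt -j DROP"
}

squid_ports_conf 3128 3129
nat_rules eth1 3129
```

Run `check_ports < /etc/squid/squid.conf` before restarting Squid to catch the intercept-only mistake from the thread without waiting for the error in access.log.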