On Mon, 22 Jun 2009 15:11:28 +0100, Adam Jackson <adamjacksonuk@xxxxxxxxx> wrote: > On Mon, Jun 22, 2009 at 12:24 PM, Amos Jeffries > <squid3@xxxxxxxxxxxxx>wrote: > >> Adam Jackson wrote: >> >>> Hi Squid users, >>> >>> I'm trying to set Squid up to function as a transparent proxy without >>> success. I've got Squid 3 stable release 16. I'm running as root with >>> the cache_effective_user as squid (the owner of the squid directories >>> is squid). >>> >>> I've setup iptables so that port 80 traffic gets sent to 3128 where >>> the client connects >>> >>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT >>> --to-port 3128 >>> >>> Firefox reports that the proxy refused connection. tcpdump indicates >>> that the proxy does receive some packets on 3128 and there are no >>> other obstructive firewall rules. I don't know a great deal about >>> iptables but should I also have a rule that sends requests received on >>> 3128 out of port 80 to the requested web server? The rule above only >>> redirects retrieved pages, if I understand correctly? >>> >>> >> There are a minimum of 3 iptables rules for interception... >> >> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect >> >> >> >>> Here is my squid.conf: >>> >>> acl manager proto cache_object >>> acl localhost src 127.0.0.1/32 >>> acl to_localhost dst 127.0.0.0/8 >>> #client IP below >>> acl localnet src 10.112.0.221/32 # RFC1918 possible internal network >>> >> >> This being the actual IP of the one and only host you are sending >> requests >> from. right? > > ** yes 1 and only host *** > >> >> >> acl SSL_ports port 443 >>> acl Safe_ports port 80 # http >>> acl Safe_ports port 21 # ftp >>> acl Safe_ports port 443 # https >>> acl Safe_ports port 70 # gopher >>> acl Safe_ports port 210 # wais >>> acl Safe_ports port 1025-65535 # unregistered ports >>> acl Safe_ports port 280 # http-mgmt >>> acl Safe_ports port 488 # gss-http >>> acl Safe_ports port 591 # filemaker >>> acl Safe_ports port 777 # multiling http >>> acl CONNECT method CONNECT >>> >>> http_access allow manager localhost >>> http_access deny manager >>> http_access deny !Safe_ports >>> http_access deny CONNECT !SSL_ports >>> http_access deny to_localhost >>> >>> http_access allow localnet >>> >>> http_access deny all >>> >>> icp_access allow localnet >>> icp_access deny all >>> >>> htcp_access allow localnet >>> htcp_access allow all >>> >>> http_port 3128 transparent >>> >>> hierarchy_stoplist cgi-bin ? >>> >>> access_log /usr/local/squid/var/logs/access.log squid >>> >>> refresh_pattern ^ftp: 1440 20% 10080 >>> refresh_pattern ^gopher: 1440 0% 1440 >>> refresh_pattern (cgi-bin|\?) 0 0% 0 >>> refresh_pattern . 0 20% 4320 >>> >>> cache_effective_user squid >>> >>> icp_port 3130 >>> >>> coredump_dir /usr/local/squid/var/cache >>> >>> >>> >>> Thanks. >>> >> >> Amos >> -- >> Please be using >> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16 >> Current Beta Squid 3.1.0.8 > > > Hi Amos, > > Thanks for the reply. Following the iptables instructions you pointed to > results in: > Not found > > The requested URL /ConfigExamples/Intercept/LinuxRedirect was not found on > this server. > I seem to remember reading that in older versions of squid this occurred > if > an option for dealing with headers wasn't active, but this has been > superseded by 'transparent' keyword in squid 3.0? Correct memory. But resolved in the very early releases. Your config of: ... -j REDIRECT --to-port 3128 ... http_port 3128 transparent Should be working. (Though personally I'd use a different random port to reduce normal proxy requests coming into it). So it looks like the packets are getting to Squid. Where something has gone completely awry :( Amos
