When I have squid set to act as a normal proxy (http_port 3128) and set
my browser to use squid as a proxy, things work just fine.
When I set squid transparent (http_port 3128 intercept) and then
redirect normal outbound port 80 traffic to squid (with my browser
unaware that it's being proxied), squid goes through the three way
handshake process, gets my request, and dumps me:
$ curl -v http://www.darkmaze.org
* Adding handle: conn: 0x801c63600
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x801c63600) send_pipe: 1, recv_pipe: 0
* About to connect() to www.darkmaze.org port 80 (#0)
* Trying 66.199.250.235...
* Connected to www.darkmaze.org (66.199.250.235) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.31.0
> Host: www.darkmaze.org
> Accept: */*
>
* Empty reply from server
* Connection #0 to host www.darkmaze.org left intact
curl: (52) Empty reply from server
I compiled squid myself with the following parameters:
Squid Cache: Version 3.3.8
configure options: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--enable-internal-dns' '--disable-strict-error-checking'
'--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid'
'--localstatedir=/var' '--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid' '--disable-dependency-tracking'
'--enable-arp-acl' '--enable-follow-x-forwarded-for'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter'
'--enable-referer-log' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs'
'--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--with-aio'
'--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl'
'--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie'
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
'--enable-ecap' '--enable-http-violations'
'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig' --enable-ltdl-convenience
I tried gutting my acls to see if that might have an effect, but it did
not. Am I encountering some kind of bug, or merely doing something
colossally stupid? See config, below:
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow all
http_port 3128 intercept
#http_port 3128
coredump_dir /var/cache/squid
forwarded_for transparent
via off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320