On 11/30/2013 03:33 PM, Monah Baki wrote:
Hi Amos,
Thanks for the explanation. I switched to intercept, yet once I restart
squid I am still seeing the "No forward proxy ports configured".
The same machine later on will also be running iptables since it has 2
NICs in it.
You need both one 'intercept' and one 'forward proxy' port in config
even if you don't use forward proxy:
http_port 3129
http_port 3128 intercept
Monah
On Sat, Nov 30, 2013 at 4:56 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 30/11/2013 10:26 a.m., Monah Baki wrote:
Hi all,
I'm trying to setup a transparent proxy squid 3.3.9 using the following URL:
http://www.broexperts.com/2013/03/squid-as-transparent-proxy-on-centos-6-4/
What's the difference between
http_port 3128 transparent
The above expects all arriving traffic to be in HTTP port 80 origin
server format. Used for receiving intercept-proxy traffic.
Also, the TCP level details are assumed to have passed through some form
of NAT system and need to be un-NAT'd before use. In Squid since 3.2 if
the original TCP details are not found in the NAT records some
restrictions are placed on what happens with the request and response.
and
http_port 3128
This one expects all arriving traffic to be an HTTP proxy format. Used
for receiving forward-proxy traffic.
If I were to configure with http_port 3128 transparent and restart
squid I get in my access.log file:
ERROR: No forward-proxy ports configured.
If I were to then browse, nothing happens.
I am not running iptables by the way.
iptables or some other NAT system is mandatory for getting the traffic
to an intercept port. Squid is fetching the TCP details from the kernel
NAT records and using that as the preferred destination on outbound
connections.
As for the tutorial. It is broken in several major ways. Which for a
8-line example is remarkable in itself. Consider following the official
wiki configuration example instead
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
* The "transparent" option has been deprecated by "intercept" option
since 2010.
* Using DNAT rules without matching SNAT rules prevents TCP reply
packets working at all. I'm not surprised half the comments are about it
"not working".
* Having both REDIRECT and DNAT rules on the same box is overkill
anyway. DNAT is best for machines with a static IP address, REDIRECT for
machines with dynamically assigned IP address or if writing examples for
complete newbies.
* Using port 3128 for the intercept port is a very BAD idea. There are
active attacks in the wild scanning for open proxy ports and intercept
without firewall protection on the port is ripe for attack. It should be
a secret port which you can firewall away from all access beyond the
machine itself. Only the NAT firewall and Squid need to use it.
HTH
Amos
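An added example, not from this thread or from the Squid project, that puts Amos's points together for Monah's case (Squid running on the same two-NIC box that does the NAT): the two http_port lines, the iptables rules using REDIRECT rather than DNAT, the intercept port kept unpublished and dropped from the network before NAT, and a small lint that reproduces the "No forward-proxy ports configured" startup check against a squid.conf. Interface names (eth0/eth1), the LAN range 192.168.1.0/24 and the port numbers 3128/3129 are assumptions; the rules are printed, not applied, so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project). Assumed values:
# eth1 faces the LAN, eth0 faces the Internet, LAN is 192.168.1.0/24,
# 3128 is the forward-proxy port, 3129 the (unpublished) intercept port.
set -e

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
FWD_PORT="${FWD_PORT:-3128}"      # forward-proxy port, may be given to browsers
ICPT_PORT="${ICPT_PORT:-3129}"    # intercept port: only the NAT and Squid use it

# Emit the http_port lines. Squid needs a plain forward-proxy port even when
# only interception is used; without it it logs
# "ERROR: No forward-proxy ports configured."
squid_ports() {
  printf 'http_port %s\n' "$FWD_PORT"
  printf 'http_port %s intercept\n' "$ICPT_PORT"
}

# Emit the firewall rules as text. REDIRECT is used instead of DNAT because
# Squid is on the router itself: the destination becomes a local address, so
# replies need no SNAT. The mangle PREROUTING DROP runs before nat PREROUTING,
# so only packets the REDIRECT rewrote (still dport 80 at that point) ever
# reach the intercept port; locally generated traffic uses OUTPUT and is unaffected.
iptables_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t mangle -A PREROUTING -p tcp --dport $ICPT_PORT -j DROP
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $ICPT_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $FWD_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $FWD_PORT -j DROP
EOF
}

# Lint a squid.conf: succeed only if it has at least one intercept-mode port
# and at least one plain (forward-proxy) port, mirroring the startup check
# whose error message appears in the thread.
check_squid_conf() {
  conf="$1"
  [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
  icpt=$(grep -E '^[[:space:]]*http_port[[:space:]]' "$conf" \
         | grep -Ec '[[:space:]](intercept|transparent)([[:space:]]|$)' || true)
  fwd=$(grep -E '^[[:space:]]*http_port[[:space:]]' "$conf" \
        | grep -Evc '[[:space:]](intercept|transparent|tproxy|accel)([[:space:]]|$)' || true)
  if [ "$icpt" -eq 0 ]; then echo "no intercept port configured"; return 1; fi
  if [ "$fwd" -eq 0 ]; then echo "ERROR: No forward-proxy ports configured."; return 1; fi
  echo "ok: $fwd forward-proxy port(s), $icpt intercept port(s)"
  return 0
}

# Demonstration on constructed configs: the broken one from the thread
# (intercept only) and the fixed two-port one.
tmp=$(mktemp)
printf 'http_port 3128 transparent\n' > "$tmp"
check_squid_conf "$tmp" || echo "(the situation reported in the thread)"
squid_ports > "$tmp"
check_squid_conf "$tmp"
rm -f "$tmp"

squid_ports
iptables_rules
```

Review the printed rules, then apply them as root (for example `iptables_rules | sh`) and add the two http_port lines to squid.conf; the lint can be run against the live file before restarting Squid.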