Hi Roberto,

On 23/07/2014 20:54, Roberto O. Fernández Crisial wrote:
> Hi guys,
>
> I hope you're doing fine. I'm trying to intercept HTTP requests on Squid 3.4.6 but I'm going crazy. Is there any http_port parameter change between 3.1.10 and 3.4.6? I have 3.1.10 working fine, here are the examples:
>
> IPTABLES CONFIGURATION (Global config)
>
> -A PREROUTING -s 10.1.0.0/16 -p tcp -m tcp --dport 80 -j DNAT --to-destination SQUIDIP:3129
>
> With Squid 3.1.10
>
> SQUID CONF
>
> http_port 3128 transparent
> http_port 3129 intercept
>
> START SQUID 3.1.10
>
> 2014/07/23 16:06:38| Accepting intercepted HTTP connections at 0.0.0.0:3128, FD 12.
> 2014/07/23 16:06:38| Accepting intercepted HTTP connections at 0.0.0.0:3129, FD 13.
>
> CURL
>
> curl http://www.ciudad.com.ar -x http://SQUIDIP:80
>
> STRACE
>
> accept(13, {sa_family=AF_INET, sin_port=htons(34330), sin_addr=inet_addr("10.1.100.158")}, [16]) = 9
> getsockname(9, {sa_family=AF_INET, sin_port=htons(3129), sin_addr=inet_addr("SQUIDIP")}, [16]) = 0
> connect(15, {sa_family=AF_INET6, sin6_port=htons(80), inet_pton(AF_INET6, "::ffff:200.42.143.77", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EINPROGRESS (Operation now in progress)
>
> STOP SQUID 3.1.10
>
> Now with Squid 3.4.6
>
> SQUID CONF
>
> http_port 3128
> http_port 3129 intercept
>
> START SQUID 3.4.6
>
> 2014/07/23 16:06:05| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 19 flags=9
> 2014/07/23 16:06:05| Accepting NAT intercepted HTTP Socket connections at local=[::]:3129 remote=[::] FD 20 flags=41
>
> CURL
>
> curl http://www.ciudad.com.ar -x http://SQUIDIP:80
>
> STRACE
>
> accept(20, {sa_family=AF_INET6, sin6_port=htons(34428), inet_pton(AF_INET6, "::ffff:10.1.100.158", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 8
> getsockname(8, {sa_family=AF_INET6, sin6_port=htons(3129), inet_pton(AF_INET6, "::ffff:SQUIDIP", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
> connect(10, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("SQUIDIP")}, 16) = -1 EINPROGRESS (Operation now in progress)
>
> STOP SQUID 3.4.6
>
> I see in Squid 3.4.6 the squid process tries to connect to itself on port 80. With Squid 3.1.10 it works fine (connects to remote server).
>
> Any ideas?
>
> Thank you all in advance.
>
> Best,

In my case I'm running v. 3.3.8, but I'm having the same issue as you. The packets are correctly DNATed from the client to the squid box, but once there, squid3 seems to try to connect to itself several times and keeps adding its 'visible_hostname' to the Via header, causing a forwarding loop.

I've followed these instructions to achieve it: http://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource

Recently, the document was updated to add a new iptables OUTPUT rule; you could try it and see if it works for you (it didn't work for me, though).

Regards,
Nicolás
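
Added example (not part of the original thread, and not Squid code): a small Python check that reads strace output like the traces quoted above and reports any outbound connect() whose destination is an address the proxy itself reported via getsockname(), after unwrapping IPv4-mapped IPv6 forms such as ::ffff:a.b.c.d. The function names are hypothetical, and the sample traces are constructed from the post with the SQUIDIP placeholder replaced by the documentation address 192.0.2.10.

```python
import ipaddress
import re

ADDR_RE = re.compile(r'(?:inet_addr\("|inet_pton\(AF_INET6, ")([^"]+)"')
PORT_RE = re.compile(r'sin6?_port=htons\((\d+)\)')
CALL_RE = re.compile(r'^(getsockname|connect)\(')


def endpoint(line):
    """Return (ip, port) from a strace sockaddr, unwrapping ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(ADDR_RE.search(line).group(1))
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip, int(PORT_RE.search(line).group(1))


def find_self_connects(strace_text):
    """Return connect() targets whose IP equals a local address reported by
    getsockname(), i.e. the proxy connecting back to itself."""
    local_ips, hits = set(), []
    for line in strace_text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue  # accept() and unrelated syscalls are not needed
        ip, port = endpoint(line)
        if m.group(1) == "getsockname":
            local_ips.add(ip)
        elif ip in local_ips:
            hits.append((str(ip), port))
    return hits


# Constructed samples: the traces from the post, with the SQUIDIP
# placeholder replaced by 192.0.2.10 (an assumption for illustration).
TRACE_3_1_10 = '''
accept(13, {sa_family=AF_INET, sin_port=htons(34330), sin_addr=inet_addr("10.1.100.158")}, [16]) = 9
getsockname(9, {sa_family=AF_INET, sin_port=htons(3129), sin_addr=inet_addr("192.0.2.10")}, [16]) = 0
connect(15, {sa_family=AF_INET6, sin6_port=htons(80), inet_pton(AF_INET6, "::ffff:200.42.143.77", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EINPROGRESS (Operation now in progress)
'''
TRACE_3_4_6 = '''
accept(20, {sa_family=AF_INET6, sin6_port=htons(34428), inet_pton(AF_INET6, "::ffff:10.1.100.158", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 8
getsockname(8, {sa_family=AF_INET6, sin6_port=htons(3129), inet_pton(AF_INET6, "::ffff:192.0.2.10", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
connect(10, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
'''

if __name__ == "__main__":
    print("3.1.10:", find_self_connects(TRACE_3_1_10))
    print("3.4.6: ", find_self_connects(TRACE_3_4_6))
```
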