Greetings,

I'm trying to set up a transparent proxy on Squid 3.3.8, Ubuntu Trusty 14.04, from the official APT repository. All boxes, including the Squid box, are under the same router, but the squid box is on a different server than the clients. It seems that for some reason the configuration on the squid3 box side is missing something, as a forwarding loop is produced.

This is the configuration of the squid3 box:

visible_hostname squidbox.localdomain.com
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow all
http_port 3128 intercept
http_port 0.0.0.0:3127

This rule has been added to the clients' boxes:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:3128

192.168.1.100 corresponds to the squid3 box. In the log below 192.168.1.20 is one of the clients.

2014/08/06 15:13:05| Starting Squid Cache version 3.3.8 for x86_64-pc-linux-gnu...
2014/08/06 15:13:27.900| client_side.cc(2316) parseHttpRequest: HTTP Client local=192.168.1.100:3128 remote=192.168.1.20:54341 FD 8 flags=33
2014/08/06 15:13:27.901| client_side.cc(2317) parseHttpRequest: HTTP Client REQUEST:
---------
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PREF=ID=119a6e25e6eccb3b:U=95e37afd611b606e:FF=0:TM=1404500940:LM=1404513627:S=r7E-Xed2muOOp-ay; NID=67=M5geOtyDtp5evLidOfam1uzfhl6likehxjXo7KcamK8c5jXptfx9zJc-5L7jhvYvnfTvtXYJ3yza7cE8fRq2x0iyVEHN9Pn2hz9urrC_Qt_xNH6IQCoT-3-eXTwb2h4f; OGPC=5-25:
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
----------
2014/08/06 15:13:27.902| http.cc(2204) sendRequest: HTTP Server local=192.168.1.100:43140 remote=192.168.1.100:3128 FD 11 flags=1
2014/08/06 15:13:27.902| http.cc(2205) sendRequest: HTTP Server REQUEST:
---------
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PREF=ID=119a6e25e6eccb3b:U=95e37afd611b606e:FF=0:TM=1404500940:LM=1404513627:S=r7E-Xed2muOOp-ay; NID=67=M5geOtyDtp5evLidOfam1uzfhl6likehxjXo7KcamK8c5jXptfx9zJc-5L7jhvYvnfTvtXYJ3yza7cE8fRq2x0iyVEHN9Pn2hz9urrC_Qt_xNH6IQCoT-3-eXTwb2h4f; OGPC=5-25:
Via: 1.1 squidbox.localdomain.com (squid/3.3.8)
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
----------
2014/08/06 15:13:27.902| client_side.cc(2316) parseHttpRequest: HTTP Client local=192.168.1.100:3128 remote=192.168.1.100:43140 FD 13 flags=33
2014/08/06 15:13:27.902| client_side.cc(2317) parseHttpRequest: HTTP Client REQUEST:
---------
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PREF=ID=119a6e25e6eccb3b:U=95e37afd611b606e:FF=0:TM=1404500940:LM=1404513627:S=r7E-Xed2muOOp-ay; NID=67=M5geOtyDtp5evLidOfam1uzfhl6likehxjXo7KcamK8c5jXptfx9zJc-5L7jhvYvnfTvtXYJ3yza7cE8fRq2x0iyVEHN9Pn2hz9urrC_Qt_xNH6IQCoT-3-eXTwb2h4f; OGPC=5-25:
Via: 1.1 squidbox.localdomain.com (squid/3.3.8)
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
----------
2014/08/06 15:13:27.903| client_side.cc(1377) sendStartOfMessage: HTTP Client local=192.168.1.100:3128 remote=192.168.1.100:43140 FD 13 flags=33
2014/08/06 15:13:27.903| client_side.cc(1378) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 403 Forbidden
Server: squid/3.3.8
Mime-Version: 1.0
Date: Fri, 18 Jul 2014 10:33:27 GMT
Content-Type: text/html
Content-Length: 3932
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en-US
X-Cache: MISS from squidbox.localdomain.com
X-Cache-Lookup: MISS from squidbox.localdomain.com:3127
Via: 1.1 squidbox.localdomain.com (squid/3.3.8)
Connection: keep-alive
----------
2014/08/06 15:13:27.903| ctx: enter level 0: 'http://www.google.com/'
2014/08/06 15:13:27.903| http.cc(761) processReplyHeader: HTTP Server local=192.168.1.100:43140 remote=192.168.1.100:3128 FD 11 flags=1
2014/08/06 15:13:27.903| http.cc(762) processReplyHeader: HTTP Server REPLY:
---------
*Access denied page*

Squid3 is trying to connect to itself, why? No other iptables rules are added on either the client or the server side. What could be causing this loop?

James
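
Added example, not part of the original post: the loop is visible in the log as an "HTTP Server" connection whose remote endpoint is Squid's own listening address (192.168.1.100:3128), which then reappears as a new "HTTP Client". The Python sketch below flags that pattern in debug output of this shape; the function name and regular expression are this example's own.

```python
import re

# Connection lines copied from the log in the post (request bodies omitted).
SAMPLE_LOG = """\
2014/08/06 15:13:27.900| client_side.cc(2316) parseHttpRequest: HTTP Client local=192.168.1.100:3128 remote=192.168.1.20:54341 FD 8 flags=33
2014/08/06 15:13:27.902| http.cc(2204) sendRequest: HTTP Server local=192.168.1.100:43140 remote=192.168.1.100:3128 FD 11 flags=1
2014/08/06 15:13:27.902| client_side.cc(2316) parseHttpRequest: HTTP Client local=192.168.1.100:3128 remote=192.168.1.100:43140 FD 13 flags=33
"""

# Matches the "HTTP Client" / "HTTP Server" connection lines of the debug output.
CONN_RE = re.compile(
    r"^(?P<ts>\S+ \S+?)\| \S+ (?P<func>\w+): HTTP (?P<side>Client|Server) "
    r"local=(?P<local>\S+) remote=(?P<remote>\S+) FD \d+"
)


def find_self_connections(log_text):
    """Flag outbound requests whose peer is one of Squid's own listeners."""
    listeners = set()     # local endpoints of accepted client connections
    client_peers = set()  # remote endpoints of accepted client connections
    outbound = []         # (timestamp, local, remote) of requests Squid sent
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        if m["side"] == "Client":
            listeners.add(m["local"])
            client_peers.add(m["remote"])
        elif m["func"] == "sendRequest":
            outbound.append((m["ts"], m["local"], m["remote"]))
    findings = []
    for ts, local, remote in outbound:
        if remote in listeners:
            findings.append({
                "time": ts,
                "outbound": f"{local} -> {remote}",
                # True when the same socket shows up again as a "client".
                "reentered": local in client_peers,
            })
    return findings


if __name__ == "__main__":
    for finding in find_self_connections(SAMPLE_LOG):
        print(finding)
```

A hit means the destination Squid used for the intercepted request was its own listener, which is consistent with the address having already been rewritten to 192.168.1.100:3128 by the DNAT rule on the client before the connection reached the Squid box.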