On 13/08/2014 4:33 p.m., agent_js03 wrote:
> Hello,
>
> I am having trouble with my squid setup. Here is exactly what I am trying to
> do: I am setting up a VPN server and I want all VPN traffic to be
> transparently proxied by squid with ssl bumping enabled. Right now when I
> try to do this I get an access denied page from the client.
>
> Here are lines from my squid.conf:
>
> =================================================
> acl localnet src 192.168.1.0/24 # local network
> acl localnet src 192.168.3.0/24 # vpn network
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 192.168.1.145:3127 intercept
> http_port 192.168.1.145:3128 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> key=/etc/squid3/ssl/private.pem cert=/etc/squid3/ssl/public.pem
> always_direct allow all
> ssl_bump allow all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> =================================================
>
> Here are my iptables rules:
>
> =================================================
> sysctl -w net.ipv4.ip_forward=1
> iptables -F
> iptables -t nat -F
>
> # transparent proxy for vpn
> iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j DNAT
> --to-destination 192.168.1.145:3127
> iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 443 -j DNAT
> --to-destination 192.168.1.145:3128
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> iptables --table nat --append POSTROUTING --out-interface ppp+ -j MASQUERADE
> iptables -I INPUT -s 192.168.3.0/24 -i ppp+ -j ACCEPT
> iptables --append FORWARD --in-interface eth0 -j ACCEPT
>
> =================================================
>
>
> When I connect to VPN and try to browse the web I get the following error in
> /etc/squid3/cache.log on the vpn server:
>
> 2014/08/12 21:21:02 kid1| ERROR: No forward-proxy ports configured.
> 2014/08/12 21:21:02 kid1| WARNING: Forwarding loop detected for:
> GET /Artwork/SN.png HTTP/1.1
> Host: www.squid-cache.org
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101
> Firefox/30.0
> Accept: image/png,image/*;q=0.8,*/*;q=0.5
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://www.google.com/
> Via: 1.1 localhost (squid/3.2.11)
> X-Forwarded-For: 127.0.0.1
> Cache-Control: max-age=259200
> Connection: keep-alive
>
>
> 2014/08/12 21:21:02 kid1| ERROR: No forward-proxy ports configured.
>
>
>
> I am wondering about this error "No forward-proxy ports configured." What do
> I need to change about my squid.conf that would allow me to do transparent
> proxying?

1) "ERROR: No forward-proxy ports configured."

This is getting to be a FAQ. I've added a wiki page about it.
http://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts

2) "WARNING: Forwarding loop detected for:"

This is a side effect of the above problem. Forwarding loop fetching the
error page artwork directly from an intercept port.

Amos
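As an added illustration of the fix Amos points to (this is not part of the thread and not from the Squid project), here is the poster's squid.conf with the one thing it lacked: a plain http_port line with no intercept or ssl-bump flag. Squid uses such a forward-proxy port as the origin of its own internal requests (error-page artwork like /Artwork/SN.png, cache-manager URLs); with only intercept ports defined it has nowhere to send them, logs the error, and the artwork fetch loops back through the intercept port. The port number 3129 and the loopback bind are assumptions chosen here, since 3128 is already taken by the intercept ssl-bump port in the original; any free port works.

```conf
# Added example, not the thread's own config: poster's squid.conf plus one
# forward-proxy port. Port 3129 and the 127.0.0.1 bind are assumptions.

acl localnet src 192.168.1.0/24 # local network
acl localnet src 192.168.3.0/24 # vpn network
http_access allow localnet
http_access allow localhost
http_access deny all

# The missing piece: a non-intercept port. No client needs to be pointed at
# it; Squid builds internal URLs (error pages, artwork, cachemgr) against it.
# Bound to loopback so it is only reachable from the proxy host itself, which
# is where the internal fetches originate (Via: localhost, XFF: 127.0.0.1).
http_port 127.0.0.1:3129

# Intercept ports exactly as before; the iptables DNAT rules still target them.
http_port 192.168.1.145:3127 intercept
http_port 192.168.1.145:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/ssl/private.pem cert=/etc/squid3/ssl/public.pem

always_direct allow all
ssl_bump allow all

# Unchanged from the thread. Together these make Squid accept any upstream
# certificate, so bumped clients no longer get server authentication from TLS.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
```

Check the file with `squid3 -k parse` before reloading; after `squid3 -k reconfigure`, the "No forward-proxy ports configured" line should stop appearing in cache.log, and with it the forwarding-loop warning for the artwork request.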