Hey,

What is the full ICAP server request and response?
You need to use a 302 redirect for what you want to work.

Eliezer

On 08/15/2014 02:32 PM, agent_js03 wrote:
> I upgraded to squid 3.3.8 with the same config and iptables and everything now works. I guess intercept just doesn't work with squid 3.2.
>
> However now I am having a different issue. I am running a content filter that interfaces with squid through ICAP. I have a blockpage running on the same box at 192.168.1.145:8089 (192.168.1.145 is the IP of the proxy server). If I try to access blocked content from my client, then the ICAP will do a reqmod and change the url to:
>
> http://192.168.1.145:8089/blockpage.php?arg1=val1&arg2=val2 etc.
>
> This worked flawlessly when I had my browser configured to point directly to the proxy server. But now I am using transparent proxying I have different behavior: if I access blocked content, on the client side I get a "connection reset by peer" error (104) and on the server in the access.log I get a TCP_MISS/502 line.
>
> I am wondering why this would be any different with transparent proxying. Based on my configuration, do you think this is a problem with my access control in squid.conf or is it a problem with iptables?
>
> Here is my configuration again:
>
> *squid.conf*
>
> acl localnet src 192.168.1.0/24 # local network
> acl localnet src 192.168.3.0/24 # vpn network
> http_access allow localnet
> http_access allow localhost
> http_access none all
> http_port 3128
> http_port 3129 intercept
> http_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/ssl/private.pem cert=/etc/squid3/ssl/public.pem
> always_direct allow all
> ssl_bump server-first all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> *iptables*
>
> sysctl -w net.ipv4.ip_forward=1
> iptables -F
> iptables -t nat -F
> # transparent proxy for vpn
> iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j REDIRECT --to-ports 192.168.1.145:3128
> iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 443 -j REDIRECT --to-ports 3128
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables --table nat --append POSTROUTING --out-interface ppp+ -j MASQUERADE
> iptables -I INPUT -s 192.168.3.0/24 -i ppp+ -j ACCEPT
> iptables --append FORWARD --in-interface eth0 -j ACCEPT
>
> Thanks for all the help.
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/HTTP-HTTPS-transparent-proxy-doesn-t-work-tp4667193p4667229.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
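
What the 302 suggested in the reply looks like at the ICAP level, as an added example that is not part of the original thread or of either poster's filter: per RFC 3507 a REQMOD service may answer with an encapsulated HTTP response instead of a modified request. The function names, the ISTag value and the hostile `arg2` sample are constructed; the block page URL and the `arg1`/`arg2` names are the ones quoted above.

```python
from urllib.parse import urlencode

CRLF = "\r\n"

def build_block_redirect(blockpage, params, istag="example-1"):
    """ICAP reply to a REQMOD request: an encapsulated HTTP 302, no body."""
    # Values the filter itself configures must not carry CR/LF into headers.
    if any(c in blockpage + istag for c in "\r\n"):
        raise ValueError("CR/LF in header value")
    # urlencode() percent-encodes client-controlled values (e.g. the blocked
    # URL), so they cannot inject extra header lines into the 302.
    location = blockpage + "?" + urlencode(params)
    http = CRLF.join([
        "HTTP/1.1 302 Found",
        "Location: " + location,
        "Cache-Control: no-store",
        "Content-Length: 0",
    ]) + CRLF + CRLF
    http_bytes = http.encode("ascii")
    # Encapsulated offsets count bytes from the start of the encapsulated
    # section: HTTP response headers at 0, "no body" marker right after them.
    icap = CRLF.join([
        "ICAP/1.0 200 OK",
        'ISTag: "%s"' % istag,
        "Encapsulated: res-hdr=0, null-body=%d" % len(http_bytes),
    ]) + CRLF + CRLF
    return icap.encode("ascii") + http_bytes

def split_icap_reply(reply):
    """Parse a reply the way an ICAP client would, to check the offsets."""
    head, _, rest = reply.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split(CRLF)
    headers = dict(line.split(": ", 1) for line in lines[1:])
    offsets = {k: int(v) for k, v in
               (p.strip().split("=") for p in headers["Encapsulated"].split(","))}
    http_lines = rest[offsets["res-hdr"]:offsets["null-body"]].decode("ascii").split(CRLF)
    location = next(l[len("Location: "):] for l in http_lines if l.startswith("Location: "))
    return {"icap_status": lines[0], "http_status": http_lines[0],
            "location": location, "trailing": len(rest) - offsets["null-body"]}

# Constructed sample: arg2 carries a CR/LF header-injection attempt.
SAMPLE = build_block_redirect(
    "http://192.168.1.145:8089/blockpage.php",
    {"arg1": "val1", "arg2": "http://blocked.example/\r\nSet-Cookie: x=1"})

if __name__ == "__main__":
    print(SAMPLE.decode("ascii"))
```
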