Bruno,
Yes, there is; This was also my first guess, but according to similar questions in forums and such, access.log lists such cases as TCP_DENIED/403 rather than TCP_MISS/403.
I've also tried removing the ACL entry after your message, and indeed the message changes to TCP_DENIED/403. So it's unlikely for it to be an ACL related issue.
Ty.
2016-07-20 17:08 GMT-03:00 Bruno de Paula Larini <bruno.larini@xxxxxxxxxxxxxx>:
Just a basic question: is there an ACL allowing your hosts in squid.conf? Squid will promptly answer with a 403 error otherwise.
Em 20/07/2016 16:42, Guilherme Scaglia escreveu:
Hi.
I've being trying to setup a local squid server on my home LAN to cache HTTP (not HTTPS) pages. I want to avoid any client configuration, so I'm aiming for a transparent proxy - with squid in intercept mode.
In my network setup, the squid server is inside the LAN together with its clients, and not siting between the clients and the router/modem like all guides assume. Furthermore, requests originating from the same machine where squid is running should be cached as well.
I've setup squid inside a docker container, on a fedora 24 image. The squid version is 3.5.19. On squid.conf I've added a new http_port line, for port 8080 with the intercept flag:http_port 8080 intercept
My router is a Mikrotik router board, so it's trivial to setup a DNAT rule to redirect all TCP requests to the squid server. To avoid forward loops, I've marked all packets originating from squid with DSCP 4 using iptables rules, and excluded those from the DNAT rule on the router. I've tested this by running wget requests from inside the docker container, and those went by without any redirection.
Now comes the problem:When any of the redirected requests reach squid, squid will reply instantly with TCP_MISS/403. Since all traffic from the squid machine is marked with a specific DSCP, it's also easy to see squid made no requests to the outside world before giving that reply. Running tcpdump on the host machine shows no other packets are being sent other than the 403 reply.
What's happening? why doesn't squid tries to fetch the request pages at all?
From my understanding, my setup is roughly equivalent to http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat, only the DNAT is happening outside the squid box; There is no reason this should interfere with anything.
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute seens to recommend routing without DNAT; This seems weird, as the only way I can see this working is if the squid machine accepted packets to any address as their own.
TL;DR:When running squid in intercept mode, inside a docker container, routing traffic to it through dst-nat rules on a external router, squid will reply with '403 forbidden' to all requests. Access.log lists TCP_MISS/403, but tcpdump indicates that squid is never trying to query the requested page at all.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users