Re: Squid Transparent/intercept Issues

One more thing,
Does this imply using two NICs (Network Interface Cards)?
And the squid server has to be in-between clients and the internet?

Regards




On Tue, Mar 21, 2017 at 5:29 PM, christian brendan <bosscb.chrisbren@xxxxxxxxx> wrote:
Thanks a lot for the information.
I will try this and give feedback.
Best Regards

On Tue, Mar 21, 2017 at 1:00 PM, <squid-users-request@lists.squid-cache.org> wrote:
Today's Topics:

   1. Re: Squid Transparent/intercept Issues (Antony Stone)


----------------------------------------------------------------------

Message: 1
Date: Tue, 21 Mar 2017 12:12:01 +0100
From: Antony Stone <Antony.Stone@xxxxxxxxxx.source.it>
To: squid-users@lists.squid-cache.org
Subject: Re: Squid Transparent/intercept Issues
Message-ID: <201703211212.01346.Antony.Stone@xxxxxxxxxxxxxxxxxxxx>
Content-Type: Text/Plain;  charset="utf-8"

On Tuesday 21 March 2017 at 12:00:05, christian brendan wrote:

> > Today's Topics:
> >    1. Re: Squid Transparent/intercept Issues (Antony Stone)
> >    2. Re: SMP and AUFS (Matus UHLAR - fantomas)
> >    3. Re: SMP and AUFS (Alex Rousskov)
> >    4. Re: squid workers question (Alex Rousskov)
> >    5. Re: squid workers question (Matus UHLAR - fantomas)
> >    6. Re: SSL Bump issues (Alex Rousskov)
> >    7. blocking or allowing specific youtube videos (Sohan Wijetunga)

Please edit your reply when responding to a digest email, deleting everything
not specific to your question.

> > Date: Mon, 20 Mar 2017 16:56:17 +0100
> > From: Antony Stone
> > To: squid-users@lists.squid-cache.org
> > Subject: Re: Squid Transparent/intercept Issues
> >
> > On Monday 20 March 2017 at 16:26:40, christian brendan wrote:
> > > Hello Everyone,
> > >
> > > Squid Cache: Version 3.5.20
> > > OS: CentOS 7
> > >
> > > I have used squid for quite some time non-transparently and it works;
> > > the problem kicks in when: http_port 3128 transparent is enabled.
> > > Access denied error page shows up when transparent is enabled
> > > ERROR: The requested URL could not be retrieved
> >
> > How are you getting the packets to the Squid server for interception?
> >
> > Is the Squid server in the default route between your clients and the
> > Internet, or are you redirecting the packets to the Squid server somehow?
> >
> > Please give *details* of how you are intercepting and sending the packets
> > to Squid (eg: iptables rules, and which machine/s the rules are running
> > on).
> >
> >
> > Antony.

> @Antony.Stone
> 1. I am using mikrotik routerboard to redirect traffic, with this rule:
> dd action="" chain=dstnat comment="Redirect port 80 to SquidProxy"
> dst-port=80 protocol=tcp \ src-address=10.24.7.100 to-addresses=10.24.7.101
> to-ports=3128

Okay, so there's your problem, then.

You must not use DSTNAT on a separate router to send packets to Squid for
intercept.

(This used to work in older versions of Squid, but does not work any more and
is documented on the wiki, for example at
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat )

Note the wording: "NOTE: This configuration is given for use on the squid box."
That means the NAT rules *must* be running on the Squid box itself and not (in
your case) on the Mikrotik router.

> 3. It is not in the default route; packets are being redirected.

In that case you need to use policy routing to get the packets *unchanged* to
the Squid box - see the above link, and also
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

> 4. There are no iptables rules, firewall is disabled for this test.

You have to have a REDIRECT rule on the machine running Squid to get it to see
the packets (once they are no longer being DNATted).

Please try to follow the guidelines at
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat and
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute and
then come back to us with details of what you've tried, if there are still
problems.


Regards,


Antony.

--
A user interface is like a joke.
If you have to explain it, it didn't work.

                                                   Please reply to the list;
                                                         please *don't* CC me.


------------------------------

Subject: Digest Footer

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


------------------------------

End of squid-users Digest, Vol 31, Issue 61
*******************************************
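
The layout described in the reply above, as an added example that is not part of the thread or of the Squid wiki: the router policy-routes port-80 packets to the Squid box with their destination address unchanged, and the REDIRECT rule runs on the Squid box itself. It assumes a Linux router (the thread's router is a MikroTik, which needs the equivalent mark-and-route rules in its own syntax), client-facing interface eth1, intercept port 3129, firewall mark 2 and routing table 100; only the address 10.24.7.101 comes from the thread.

```shell
#!/bin/sh
# Added example. Prints the commands (dry run) unless APPLY=1 is set.
# Usage: sh intercept.sh squid    (on the Squid box)
#        sh intercept.sh router   (on an assumed Linux router)
# squid.conf on the Squid box needs a matching listener:
#   http_port 3129 intercept

SQUID_IP=10.24.7.101   # Squid box address, from the thread
INTERCEPT_PORT=3129    # assumed port, used only for intercepted traffic
CLIENT_IF=eth1         # assumed client-facing interface on the router
FWMARK=2               # assumed firewall mark
RT_TABLE=100           # assumed routing table number

# Run the command when APPLY=1, otherwise just print it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Rules for the Squid box: the NAT step happens here, so the original
# destination of each connection is still known on this machine.
squid_box_rules() {
    # Squid's own outbound port-80 traffic must not be redirected back in.
    run iptables -t nat -A PREROUTING -s "$SQUID_IP" -p tcp --dport 80 -j ACCEPT
    run iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports "$INTERCEPT_PORT"
    # mangle runs before nat: this drops connections made directly to the
    # intercept port, while redirected ones (dport 80 at this stage) pass.
    run iptables -t mangle -A PREROUTING -p tcp --dport "$INTERCEPT_PORT" -j DROP
}

# Rules for the router: mark and route only, no address rewriting.
router_rules() {
    # Let Squid's own requests go out to the Internet unmarked.
    run iptables -t mangle -A PREROUTING -s "$SQUID_IP" -p tcp --dport 80 -j ACCEPT
    run iptables -t mangle -A PREROUTING -i "$CLIENT_IF" -p tcp --dport 80 -j MARK --set-mark "$FWMARK"
    # Marked packets use a table whose default route is the Squid box.
    run ip rule add fwmark "$FWMARK" table "$RT_TABLE"
    run ip route add default via "$SQUID_IP" table "$RT_TABLE"
}

case "${1:-}" in
    squid)  squid_box_rules ;;
    router) router_rules ;;
esac
```
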