New Squid Server 3.5.20 on Centos 7 - Trying to redirect local web access to Port 80 on Linux Servers with iptables to Squid Server with http_port intercept

Hi Squid Jedis,

I am just a little stuck trying to replace an old Squid 3.1.23 Server on Centos 6 that I use to redirect local web access to port 80 on Linux servers to the Squid Server.

On my Squid 3.1.23 Server on Centos 6 I use http_port 3128 in transparent mode, and on my Linux server clients I use iptables to redirect web traffic as below (this config works):

Squid Server 3.1.23 :

[root@leli squid]# cat squid.conf | egrep -v "^#|^$"
acl default_ip req_header x-forward -i "/ipt/SQUID/default/ip"
acl default_url dstdom_regex -i "/ipt/SQUID/default/url"
acl default_ip2 srcdom_regex -i "/ipt/SQUID/default/ip"
http_access allow default_ip default_url
acl endereco  req_header x-forward -i "/ipt/SQUID/libera/ip"
http_access allow endereco
acl all_ip req_header x-forward -i "/ipt/SQUID/all/ip"
acl all_url dstdom_regex -i "/ipt/SQUID/all/url"
acl all_ip2 srcdom_regex -i "/ipt/SQUID/all/ip"
http_access allow all_url
acl all src all
acl manager proto cache_object
acl from_localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl GIT_PORT port 9418         # git
acl CONNECT method CONNECT
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 21 # ftp
acl GIT_PORT2 port 9418 # git
http_access allow manager from_localhost
http_access deny manager
http_access allow GIT_PORT2
http_access deny !Safe_ports
http_access allow CONNECT GIT_PORT
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow from_localhost
http_access deny all
http_port 3128 transparent
https_port 3129 transparent intercept cert=/ipt/SQUID/https/squid.crt key=/ipt/SQUID/https/squid.key
hierarchy_stoplist cgi-bin ?
emulate_httpd_log on
logformat squid %tg %6tr %>a %{x-forward}>h %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /var/log/squid/access.log squid
access_log syslog:local0.info  squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid
acl QUERY urlpath_regex .*
cache deny QUERY
acl apache rep_header Server ^Apache
acl FS_TESTE srcdom_regex -i "/ipt/SQUID/puppet/ip2"
cache_mgr tecnologiaseguranca@xxxxxxxxxxxxxxx
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/spool/squid
maximum_object_size 0 KB
minimum_object_size 0 KB
no_cache deny all
deny_info 172.20.63.73 webapp_ip

[root@leli ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 46M packets, 3068M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 4581K packets, 276M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4581K packets, 276M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@leli ~]#

Linux Server Clients (CentOS 5, 6 and 7):

[root@montana rules]# cat proxy2.sh
#!/bin/bash
# Redirect this host's own outbound web traffic (locally generated, so the
# nat OUTPUT chain) to the Squid server at 10.240.68.68:3128.

IPTBIN=$(which iptables)

# Start from an empty nat table: flush every chain, then delete user chains
$IPTBIN -t nat -F
$IPTBIN -t nat -X

#SQUID
# filter table (not nat): accept locally generated packets from 10.240.68.68:3128
$IPTBIN -A OUTPUT -s 10.240.68.68 -p tcp --sport 3128 -j ACCEPT

#PROXY
# nat table: send outbound TCP 80 and 443 through PROXYSQUID, which lets
# private/local destinations pass untouched and DNATs everything else to Squid
$IPTBIN -t nat -N PROXYSQUID
$IPTBIN -t nat -A OUTPUT -p tcp --dport 80 -j PROXYSQUID
$IPTBIN -t nat -A OUTPUT -p tcp --dport 443 -j PROXYSQUID
$IPTBIN -t nat -A PROXYSQUID -d 192.168.0.0/16 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 189.76.144.0/20 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 189.76.156.190 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 172.16.0.0/12 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 10.0.0.0/8 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -p tcp -j DNAT --to-destination=10.240.68.68:3128


[root@montana rules]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 58M packets, 4835M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443

Chain PROXYSQUID (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 RETURN     all  --  *      *       0.0.0.0/0            189.76.144.0/20
    0     0 RETURN     all  --  *      *       0.0.0.0/0            189.76.156.190
    0     0 RETURN     all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           to:10.240.68.68:3128
[root@montana rules]# curl -v www.google.com
* About to connect() to www.google.com port 80
*   Trying 216.58.222.68... * connected
* Connected to www.google.com (216.58.222.68) port 80
> GET / HTTP/1.1
User-Agent: curl/7.12.1 (i686-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a zlib/1.2.1.2 libidn/0.5.6
Host: www.google.com
Pragma: no-cache
Accept: */*

< HTTP/1.0 302 Moved Temporarily
< Location: http://www.google.com.br/?gws_rd=cr&ei=FtwdWdaDMYm0wQSWwZ24Ag
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
< Date: Thu, 18 May 2017 17:38:30 GMT
< Server: gws
< Content-Length: 262
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: NID=103=Vdks002SayhLjRhSWr_ETgZR2-0Hngh7ci-McE8fBhw6vDhAENt6JxWkTKtPKWen7HL-KYjiSNg9lwXnjSCejhv1va4yIUhPpMDYZ-mK4uDb9FQldR1zp3Y1RiOwx4jX; expires=Fri, 17-Nov-2017 17:38:30 GMT; path=/; domain=.google.com; HttpOnly
< X-Cache: MISS from leli.rbs.com.br
< X-Cache-Lookup: MISS from leli.rbs.com.br:3128
< Via: 1.0 leli.rbs.com.br (squid/3.1.23)
* HTTP/1.0 connection set to keep alive!
< Connection: keep-alive
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com.br/?gws_rd=cr&amp;ei=FtwdWdaDMYm0wQSWwZ24Ag";>here</A>.
</BODY></HTML>
* Connection #0 to host www.google.com left intact
* Closing connection #0
[root@montana rules]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 58M packets, 4835M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443

Chain PROXYSQUID (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 RETURN     all  --  *      *       0.0.0.0/0            189.76.144.0/20
    0     0 RETURN     all  --  *      *       0.0.0.0/0            189.76.156.190
    0     0 RETURN     all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           to:10.240.68.68:3128
[root@montana rules]#

On my new Squid Server running 3.5.20 on Centos 7 I tried many different ways but had no success.

I will send my steps in a new reply email in a few minutes because of the email size.

Sorry about all this log of information.



Rogério Ceni Coelho
Engenheiro de Infraestrutura - Infrastructure Engineer
Diretoria de TI e Telecom - Grupo RBS
Fone: +55 (51) 3218-6983
Celular: +55 (51) 8186-2933 Claro
Celular: +55 (51) 8050-4225 Vivo
rogerio.coelho@xxxxxxxxxxxxxxx
http://www.gruporbs.com.br
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
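Added example, not part of the original post or of the Squid project: a Python check over the client-side `iptables -t nat -L -n -v` listing shown above (copied into the script as constructed sample data). It parses the listing and flags the two points that matter when moving from 3.1 `transparent` to 3.5 `intercept`. First, the DNAT happens on the client, so the destination is rewritten to 10.240.68.68:3128 before the packet leaves that host; on the Squid host the connection then arrives as an ordinary connection to port 3128 and its NAT table holds no record of www.google.com, so an `http_port 3128 intercept` cannot recover the real destination. Squid 3.2 and later build the URL from that recovered address and validate the Host header against it instead of trusting the Host header the way 3.1's `transparent` mode did, which is why the old setup worked and a remote DNAT into an intercept port does not; the fix is either an explicit proxy setting on the clients with a plain `http_port 3128`, or performing the NAT on the Squid host itself. Second, the script also sends port 443 to 3128, although the posted 3.1 config only listens for intercepted TLS on https_port 3129. The client address and the port-role table are assumptions.

```python
#!/usr/bin/env python3
"""Static check of the client-side iptables NAT rules that redirect web traffic into Squid.
Added example (not from the post or the Squid project): parses `iptables -t nat -L -n -v`
output and flags DNAT to a Squid on another host and port-443 traffic sent to an http_port."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed copy of the client-side (montana) listing after the curl run in the post.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 58M packets, 4835M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443

Chain PROXYSQUID (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 RETURN     all  --  *      *       0.0.0.0/0            189.76.144.0/20
    0     0 RETURN     all  --  *      *       0.0.0.0/0            189.76.156.190
    0     0 RETURN     all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           to:10.240.68.68:3128
"""

# Assumed from the posted squid.conf: 3128 is a plain http_port, 3129 an https_port.
SQUID_PORTS = {3128: "http_port", 3129: "https_port"}
# Assumed address of the client host running the rules (the post does not give it).
CLIENT_ADDRS = ("10.240.68.200",)

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


@dataclass
class Rule:
    pkts: int
    target: str
    prot: str
    source: str
    destination: str
    extra: str  # trailing match options / target parameters, e.g. "tcp dpt:80"


def parse_count(tok: str) -> int:
    """Counters printed by -v carry K/M/G suffixes unless -x is also given."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"bad counter {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_nat_table(text: str) -> dict:
    """Return {chain name: [Rule, ...]} in listing order."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        f = line.split()
        if current is None or not f or f[0] == "pkts":
            continue  # blank line or column header
        # columns: pkts bytes target prot opt in out source destination [extra ...]
        chains[current].append(Rule(parse_count(f[0]), f[2], f[3], f[7], f[8], " ".join(f[9:])))
    return chains


def dnat_endpoints(chains, rule, depth=0):
    """(ip, port) of every DNAT reachable from `rule`, following user-chain jumps."""
    if rule.target == "DNAT":
        m = re.search(r"to:(\d+\.\d+\.\d+\.\d+):(\d+)", rule.extra)
        return [(ipaddress.ip_address(m.group(1)), int(m.group(2)))] if m else []
    if rule.target in chains and depth < 8:
        return [e for r in chains[rule.target] for e in dnat_endpoints(chains, r, depth + 1)]
    return []


def check_client_redirect(chains, local_addrs, squid_ports=SQUID_PORTS):
    """Findings [(code, message)] for the OUTPUT chain of a client host."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    findings = []
    for rule in chains.get("OUTPUT", []):
        m = re.search(r"dpt:(\d+)", rule.extra)
        dpt = int(m.group(1)) if m else None
        for ip, port in dnat_endpoints(chains, rule):
            if ip not in local:
                findings.append(("remote_nat", f"dpt:{dpt} is DNATed to {ip}:{port} on another "
                    "host: the destination is rewritten before the packet leaves this client, so "
                    "an intercept port on the Squid host cannot recover it from its own NAT table. "
                    "Use an explicit proxy setting or do the NAT on the Squid host."))
            if dpt == 443 and squid_ports.get(port) == "http_port":
                findings.append(("tls_to_http_port", f"dpt:443 is sent to {ip}:{port}, a plain "
                    "http_port; TLS belongs on an https_port or should not be redirected."))
            findings.append(("traffic", f"OUTPUT rule for dpt:{dpt} has matched {rule.pkts} packet(s)"))
    return findings


if __name__ == "__main__":
    for code, msg in check_client_redirect(parse_nat_table(SAMPLE_NAT), CLIENT_ADDRS):
        print(f"[{code}] {msg}")
```

Run it as-is to see the findings for the posted listing, or pipe a live `iptables -t nat -L -n -v` into `parse_nat_table` and pass the host's real addresses; the same rules applied on the Squid host itself (local address 10.240.68.68) produce no `remote_nat` finding, because there the kernel NAT table does hold the original destination that an intercept port needs.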