I'm using Squid version 3.5. My goal is to create a transparent proxy using a Docker container for each user, so I don't need to configure manual proxy settings on the user's machine.

*So this is what I want:*

1. Guest logs in to the system (done)
2. After login, the system notes the ID and IP (done)
3. On another machine (I call it "server docker"), I create a container with --name ID and IP and --publish a specific port for the guest (done)
4. Create iptables rules for the user with a specific IP and PORT (done, but I'm not sure)
5. If a guest wants to connect to the internet, the guest must go through that container (not yet)

*Example:*

ID : 5114100100
IP CLIENT : 10.151.36.227
IP server docker : 10.151.36.134
PORT : 9001

*First step: I create an image*

    docker run -d -it --net bridge --name 5114100100_10.151.36.227 --publish 9001:3128 fourirakbar/debian-squid:version2

*Second step: I create rules with iptables*

    iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.227 -p tcp --dport 80 -j DNAT --to 10.151.36.134:9001
    iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.134 -p tcp --dport 443 -j DNAT --to 10.151.36.134:9001

*First, my squid.conf in the container*

    visible_hostname X450LD
    http_port 3128
    http_access allow all

*Then, if I set the proxy settings manually in the client browser (I use Firefox)*

HTTP Proxy 10.151.36.134 Port 9001

it's working fine.

===================================

Now here's the problem: I want to make it transparent.
I tried every tutorial / GitHub from other users, and I made the squid.conf in the container like this:

    acl SUBNETAJK src 10.151.36.0/24
    acl client1 src 10.151.36.227
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 445 # windows update
    acl CONNECT method CONNECT
    http_port 3128
    http_port 3129 intercept
    http_access allow SUBNETAJK
    http_access deny all
    http_access deny CONNECT !SSL_ports
    http_access deny !Safe_ports
    never_direct allow all
    cache_mem 64 MB
    cache_swap_low 98
    cache_swap_high 99
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
    shutdown_lifetime 1 second
    visible_hostname X450LD

*Then I change `--publish` to 3129. I run `docker run` again like this:*

    docker run -d -it --net bridge --name 5114100123_10.151.36.227 --publish 9001:3129 fourirakbar/debian-squid:version2

And I didn't change the iptables rules.
If I do `iptables -t nat -L` on server docker, it looks like this:

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    DNAT       tcp  --  10.151.36.227        anywhere             tcp dpt:https to:10.151.36.134:9001
    DNAT       tcp  --  10.151.36.227        anywhere             tcp dpt:http to:10.151.36.134:9001

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    DOCKER     all  --  anywhere             !127.0.0.0/8         ADDRTYPE match dst-type LOCAL

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE all  --  172.17.0.0/16        anywhere
    MASQUERADE all  --  172.18.0.0/16        anywhere
    MASQUERADE tcp  --  172.17.0.2           172.17.0.2           tcp dpt:3129

    Chain DOCKER (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:9001 to:172.17.0.2:3129

When I try to open an HTTP website like `elearning.if.its.ac.id` or `monta.if.its.ac.id`, I get the error *unable to forward this request at this time*

Does anyone know how to fix this? I wonder if someone can help me.

Thank you very much.

And this is access.log
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377437/accesslog.png>
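
One way to sanity-check a squid.conf like the second one in the post before deploying it (an added example, not part of the original message and not a Squid tool). It relies on two Squid behaviours: http_access rules are evaluated in order and the first match wins, and `never_direct allow all` forbids going direct to origin servers, so without a `cache_peer` no forwarding path remains. The names `parse_directives`, `lint_squid_conf` and the finding strings are hypothetical; `SAMPLE_CONF` is abridged from the post.

```python
# Added example: offline sanity check for a squid.conf like the one in the post.
# lint_squid_conf and its finding strings are hypothetical, not a Squid tool.

SAMPLE_CONF = """\
acl SUBNETAJK src 10.151.36.0/24
acl SSL_ports port 443
acl Safe_ports port 80    # http
acl CONNECT method CONNECT
http_port 3128
http_port 3129 intercept
http_access allow SUBNETAJK
http_access deny all
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
never_direct allow all
"""  # abridged from the configuration quoted in the post


def parse_directives(text):
    """Yield (line_number, [tokens]) for each directive, dropping comments."""
    for number, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield number, tokens


def lint_squid_conf(text):
    """Return a list of (line_number, finding) tuples."""
    findings = []
    terminal_rule = None       # line of the first unconditional http_access rule
    has_peer = False
    never_direct_all = None    # line of 'never_direct allow all', if present
    for number, tokens in parse_directives(text):
        name, args = tokens[0], tokens[1:]
        if name == "http_access":
            if terminal_rule is not None:
                # First match wins: nothing after '<action> all' is evaluated.
                findings.append((number, f"unreachable: follows line {terminal_rule}"))
            elif args[1:] == ["all"]:
                terminal_rule = number
        elif name == "cache_peer":
            has_peer = True
        elif name == "never_direct" and args == ["allow", "all"]:
            never_direct_all = number
    if never_direct_all is not None and not has_peer:
        findings.append((never_direct_all, "never_direct allow all but no cache_peer"))
    return findings
```

Calling `lint_squid_conf(SAMPLE_CONF)` returns one finding per affected line, keyed by the line number inside the sample.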