On 20/04/18 04:05, fourirakbar wrote:
> I'm using Squid version 3.5
>
> My goal is to create a transparent proxy using a docker container for each
> user, so I don't need to configure manual proxy settings for the user.

Why have a different proxy per-user instead of a shared proxy?

The point of proxying is generally one of two use-cases:

1) centralized access control. Per-user proxies are not centralized.

2) caching. Which is done by the user's browser. Middle proxies like
Squid add nothing for an individual.

>
> *So this is what I want:*
> 1. Guest logs in to the system (done)
> 2. After login, the system notes the ID and IP (done)
> 3. On another machine (I call it "server docker"), I create a container with
>    --name ID and IP and --publish a specific port for the guest (done)
> 4. Create iptables rules for the user with the specific IP and PORT (done,
>    but I'm not sure)
> 5. If the guest wants to connect to the internet, the guest must go through
>    that container (not yet)
>
> *Example:*
> ID : 5114100100
> IP CLIENT : 10.151.36.227
> IP server docker : 10.151.36.134
> PORT : 9001
>
> *First step: I create an image*
> docker run -d -it --net bridge --name 5114100100_10.151.36.227 --publish 9001:3128 fourirakbar/debian-squid:version2
>
> *Second step: I create rules with iptables*
> iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.227 -p tcp --dport 80 -j DNAT --to 10.151.36.134:9001
> iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.134 -p tcp --dport 443 -j DNAT --to 10.151.36.134:9001

Not possible. Squid requires access to the OS NAT tables. It cannot do
that when the NAT tables are on a different machine/VM/container.

You must *route* traffic to the Squid machine/container.

>
> *first my squid.conf in container*
> visible_hostname X450LD
> http_port 3128
> http_access allow all
>

Very broken, and kind of pointless;
 * you are not doing any kind of control at all, and
 * caching does not work at all well because it is per-user, and
 * the most you will get out of this is logs.

BUT with NAT happening outside the container the log contents will be
lies.

> *Then, if I set the proxy setting manually in the browser client (I use
> firefox)*
> HTTP Proxy 10.151.36.134
> Port 9001
>
> it's working fine

Because this proxy is set up as a forward-proxy ONLY.

> ===================================
>
> Now here's the problem:
>
> I want to make it transparent. I tried every tutorial / GitHub from other
> users and I made the squid.conf in the container like this:
>
> acl SUBNETAJK src 10.151.36.0/24
> acl client1 src 10.151.36.227
> ...
> http_port 3128
> http_port 3129 intercept
> http_access allow SUBNETAJK
> http_access deny all
> http_access deny CONNECT !SSL_ports
> http_access deny !Safe_ports
>
> never_direct allow all
> ...
>
> When I try to open an http website like `elearning.if.its.ac.id` or
> `monta.if.its.ac.id`, I get the error *unable to forward this request at
> this time*
>

Because "never_direct allow all" forbids the proxy from looking up where
traffic is supposed to be going. It is only permitted to send traffic
through a cache_peer ... of which you have zero.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
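The two corrections Amos gives, as an added worked example that is not part of the thread and not Squid project code: the poster's squid.conf fragment beside a corrected one, the nat rule that has to live on the host whose kernel Squid runs in (REDIRECT to the intercept port, not DNAT from another box), and a small lint that catches the never_direct-without-cache_peer mistake behind "Unable to forward this request at this time". The ACL name, subnet, interface and client address are taken from the thread; the SSL_ports/Safe_ports definitions, the http_access ordering, the lint function and the constructed cache_peer line in the usage are assumptions added here. Plain HTTP only, as in the poster's failing test.

```shell
#!/bin/sh
# Added example for the squid-users thread above; not Squid project code.
# Two points from Amos's reply, made concrete:
#   1. interception rules must run in the same kernel/netns as Squid and use
#      REDIRECT, so the original destination stays recoverable; DNAT from
#      another machine gives Squid nothing to look up.
#   2. "never_direct allow all" with zero cache_peer lines leaves Squid
#      nowhere to send a request, hence "Unable to forward this request".

# Constructed fragment reproducing the poster's configuration. The allow/deny
# ordering is also kept: everything after "deny all" is never evaluated.
BROKEN_CONF='
acl SUBNETAJK src 10.151.36.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
http_port 3128
http_port 3129 intercept
http_access allow SUBNETAJK
http_access deny all
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
never_direct allow all
'

# Corrected fragment (assumed, not from the thread): deny rules first, then
# the subnet allow, and no never_direct so Squid resolves and connects to
# origin servers itself.
FIXED_CONF='
acl SUBNETAJK src 10.151.36.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
http_port 3128
http_port 3129 intercept
# deny rules first: after "deny all" nothing below it is ever evaluated
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow SUBNETAJK
http_access deny all
# no never_direct: with zero cache_peer lines Squid must go direct
'

# lint_forwarding CONF: prints "ok", or prints a diagnosis and returns 1 when
# the config has a never_direct allow line but no cache_peer to send to.
# Comments are stripped first so a mention in a comment does not count.
lint_forwarding() {
  stripped=$(printf '%s\n' "$1" | sed 's/#.*//')
  nd=$(printf '%s\n' "$stripped" | grep -Ec '^[[:space:]]*never_direct[[:space:]]+allow' || true)
  peers=$(printf '%s\n' "$stripped" | grep -Ec '^[[:space:]]*cache_peer[[:space:]]' || true)
  if [ "$nd" -gt 0 ] && [ "$peers" -eq 0 ]; then
    echo "never_direct allow with no cache_peer: every request will fail to forward"
    return 1
  fi
  echo ok
}

# intercept_rule IFACE CLIENT PORT: the nat rule for the host Squid runs on.
# The client must be routed through this host (e.g. it is the client's
# default gateway); the rule then hands port-80 traffic to the intercept
# port inside the same kernel, where Squid can read the original destination.
intercept_rule() {
  printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$1" "$2" "$3"
}

# Usage with the addresses from the thread (nothing here touches the system).
lint_forwarding "$BROKEN_CONF" || echo "(the poster's error)"
lint_forwarding "$FIXED_CONF"
intercept_rule wlp3s0 10.151.36.227 3129
```

If a cache_peer is genuinely wanted (a parent proxy that must see all traffic), never_direct is fine as long as at least one cache_peer line exists; the lint accepts that combination. Running the rule inside the container rather than on the Docker host only works if the container has CAP_NET_ADMIN and the client traffic is actually routed into that container's network namespace, which the published-port setup in the thread does not do.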