
Re: transparently proxy squid in a docker container


On 24/02/21 3:14 pm, Justin Michael Schwartzbeck wrote:
Hi all,

For some years I have used squid 3.5 with SSL bump and transparent proxy locally on my laptop. I have been using the following in my squid.conf:


ssl_bump server-first all
http_port 3128
http_port 3129 intercept
http_port 3130 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/bluestar.crt key=/etc/squid/ssl/bluestar.pem


So if I want to manually set the proxy on the client side, I use port 3128, but by default all http/https traffic is redirected to port 3129 and 3130, respectively. Here are my iptables rules:


iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner dockeruser -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner root -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner dockeruser -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130


These rules are inside the container, yes?



dockeruser is the user that starts the docker container, and proxy is the actual squid user. I didn't know which one I needed a rule for, so I just chose both.


Should be the "effective user" Squid runs as. Apparently "proxy" from that description.


As I said before, this worked great when I was running squid 3.5 on bare metal. Now I am running squid 4 in a docker container. I am seeing the following error many times in the squid logs when I try to use the transparent proxy:


2021/02/24 01:45:17| WARNING: Forwarding loop detected for:


Something on the network is routing traffic back to Squid. The most common cause is missing or broken policy routing rules on a router.

Be aware that for containers or virtual systems the host OS may be acting as a router for the container. As such it needs policy routing like any other. See <https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute>, which has details of the rules needed, assuming your host OS is Linux.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
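An added check, not from this thread, that reads iptables-save style nat OUTPUT rules and flags destination ports whose REDIRECT is not preceded by a RETURN for Squid's effective user (the user Amos says the exemption must name). The sample rule lists are constructed from the rules quoted above; the "proxy" user name is taken from Justin's description.

```python
"""Lint nat OUTPUT rules for the self-redirect that sends Squid's own outbound
connections back into its intercept port (one source of "Forwarding loop detected").
A REDIRECT for a destination port is safe only if an earlier rule RETURNs traffic
owned by Squid's effective user for that same port; rule order matters."""
import re

RULE_RE = re.compile(
    r"-A OUTPUT .*--dport (?P<port>\d+)"
    r"(?: .*--uid-owner (?P<uid>\S+))?"
    r" -j (?P<target>RETURN|REDIRECT)"
)

# Constructed from the rules in the thread: only root and dockeruser are exempted.
ORIGINAL_RULES = [
    "-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j RETURN",
    "-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner dockeruser -j RETURN",
    "-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129",
    "-A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner root -j RETURN",
    "-A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner dockeruser -j RETURN",
    "-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130",
]

# Same rules with the exemption naming Squid's effective user instead.
FIXED_RULES = [r.replace("dockeruser", "proxy") for r in ORIGINAL_RULES]


def find_loop_risks(rules, squid_user):
    """Return destination ports (as strings, in rule order) whose REDIRECT rule
    is reached before any RETURN rule that exempts squid_user's own traffic."""
    exempted_ports = set()
    risky = []
    for line in rules:
        m = RULE_RE.search(line)
        if not m:
            continue  # not a port-based OUTPUT rule we care about
        port, uid, target = m.group("port"), m.group("uid"), m.group("target")
        if target == "RETURN" and uid == squid_user:
            exempted_ports.add(port)
        elif target == "REDIRECT" and port not in exempted_ports:
            risky.append(port)
    return risky


if __name__ == "__main__":
    print("original:", find_loop_risks(ORIGINAL_RULES, "proxy"))  # ['80', '443']
    print("fixed:   ", find_loop_risks(FIXED_RULES, "proxy"))     # []
```

Run it against the output of `iptables-save -t nat` inside whichever namespace the rules live in; a non-empty result means Squid's own upstream connections will be redirected back to the intercept port.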