My goal is to create a transparent proxy using docker container for each
user, so I don't need to configure manual proxy setting in user.
*So this is what I want:*
1. Guest login to the system (done)
2. After login, system noted ID and IP (done)
3. In other machine (I call it "server docker"), I create a container with
--name ID and IP and --publish specific port from the guest (done)
4. Create iptables for the user with specific IP and PORT (done, but I'm
5. If guest want to connect to the internet, guest must be through that
container (not yet)
ID : 5114100100
IP CLIENT : 10.151.36.227
IP server docker : 10.151.36.134
PORT : 9001
*First step: I create an image*
docker run -d -it --net bridge --name 5114100100_10.151.36.227 --publish
On 20/04/18 04:05, fourirakbar wrote:
> I'm using Squid version 3.5
> My goal is to create a transparent proxy using docker container for each
> user, so I don't need to configure manual proxy setting in user.
Why have a different proxy per-user instead of a shared proxy?
The point of proxying is generally one of two use-cases:
1) centralized access control. Per-user proxies are not centralized.
2) caching. Which is done by the users Browser. Middle proxies like
Squid adds nothing for an individual.
> *So this is what I want:*
> 1. Guest login to the system (done)
> 2. After login, system noted ID and IP (done)
> 3. In other machine (I call it "server docker"), I create a container with
> --name ID and IP and --publish specific port from the guest (done)
> 4. Create iptables for the user with specific IP and PORT (done, but I'm
> not sure)
> 5. If guest want to connect to the internet, guest must be through that
> container (not yet)
> ID : 5114100100
> IP CLIENT : 10.151.36.227
> IP server docker : 10.151.36.134
> PORT : 9001
> *First step: I create an image*
> docker run -d -it --net bridge --name 5114100100_10.151.36.227 --publish
> 9001:3128 fourirakbar/debian-squid:version2
> *Second step: I create rules with iptables*
> iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.227 -p tcp --dport
> 80 -j DNAT --to 10.151.36.134:9001
> iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.134 -p tcp --dport
> 443 -j DNAT --to 10.151.36.134:9001
Not possible. Squid requires access to the OS NAT tables. It cannot do
that when the NAT tables are on a different machine/VM/container.
You must *route* traffic to the Squid machine/container.
> *first my squid.conf in container*
> visible_hostname X450LD
> http_port 3128
> http_access allow all
Very broken, and kind of pointless;
* you are not doing any kind of control at all, and
* caching does not work at all well because it is per-user, and
* the most you will get out of this is logs. BUT with NAT happening
outside the container the log contents will be lies.
> *Then, if I set proxy setting manual in browser client (I use firefox)*
> HTTP Proxy 10.151.36.134
> Port 9001
> it's working fine
Because this proxy is setup as a forward-proxy ONLY.
> Now here's the problem:
> I want to make in transparent. I tried every tutorial / github other user
> and I make squid.conf in container like this:
> acl SUBNETAJK src 10.151.36.0/24
> acl client1 src 10.151.36.227
> http_port 3128
> http_port 3129 intercept
> http_access allow SUBNETAJK
> http_access deny all
> http_access deny CONNECT !SSL_ports
> http_access deny !Safe_ports
> never_direct allow all
> When I try to open http website like `elearning.if.its.ac.id` or
> `monta.if.its.ac.id`, it got error *unable to forward this request at this
Because "never_direct allow all" forbids the proxy from looking up where
traffic is supposed to be going. It is only permitted to send traffic
through a cache_peer ... of which you have zero.