Intercept Squid Proxy with Docker

Intercept Squid Proxy with Docker

fourirakbar
I'm using Squid version 3.5

My goal is to create a transparent proxy using a Docker container for each
user, so I don't need to configure a manual proxy setting for the user.

*So this is what I want:*
  1. Guest logs in to the system (done)
  2. After login, the system notes the ID and IP (done)
  3. On another machine (I call it "server docker"), I create a container with
--name ID and IP and --publish a specific port for the guest (done)
  4. Create iptables rules for the user with a specific IP and PORT (done, but I'm
not sure)
  5. If the guest wants to connect to the internet, the guest must go through that
container (not yet)

*Example:*
 ID : 5114100100
 IP CLIENT : 10.151.36.227
 IP server docker : 10.151.36.134
 PORT : 9001

*First step: I create an image*
    docker run -d -it --net bridge --name 5114100100_10.151.36.227 \
        --publish 9001:3128 fourirakbar/debian-squid:version2

*Second step: I create rules with iptables*
    # both rules match the client address; the "iptables -t nat -L" listing
    # further down shows 10.151.36.227 as the source of the port 443 rule too
    iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.227 -p tcp --dport 80 -j DNAT --to 10.151.36.134:9001
    iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.227 -p tcp --dport 443 -j DNAT --to 10.151.36.134:9001

*first my squid.conf in container*
    visible_hostname X450LD
    http_port 3128
    http_access allow all

*Then, if I set the proxy setting manually in the browser client (I use Firefox)*
    HTTP Proxy 10.151.36.134
    Port 9001

it works fine
===================================

Now here's the problem:

I want to make it transparent. I tried every tutorial / GitHub repo of other
users, and I made the squid.conf in the container like this:

    acl SUBNETAJK src 10.151.36.0/24
    acl client1 src 10.151.36.227
   
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 445 # windows update
    acl CONNECT method CONNECT
   
    http_port 3128
    http_port 3129 intercept
    http_access allow SUBNETAJK
    http_access deny all
    http_access deny CONNECT !SSL_ports
    http_access deny !Safe_ports
   
    never_direct allow all
   
    cache_mem 64 MB
    cache_swap_low 98
    cache_swap_high 99
   
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320

    shutdown_lifetime 1 second
    visible_hostname X450LD

*Then I change `--publish` to 3129 and run `docker run` again like this:*

    docker run -d -it --net bridge --name 5114100123_10.151.36.227 \
        --publish 9001:3129 fourirakbar/debian-squid:version2

And I didn't change the iptables rules. If I do `iptables -t nat -L` on the
server docker, it looks like this:

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    DNAT       tcp  --  10.151.36.227        anywhere             tcp dpt:https to:10.151.36.134:9001
    DNAT       tcp  --  10.151.36.227        anywhere             tcp dpt:http to:10.151.36.134:9001

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  172.17.0.0/16        anywhere
    MASQUERADE  all  --  172.18.0.0/16        anywhere
    MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:3129

    Chain DOCKER (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:9001 to:172.17.0.2:3129

When I try to open an http website like `elearning.if.its.ac.id` or
`monta.if.its.ac.id`, I get the error *unable to forward this request at this
time*

Does anyone know how to fix this? I hope someone can help me.
Thank you very much

And this is access.log
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377437/accesslog.png>



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
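An added example, not part of the thread and not the poster's or the Squid project's code: the iptables layout that Squid's intercept mode actually needs, using the values from the post (interface wlp3s0, client 10.151.36.227, port 9001). Squid recovers the original destination of an intercepted connection from the conntrack table of the network namespace it runs in, so the redirect has to be applied in that namespace. The script assumes the Squid container is started with `--net host` (so it shares the host's namespace and NAT state) and that its squid.conf has `http_port 9001 intercept`; the client's traffic must also be routed through this host, e.g. by making it the client's default gateway. REDIRECT replaces the DNAT to another address, and only port 80 is redirected: a plain `http_port ... intercept` cannot accept TLS, so intercepting 443 would need `https_port ... intercept ssl-bump` and a CA the clients trust, which is outside this example. `intercept_rules` and `same_netns` are assumed names; the mangle DROP rule follows the Squid wiki's advice to block direct connections to the intercept port.

```shell
#!/bin/sh
# Added example for the thread above, not the poster's code. Squid looks up the
# original destination of an intercepted connection in the conntrack table of
# its own network namespace, so the REDIRECT must be applied in that namespace.
# Assumed container start (host network namespace, squid.conf has
# "http_port 9001 intercept"):
#   docker run -d --net host --name 5114100100_10.151.36.227 fourirakbar/debian-squid:version2

IFACE=${IFACE:-wlp3s0}                 # interface the client traffic arrives on
CLIENT_IP=${CLIENT_IP:-10.151.36.227}  # this user's address
PORT=${PORT:-9001}                     # this user's intercept port

# Print the commands for one client. REDIRECT keeps the NAT state on this
# host; DNAT to another machine (as in the post) leaves Squid blind.
# Port 443 is deliberately not touched: "http_port N intercept" cannot
# terminate TLS. The mangle rule drops LAN connections aimed directly at the
# intercept port, so only NAT-redirected traffic reaches Squid there.
intercept_rules() {
    iface=$1; client=$2; port=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $iface -s $client -p tcp --dport 80 -j REDIRECT --to-ports $port
iptables -t mangle -A PREROUTING -i $iface -p tcp --dport $port -j DROP
EOF
}

# Check that process $1 (e.g. the Squid pid) shares this shell's network
# namespace, i.e. the rules applied from here are the ones its lookup sees.
# Returns 0 if same namespace, 1 if not, 2 if /proc exposes no namespace links.
same_netns() {
    mine=$(readlink /proc/self/ns/net 2>/dev/null) || return 2
    theirs=$(readlink "/proc/$1/ns/net" 2>/dev/null) || return 2
    [ -n "$mine" ] && [ "$mine" = "$theirs" ]
}

# Dry run by default; "--apply" executes the rules on this host.
if [ "${1:-}" = "--apply" ]; then
    intercept_rules "$IFACE" "$CLIENT_IP" "$PORT" | sh -ex
else
    intercept_rules "$IFACE" "$CLIENT_IP" "$PORT"
fi
```

Run it without arguments to see the rules, and `same_netns "$(pgrep -o squid)"` on the host after the container is up; a non-zero result means the redirect and the proxy live in different namespaces, which is the situation in the post.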

Re: Intercept Squid Proxy with Docker

Amos Jeffries
Administrator
On 20/04/18 04:05, fourirakbar wrote:
> I'm using Squid version 3.5
>
> My goal is to create a transparent proxy using a Docker container for each
> user, so I don't need to configure a manual proxy setting for the user.

Why have a different proxy per-user instead of a shared proxy?

The point of proxying is generally one of two use-cases:

1) centralized access control. Per-user proxies are not centralized.

2) caching. Which is done by the user's Browser. Middle proxies like
Squid add nothing for an individual.


>
> *So this is what I want:*
>   1. Guest logs in to the system (done)
>   2. After login, the system notes the ID and IP (done)
>   3. On another machine (I call it "server docker"), I create a container with
> --name ID and IP and --publish a specific port for the guest (done)
>   4. Create iptables rules for the user with a specific IP and PORT (done, but I'm
> not sure)
>   5. If the guest wants to connect to the internet, the guest must go through that
> container (not yet)
>
> *Example:*
>  ID : 5114100100
>  IP CLIENT : 10.151.36.227
>  IP server docker : 10.151.36.134
>  PORT : 9001
>
> *First step: I create an image*
>     docker run -d -it --net bridge --name 5114100100_10.151.36.227 \
>         --publish 9001:3128 fourirakbar/debian-squid:version2
>
> *Second step: I create rules with iptables*
>     iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.227 -p tcp --dport 80 -j DNAT --to 10.151.36.134:9001
>     iptables -t nat -A PREROUTING -i wlp3s0 -s 10.151.36.227 -p tcp --dport 443 -j DNAT --to 10.151.36.134:9001

Not possible. Squid requires access to the OS NAT tables. It cannot do
that when the NAT tables are on a different machine/VM/container.

You must *route* traffic to the Squid machine/container.

>
> *first my squid.conf in container*
>     visible_hostname X450LD
>     http_port 3128
>     http_access allow all
>

Very broken, and kind of pointless;
* you are not doing any kind of control at all, and
* caching does not work at all well because it is per-user, and
* the most you will get out of this is logs. BUT with NAT happening
outside the container the log contents will be lies.



> *Then, if I set proxy setting manual in browser client (I use firefox)*
>     HTTP Proxy 10.151.36.134
>     Port 9001
>
> it's working fine

Because this proxy is setup as a forward-proxy ONLY.


> ===================================
>
> Now here's the problem:
>
> I want to make it transparent. I tried every tutorial / GitHub repo of other
> users, and I made the squid.conf in the container like this:
>
>     acl SUBNETAJK src 10.151.36.0/24
>     acl client1 src 10.151.36.227
...
>     http_port 3128
>     http_port 3129 intercept
>     http_access allow SUBNETAJK
>     http_access deny all
>     http_access deny CONNECT !SSL_ports
>     http_access deny !Safe_ports
>    
>     never_direct allow all
...
>
> When I try to open an http website like `elearning.if.its.ac.id` or
> `monta.if.its.ac.id`, I get the error *unable to forward this request at this
> time*
>

Because "never_direct allow all" forbids the proxy from looking up where
traffic is supposed to be going. It is only permitted to send traffic
through a cache_peer ... of which you have zero.


Amos
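An added example, not from the thread and not Squid project code: a small lint pass over the squid.conf posted in the question, catching the two configuration faults visible in it. `http_access` is evaluated first-match, so any rule after a catch-all `http_access deny all` (or `allow all`) can never run; and `never_direct allow all` with no `cache_peer` leaves Squid nowhere to send a request, which is exactly the "Unable to forward this request at this time" error Amos explains. It cannot see the NAT-namespace problem, which is not expressed in squid.conf. `lint_squid_conf` is an assumed name; the first embedded config is the posted one trimmed to the relevant directives, the second is a reordered copy with `never_direct` removed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Lints a squid.conf read on stdin for two faults found in the posted config:
#   1. http_access lines after a catch-all "allow all"/"deny all"; http_access
#      is first-match, so those lines are unreachable;
#   2. "never_direct allow all" with no cache_peer, which makes every request
#      fail with "Unable to forward this request at this time".
# Prints one finding per line and exits 1 if anything was found, else 0.
lint_squid_conf() {
    awk '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
    /^$/ { next }
    $1 == "cache_peer" { peers++ }
    $1 == "never_direct" && $2 == "allow" && $3 == "all" { nd_line = NR }
    $1 == "http_access" {
        if (terminal != "") {
            printf "unreachable: line %d \"%s\" is after \"%s\"\n", NR, $0, terminal
            n++
        } else if (NF == 3 && ($2 == "allow" || $2 == "deny") && $3 == "all") {
            terminal = $0
        }
    }
    END {
        if (nd_line && !peers) {
            printf "never_direct: line %d forbids DIRECT but no cache_peer is defined\n", nd_line
            n++
        }
        exit (n ? 1 : 0)
    }'
}

# The squid.conf from the post, trimmed to the directives that matter here.
POSTED_CONF=$(cat <<'EOF'
acl SUBNETAJK src 10.151.36.0/24
acl client1 src 10.151.36.227
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT

http_port 3128
http_port 3129 intercept
http_access allow SUBNETAJK
http_access deny all
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
never_direct allow all
visible_hostname X450LD
EOF
)

# Same directives with the port checks first, the catch-all last, and
# never_direct removed so Squid may resolve and contact origin servers itself.
FIXED_CONF=$(cat <<'EOF'
acl SUBNETAJK src 10.151.36.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT

http_port 3128
http_port 3129 intercept
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow SUBNETAJK
http_access deny all
visible_hostname X450LD
EOF
)

echo "== posted config =="
printf '%s\n' "$POSTED_CONF" | lint_squid_conf || true
echo "== fixed config =="
printf '%s\n' "$FIXED_CONF" | lint_squid_conf && echo "no findings"
```

To check a live file: `lint_squid_conf < /etc/squid/squid.conf`. The line numbers it reports are those of the file as read, so they match what `squid -k parse` would point at.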