Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

setuid
I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5,
4.0 on Ubuntu Xenial, Debian Jessie, FreeBSD 11.1 using iptables, pf,
ipf, ipfilter) does not work at all, when configured as a transparent
proxy. Full stop.

I went through hundreds of posts on dozens of forums, blogs and other
resources, tried dozens and dozens of configurations suggested by those
posts, tried all 3 firewall options on BSD, tried two versions of Ubuntu
and the various versions of Squid from the apt repos, as well as those
in BSD's ports.

All of them, 100%, fail in _exactly_ the same way, no matter what my
configuration was set to. The result is that _every single http
request I make_ when Squid is configured as a transparent proxy results
in the following response being logged:

======================
07/Feb/2018:15:10:59 -0500.213      0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/- text/html ("-" "-")
======================

When I point a client directly at the proxy, using a browser, curl or
anything else, I see:

======================
07/Feb/2018:15:12:56 -0500.875     82 192.168.1.1 TCP_MISS/302 333 HEAD http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0")
======================

These were the same exact request against the same exact Squid instance.
If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is
_identical_ for every single http request I make, regardless of origin.

My Squid configuration is 100% default, identical to the generic config,
with the exception of the following lines:

======================
http_port 3128
http_port 3129 intercept
tcp_outgoing_address 192.168.1.25
debug_options ALL,9
======================

I've tried all of the obvious links, blogs and resources I could Google
up, and 100% of them fail to function as described. Most people I've
seen on the forums who attempt to get this working, throw their hands up
in defeat and end up configuring the proxy directly on every client that
needs it.

My current environment looks like this:

[ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ]

That router has a firewall script on it that says:

======================
#!/bin/sh
PROXY_IP=192.168.2.25
PROXY_PORT=3128
LAN_IP=$(nvram get lan_ipaddr)
LAN_NET=$LAN_IP/$(nvram get lan_netmask)

# LAN-to-LAN web traffic bypasses the proxy
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# all other port-80 traffic, except the proxy's own, is DNATed to the proxy
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT

# rewrite the source to the router's LAN address so replies return via the router
# (the proxy therefore sees the router, not the client, as the connecting host)
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
======================

This takes every packet that hits the router on :80, and sends it to my
Squid server on .25, which mangles it and sends it back to 192.168.1.1
(router), and onward back to client who requested it.

When I was using 2.6 (without large_file support), I was using this same
exact configuration, but http_port was set to 'accel', and I didn't need
_any_ NAT/routing rules on the squid side at all. It all "Just Worked(tm)".

Now I need to jump through hoops to do pf incantations of rdr/direct-to
(but direct-to and direct-reply aren't supported on FreeBSD's pf, only
OpenBSD's pf supports that syntax), and iptables PREROUTING and
POSTROUTING mojo (also fails).

Here's a list of some of the resources I've tried, with 100% failure in
every case. There are dozens more that I've lost in my browser history now.

* https://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw
* https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Interception_Caching_packet_redirection_for_OpenBSD_PF
* https://www.benzedrine.ch/transquid.html
* https://www.unix-experience.fr/2013/create-a-powerfull-proxy-cache-with-squid-and-openbsd-2/
* https://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
* https://adilmehmoodbutt.wordpress.com/2014/02/19/how-to-install-squid3-transparent-proxy-server/
* https://veesp.com/en/blog/how-to-setup-squid-on-ubuntu
* https://ubuntuforums.org/showthread.php?t=2210987
* http://ubuntuserverguide.com/2012/06/how-to-setup-squid3-as-transparent-proxy-on-ubuntu-server-12-04.html
* http://roberts.bplaced.net/index.php/linux-guides/centos-6-guides/proxy-server/squid-transparent-proxy-http-https

I also tried asking in #squid on Freenode (dead channel), and #FreeBSD
(helpful folks there, but they too, failed to get this working).

So I'm at an impasse. Is this just 100% decoupled from the current
codebase, and doesn't work at all? Or is this really meant to be some
lengthy archaeology to find the right, working solution for getting this
configured in Linux or BSD?

It seems like with the hundreds of posts from people out there failing
to do this correctly, that there's a great opportunity here to a.) make
it work again like it did in v2.6, and b.) document the _precise steps_
required to make it function as a transparent http proxy [eg: install
foo, create file with these exact contents, execute this exact command,
test with this use case, if error message 'bar', do the following ].

Can anyone give me a hand here? I, like so many dozens of others, am
about to just give up and move past this, because it just does not work
anymore.

Help! :D

(Thanks in advance for making it this far in my plea)

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
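What an intercepting proxy has to do with a connection that was redirected to it, as an added example that is not part of the original post and is not Squid's code: recover the original destination from the local NAT table and rebuild an absolute URL from it. On Linux that is the SO_ORIGINAL_DST socket option, which only yields something useful when the REDIRECT/DNAT was performed on the same host the proxy runs on. When a separate router did the DNAT, as in the script above, the proxy host's conntrack table knows the flow only as a plain connection to the proxy's own address, so a request line such as `GET /` cannot be turned into a URL, and a TAG_NONE/400 record with a bare path is what gets logged. Note also that the router script redirects to port 3128, the plain forward-proxy port, rather than to the port carrying the `intercept` flag; a relative request target landing on a forward-proxy port is rejected the same way. The sockaddr buffer, the request lines and the 203.0.113.10 address are constructed for the example, and build_url is a simplified model: Squid additionally verifies the Host header against the NAT destination through DNS, which is not modelled here.

```python
import socket
import struct
from typing import Optional, Tuple

# Linux socket option from <linux/netfilter_ipv4.h>; Python's socket module does not export it.
SO_ORIGINAL_DST = 80
SOL_IP = getattr(socket, "SOL_IP", 0)  # IPPROTO_IP; getattr keeps the module importable off Linux


def parse_sockaddr_in(buf: bytes) -> Tuple[str, int]:
    """Decode the struct sockaddr_in the kernel hands back: family in host byte order,
    port in network byte order, then the IPv4 address."""
    if len(buf) < 8:
        raise ValueError("sockaddr_in too short")
    family = struct.unpack_from("=H", buf, 0)[0]
    if family != socket.AF_INET:
        raise ValueError(f"not AF_INET: {family}")
    port = struct.unpack_from("!H", buf, 2)[0]
    return socket.inet_ntoa(buf[4:8]), port


def original_destination(conn: socket.socket) -> Optional[Tuple[str, int]]:
    """Ask this host's conntrack table where an accepted connection was going before
    REDIRECT/DNAT rewrote it. Returns None if there is no conntrack entry at all; for a
    flow that was NOT NATed on this host it returns the proxy's own address, which is
    just as useless and is why build_url() compares against listen_addr."""
    try:
        return parse_sockaddr_in(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))
    except (OSError, ValueError):
        return None


def build_url(request_line: str, host_header: Optional[str],
              orig_dst: Optional[Tuple[str, int]],
              listen_addr: Optional[Tuple[str, int]] = None) -> Tuple[int, str]:
    """Simplified model of how an intercept port turns a request into a URL.
    Returns (status, url_or_reason)."""
    _method, target, _version = request_line.split(" ", 2)
    if target.startswith("http://"):
        # absolute-form target: a real proxy client, nothing to recover
        return 200, target
    if orig_dst is None or orig_dst == listen_addr:
        # origin-form target with no recoverable destination: indistinguishable from a
        # broken forward-proxy client, so reject and log the bare path (the
        # TAG_NONE/400 "GET /" record quoted above)
        return 400, "invalid URL: relative target and no original destination for this flow"
    ip, port = orig_dst
    host = host_header or ip  # HTTP/1.0 clients may omit Host
    if ":" in host:
        # Host-forgery guard (simplified): an explicit port must agree with the NAT destination
        if int(host.rsplit(":", 1)[1]) != port:
            return 409, "Host header port disagrees with NAT destination"
    elif port != 80:
        host = f"{host}:{port}"
    return 200, f"http://{host}{target}"


# Constructed sockaddr_in for a flow that was REDIRECTed on this host while heading for
# 203.0.113.10:80 (documentation address; not a real lookup result).
SAMPLE_SOCKADDR = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 80)
                   + socket.inet_aton("203.0.113.10") + bytes(8))

if __name__ == "__main__":
    dst = parse_sockaddr_in(SAMPLE_SOCKADDR)
    print("NAT on this host:       ", build_url("GET / HTTP/1.1", "www.java.com", dst))
    print("NAT done on the router: ", build_url("GET / HTTP/1.1", "www.java.com",
                                                 ("192.168.1.25", 3128), ("192.168.1.25", 3128)))
    print("No conntrack entry:     ", build_url("GET / HTTP/1.1", "www.java.com", None))
```

Run it as a script to see the three outcomes side by side. To use original_destination for real, call it on the socket returned by accept() on a host where `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3129` is in place and the proxy listens on 3129 with the `intercept` flag; that same-host arrangement is what Squid's intercept port expects, and policy routing (not DNAT) is the way to hand traffic from a separate router to such a host.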
Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

setuid
On 02/07/2018 04:11 PM, setuid wrote:
> That router has a firewall script on it that says:
> ======================
> #!/bin/sh
> PROXY_IP=192.168.2.25

Yes, this is a typo here in email but is correct in the router's
firewall script.

This should be either 192.168.2.20 or 192.168.1.25; both are Squid
caches inside my LAN on Ubuntu and BSD respectively.

Here's an example of my ipfw rules, for comparison:

======================
$cmd 00700 deny ip from any to any dst-port 3128 via em0
$cmd 00800 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any dst-port 80 via em0
$cmd 00810 fwd 127.0.0.1,3128 ip from any to any dst-port 21 src-ip 192.168.1.0/24
$cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.1 src-ip 192.168.1.0/24
======================

Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Yuri Voinov
In reply to this post by setuid
One stupid idiotic question.

Did you build your squid with transparent NAT support?

This is a mandatory prerequisite for transparent squid.

I haven't seen your configuration options for squid. Not squid.conf. Just
./configure options.


08.02.2018 03:11, setuid wrote:
--
*****************************
* C++20 : Bug to the future *
*****************************
Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Rafael Akchurin
In reply to this post by setuid
Hello setuid,

If you do not mind looking at other tutorials - these are what we have in the test lab.

https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html
https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html

First one for Squid running on the gateway and the second one for separate Squid that intercepts  traffic re-routed from the router using Policy-Based-Routing.
The tutorials are working, I test it with every release of our ICAP web filter.

Best regards,
Rafael Akchurin
Diladele B.V.



-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of setuid
Sent: Wednesday, February 7, 2018 10:11 PM
To: [hidden email]
Subject: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

setuid
On 02/07/2018 04:38 PM, Rafael Akchurin wrote:
> If you do not mind looking at other tutorials - these are what we have
in the test lab.

> https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html
> https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html

Thanks for the quick reply. Do you have a version of these that is
BSD-specific?

I'm ultimately going to run Squid exclusively on BSD, although was using
Linux as a means to validate that the functionality to do transparent
proxying was broken (confirmed on both OSes).

I'll give these a go tonight on Ubuntu and see where I get.

I do see the Apache/Web Safety hooks as "interesting", but they should
be decoupled as they're not required to get this working (and are likely
prohibited in many-to-most enterprises who would deploy a proxy in this
fashion).


Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Rafael Akchurin
No unfortunately nothing like this is in our lab for FreeBSD - but default Squid package in pfSense runs transparently without issues I have heard (or with other issues than you have).

Best regards,
Rafael Akchurin
Diladele B.V.

-----Original Message-----
From: setuid [mailto:[hidden email]]
Sent: Wednesday, February 7, 2018 10:45 PM
To: Rafael Akchurin <[hidden email]>; [hidden email]
Subject: Re: [squid-users] Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

setuid
In reply to this post by Rafael Akchurin
On 02/07/2018 04:38 PM, Rafael Akchurin wrote:
> If you do not mind looking at other tutorials - these are what we have in the test lab.

> https://docs.diladele.com/tutorials/transparent_proxy_ubuntu/index.html

I can confirm that the instructions in this tutorial results in the same
exact failure scenario as all previous attempts and tests (once I
removed the unnecessary Apache/Web Safety bits).

Firewall rules are:

-A INPUT -i eth0 -p tcp -m tcp --dport 3126 -c 0 0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -c 0 0 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -c 0 0 -j ACCEPT

Squid config is generic, with the exception of:

http_port 3126 intercept

There is a single interface on the host, which resides on the LAN _and_
is Internet-facing (eth0).

The result is that I get the same as before:

==> /var/log/squid3/access.log <==
1518042565.613      0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/-
text/html

If I point the client (curl, browser, perl + LWP) at the proxy directly
on 3128, it works as expected.

I am firmly convinced that _transparent_ proxying with squid is 100%
non-functional. The proxy works fine, but transparent proxying is
demonstrably broken in anything later than 3.x.

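A way to triage access.log for the two signatures this thread keeps hitting, as an added example that is not part of the original post and is not a Squid tool: a record whose URL is a bare path with HIER_NONE and status 400 means the proxy never recovered a destination for the request (no usable NAT entry on the Squid host, or the request landed on a plain forward-proxy port), whereas an absolute URL with HIER_DIRECT means the proxy knew where the request was going. The sample records are the three log lines quoted in this thread plus one constructed line showing a working intercept; 192.168.1.1 is assumed, from the topology described above, to be the address the router's SNAT rule rewrites clients to, so every hit from it is flagged as evidence that the redirection happened upstream of the proxy.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Fields shared by Squid's default "squid" logformat and the custom format in this thread:
# ... <elapsed ms> <client> <TAG>/<status> <bytes> <METHOD> <url> <user> <HIER>/<peer> ...
ACCESS_RE = re.compile(
    r"\s(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)"
)


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields above as a dict, or None if the line is not an access.log record."""
    m = ACCESS_RE.search(line)
    return m.groupdict() if m else None


def triage(line: str, upstream_nat_ip: Optional[str] = None) -> Optional[List[str]]:
    """Classify one record. upstream_nat_ip is the address a router's SNAT rule rewrites
    clients to (assumed to be 192.168.1.1 for the setup in this thread)."""
    rec = parse_access_line(line)
    if rec is None:
        return None
    findings: List[str] = []
    relative_target = not rec["url"].startswith(("http://", "https://", "ftp://"))
    if relative_target and rec["hier"] == "HIER_NONE" and rec["status"] == "400":
        # the proxy never learned where the request was going: the NAT lookup on this
        # host found nothing, or the request landed on a plain forward-proxy port
        findings.append("destination-not-recovered")
    elif rec["hier"] == "HIER_DIRECT":
        findings.append("forwarded-direct")
    if upstream_nat_ip and rec["client"] == upstream_nat_ip:
        # the router, not the browser, is the logged client: redirection happened upstream
        # and the real client address is gone for ACLs and logging
        findings.append("client-is-router")
    return findings


def summarize(lines: List[str], upstream_nat_ip: Optional[str] = None) -> Dict[str, int]:
    """Count findings over a whole log; lines that do not parse are skipped."""
    counts: Counter = Counter()
    for line in lines:
        for finding in triage(line, upstream_nat_ip) or []:
            counts[finding] += 1
    return dict(counts)


SAMPLE_LOG = [
    # quoted in this thread: intercepted request, custom logformat
    '07/Feb/2018:15:10:59 -0500.213      0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/- text/html ("-" "-")',
    # quoted in this thread: the same client pointed at the proxy explicitly
    '07/Feb/2018:15:12:56 -0500.875     82 192.168.1.1 TCP_MISS/302 333 HEAD http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0")',
    # quoted in this thread: default logformat, same failure
    "1518042565.613      0 192.168.1.1 TAG_NONE/400 3583 GET / - HIER_NONE/- text/html",
    # constructed: what a working intercept looks like, real client address preserved
    "1518042600.101    120 10.0.1.42 TCP_MISS/200 5120 GET http://www.java.com/ - HIER_DIRECT/www.java.com text/html",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(triage(line, "192.168.1.1"), "<-", line[:70])
    print(summarize(SAMPLE_LOG, "192.168.1.1"))
```

Feed it the real file with `summarize(open("/var/log/squid/access.log").read().splitlines(), "192.168.1.1")`. A non-zero destination-not-recovered count alongside client-is-router on every record is the combination described in this thread: the DNAT and SNAT are being done on the router, so the Squid host has nothing in its own NAT table to look up.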
Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Rafael Akchurin
That's strange.
How is your network configured? Your rules indicate you have 2 NICs but you later say you have one..

Best regards,
Rafael Akchurin

> On 7 Feb 2018 at 23:31, setuid <[hidden email]> wrote:
Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

setuid
In reply to this post by Yuri Voinov
On 2/7/18 4:31 PM, Yuri wrote:
> I'm not seen your configuration options for squid. Not squid.conf. Just
> ./configure options.

Here's what I'm building with (from 'make config' in ports tree)

'--bindir=/usr/local/sbin'
'--build=amd64-portbld-freebsd11.1'
'--datadir=/usr/local/etc/squid'
'--disable-arch-native'
'--disable-ecap'
'--disable-epoll'
'--disable-esi'
'--disable-ipf-transparent'
'--disable-ipv6'
'--disable-linux-netfilter'
'--disable-linux-tproxy'
'--disable-pf-transparent'
'--disable-silent-rules'
'--disable-snmp'
'--disable-ssl'
'--disable-ssl-crtd'
'--disable-stacktraces'
'--disable-translation'
'--enable-auth'
'--enable-auth-basic=DB
'--enable-auth-digest=file'
'--enable-auth-negotiate=none'
'--enable-auth-ntlm=fake
'--enable-build-info'
'--enable-cache-digests'
'--enable-delay-pools'
'--enable-disk-io=DiskThreads
'--enable-eui'
'--enable-external-acl-helpers=file_userip
'--enable-follow-x-forwarded-for'
'--enable-forw-via-db'
'--enable-htcp'
'--enable-http-violations'
'--enable-icap-client'
'--enable-icmp'
'--enable-ident-lookups'
'--enable-ipfw-transparent'
'--enable-kqueue'
'--enable-loadable-modules'
'--enable-log-daemon-helpers=file'
'--enable-removal-policies=lru
'--enable-security-cert-validators=fake'
'--enable-storeid-rewrite-helpers=file'
'--enable-storeio=aufs
'--enable-url-rewrite-helpers=fake'
'--enable-wccp'
'--enable-wccpv2'
'--enable-zph-qos'
'--infodir=/usr/local/info/'
'--libexecdir=/usr/local/libexec/squid'
'--localstatedir=/var'
'--mandir=/usr/local/man'
'--prefix=/usr/local'
'--sbindir=/usr/local/sbin'
'--sysconfdir=/usr/local/etc/squid'
'--with-default-user=squid'
'--with-large-files'
'--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid/squid.pid'
'--with-swapdir=/var/squid/cache'
'--without-gnutls'
'--without-gss'
'--without-heimdal-krb5'
'--without-mit-krb5'
'--without-nat-devpf'
'--without-nettle'
Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

setuid
In reply to this post by Rafael Akchurin
On 2/7/18 5:37 PM, Rafael Akchurin wrote:
> How is your network configured? Your rules indicate you have 2 nics but you later say you have one..

Originally, I started with 1 NIC (it's a VM), and added 2 more, because
I read that pf/ipfw can't rewrite ingress packets on the same interface
it used for egress, but I haven't tried creating a bridge and routes to
attempt to make that work yet.

The Ubuntu machine has 2 NICs; primary NIC is WAN facing (internet
routable IP bound to eth0) and the secondary NIC sits on the "backup"
network (LAN-side) on 192.168.2.x.

Let's break it down:

[WAN router]
  |-- LAN: 192.168.1.1 (wired LAN)
  `-- WWAN: 10.0.1.1 (wireless clients)

BSD VM: 192.168.1.25

Ubuntu VM:
  |-- INET: 32.215.x.x
  `-- LAN: 192.168.2.x

The WAN router is what sends traffic sent over it on :80, over to .1.25
(BSD) to cache.

Previously, I had it pointed to Squid 2.6 sitting on my NAS
(192.168.1.20) and that would work perfectly as a transparent proxy.

When I pointed the WAN router to .25 instead of .20, and upgraded the
version of Squid by using BSD's version from ports on .25, this process
all fell apart.

So... is having 3 NICs (1 NIC + 2 bridged together as bridge0) *now* a
requirement to get transparent proxying working with anything using
Squid 3.x or later?

Can this be done with a single NIC sitting on an Internet-facing LAN
segment?

If so, how?
Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Yuri Voinov
In reply to this post by setuid
If you configured squid with

'--enable-ipfw-transparent'

you should use the manual for ipfw configuration.

Did you use the ipfw NAT configuration on the same box as squid?

08.02.2018 05:14, setuid wrote:

> On 2/7/18 4:31 PM, Yuri wrote:
>> I'm not seen your configuration options for squid. Not squid.conf. Just
>> ./configure options.
> Here's what I'm building with (from 'make config' in ports tree)
>
> '--bindir=/usr/local/sbin'
> '--build=amd64-portbld-freebsd11.1'
> '--datadir=/usr/local/etc/squid'
> '--disable-arch-native'
> '--disable-ecap'
> '--disable-epoll'
> '--disable-esi'
> '--disable-ipf-transparent'
> '--disable-ipv6'
> '--disable-linux-netfilter'
> '--disable-linux-tproxy'
> '--disable-pf-transparent'
> '--disable-silent-rules'
> '--disable-snmp'
> '--disable-ssl'
> '--disable-ssl-crtd'
> '--disable-stacktraces'
> '--disable-translation'
> '--enable-auth'
> '--enable-auth-basic=DB
> '--enable-auth-digest=file'
> '--enable-auth-negotiate=none'
> '--enable-auth-ntlm=fake
> '--enable-build-info'
> '--enable-cache-digests'
> '--enable-delay-pools'
> '--enable-disk-io=DiskThreads
> '--enable-eui'
> '--enable-external-acl-helpers=file_userip
> '--enable-follow-x-forwarded-for'
> '--enable-forw-via-db'
> '--enable-htcp'
> '--enable-http-violations'
> '--enable-icap-client'
> '--enable-icmp'
> '--enable-ident-lookups'
> '--enable-ipfw-transparent'
> '--enable-kqueue'
> '--enable-loadable-modules'
> '--enable-log-daemon-helpers=file'
> '--enable-removal-policies=lru
> '--enable-security-cert-validators=fake'
> '--enable-storeid-rewrite-helpers=file'
> '--enable-storeio=aufs
> '--enable-url-rewrite-helpers=fake'
> '--enable-wccp'
> '--enable-wccpv2'
> '--enable-zph-qos'
> '--infodir=/usr/local/info/'
> '--libexecdir=/usr/local/libexec/squid'
> '--localstatedir=/var'
> '--mandir=/usr/local/man'
> '--prefix=/usr/local'
> '--sbindir=/usr/local/sbin'
> '--sysconfdir=/usr/local/etc/squid'
> '--with-default-user=squid'
> '--with-large-files'
> '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid/squid.pid'
> '--with-swapdir=/var/squid/cache'
> '--without-gnutls'
> '--without-gss'
> '--without-heimdal-krb5'
> '--without-mit-krb5'
> '--without-nat-devpf'
> '--without-nettle'
--
*****************************
* C++20 : Bug to the future *
*****************************



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Yuri Voinov
In reply to this post by setuid
Squid is relatively difficult to run in transparent mode on virtual
platforms due to NAT limitations on virtual platforms (this is not
squid's issue, this is an issue of virtual platforms).

I've been using squid only in transparent mode (only in transparent mode)
for several years on Solaris (bare metal) without any issues in HTTP/HTTPS
interception. With IPFilter. With 1-2-6-8 interfaces with different LAN
topologies. Starting from Squid 2.7, then 3.4, 3.5, 4.x and now 5.x. All
without serious problems.

But on bare-metal.

08.02.2018 05:25, setuid wrote:

> On 2/7/18 5:37 PM, Rafael Akchurin wrote:
>> How is your network configured? Your rules indicate you have 2 nics but you later say you have one..
> Originally, I started with 1 NIC (it's a VM), and added 2 more, because
> I read that pf/ipfw can't rewrite ingress packets on the same interface
> it used for egress, but I haven't tried creating a bridge and routes to
> attempt to make that work yet.
>
> The Ubuntu machine has 2 NICs; primary NIC is WAN facing (internet
> routable IP bound to eth0) and the secondary NIC sits on the "backup"
> network (LAN-side) on 192.168.2.x.
>
> Let's break it down:
>
> [WAN router]
>   |-- LAN: 192.168.1.1 (wired LAN)
>   `-- WWAN: 10.0.1.1 (wireless clients)
>
> BSD VM: 192.168.1.25
>
> Ubuntu VM:
>   |-- INET: 32.215.x.x
>   `-- LAN: 192.168.2.x
>
> The WAN router is what sends traffic sent over it on :80, over to .1.25
> (BSD) to cache.
>
> Previously, I had it pointed to Squid 2.6 sitting on my NAS
> (192.168.1.20) and that would work perfectly as a transparent proxy.
>
> When I pointed the WAN router to .25 instead of .20, and upgraded the
> version of Squid by using BSD's version from ports on .25, this process
> all fell apart.
>
> So... is having 3 NICs (1 NIC + 2 bridged together as bridge0) *now* a
> requirement to get transparent proxying working with anything using
> Squid 3.x or later?
>
> Can this be done with a single NIC sitting on an Internet-facing LAN
> segment?
>
> If so, how?

Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

setuid
In reply to this post by Yuri Voinov
On 2/7/18 6:36 PM, Yuri wrote:
> Did you use ipfw NAT configuration on the same box with squid?

Yes, my ipfw configuration is:

$cmd 00700 deny ip from any to any dst-port 3128 via em0
$cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0
$cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25 src-ip 192.168.1.1
$cmd add 60000 permit ip from any to any

Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Yuri Voinov
Where does ipfw run? In the virtual machine, or on the hypervisor?


08.02.2018 05:44, setuid wrote:
> On 2/7/18 6:36 PM, Yuri wrote:
>> Did you use ipfw NAT configuration on the same box with squid?
> Yes, my ipfw configuration is:
>
> $cmd 00700 deny ip from any to any dst-port 3128 via em0
> $cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0
> $cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25 src-ip 192.168.1.1
> $cmd add 60000 permit ip from any to any


Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Amos Jeffries
Administrator
In reply to this post by setuid
On 08/02/18 12:44, setuid wrote:

> On 2/7/18 6:36 PM, Yuri wrote:
>> Did you use ipfw NAT configuration on the same box with squid?
>
> Yes, my ipfw configuration is:
>
> $cmd 00700 deny ip from any to any dst-port 3128 via em0
> $cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0
> $cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25 src-ip 192.168.1.1
> $cmd add 60000 permit ip from any to any


Earlier you wrote:


> My Squid configuration is 100% default, identical to the generic config,
> with the exception of the following lines:
>
> ======================
> http_port 3128
> http_port 3129 intercept
> tcp_outgoing_address 192.168.1.25
> debug_options ALL,9
> ======================


Your IPFW rules are sending intercepted traffic to port 3128.

HTTP traffic comes in multiple flavours/types. Squid-3+ enforces that the
port "mode" matches the type of traffic arriving, to maintain traffic
integrity in the face of security vulnerabilities relevant (or not) to
each traffic type.

This adds some natural limitations which were not previously visible in
Squid-2, which was broken but just not informing you of the problem(s).

These are:

* you MUST configure NAT on the same device / machine / VM that Squid is
running on. Squid requires access directly to the kernel NAT tables.

* you MUST only send traffic of a given type to the port with matching
"mode" flag.
 - explicit/forward proxy is implied when *no* more specific mode is
supplied,
 - NAT traffic requires "intercept" flag,
 - TPROXY traffic requires "tproxy" flag, and
 - interception of HTTPS traffic requires "ssl-bump" flag (which can be
combined with the others)



Also, were the build options displayed earlier the same ones you used
for testing *BSD and Linux systems?
 The Linux Netfilter and *BSD PF NAT systems will never work if you
disable them and permit *only* IPFW-transparent in the Squid build.



Amos

Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Amos Jeffries
Administrator
In reply to this post by setuid

On 08/02/18 10:11, setuid wrote:

> I'll start with the pointedly easy stuff: Squid > 2.6 (tested 3.4, 3.5,
> 4.0 on Ubuntu Xenial, Debian Jessie, FreeSBD 11.1 using iptables, pf,
> ipf, ipfilter) does not work at all, when configured as a transparent
> proxy. Full stop.
>
> I went through hundreds of posts on dozens of forums, blogs and other
> resources, tried dozens and dozens of configurations suggested by those
> posts, tried all 3 firewall options on BSD, tried two versions of Ubuntu
> and the various versions of Squid from the apt repos, as well as those
> in BSD's ports.
>
> All of them, 100%, fail in _exactly_ the same way, no matter what my
> configuration was set to. That result, is that _every single http
> request I make_ when Squid is configured as a transparent proxy, results
> in the following response being logged:
>
> ======================
> 07/Feb/2018:15:10:59 -0500.213      0 192.168.1.1 TAG_NONE/400 3583 GET
> / - HIER_NONE/- text/html ("-" "-")
> ======================
>
> When I point a client directly at the proxy, using a browser, curl or
> anything else, I see:
>
> ======================
> 07/Feb/2018:15:12:56 -0500.875     82 192.168.1.1 TCP_MISS/302 333 HEAD
> http://www.java.com/ - HIER_DIRECT/www.java.com - ("-" "curl/7.47.0")
> ======================
>
> These were the same exact request against the same exact Squid instance.

Let's start with the obvious then. HEAD is Not the same as GET. These are
*different* requests. Therefore something major is wrong with your
understanding of the situation.


> If I use Squid 3.5 on Ubuntu or 3.5 and 4.0 on BSD, the logged entry is
> _identical_ for every single http request I make, regardless of origin.
>
> My Squid configuration is 100% default, identical to the generic config,
> with the exception of the following lines:
>
> ======================
> http_port 3128
> http_port 3129 intercept
> tcp_outgoing_address 192.168.1.25
> debug_options ALL,9
> ======================
>
> I've tried all of the obvious links, blogs and resources I could Google
> up, and 100% of them fail to function as described. Most people I've
> seen on the forums who attempt to get this working, throw their hands up
> in defeat and end up configuring the proxy directly on every client that
> needs it.
>
> My current environment looks like this:
>
> [ wireless router: 10.0.1.1 on LAN side, 192.168.1.1 on WAN side ]
>
> That router has a firewall script on it that says:
>
> ======================
> #!/bin/sh
> PROXY_IP=192.168.2.25
> PROXY_PORT=3128
> LAN_IP=$(nvram get lan_ipaddr)
> LAN_NET=$LAN_IP/$(nvram get lan_netmask)
>
> iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp
> --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_IP -p tcp --dport 80 -j
> DNAT --to $PROXY_IP:$PROXY_PORT
>
> iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j
> SNAT --to $LAN_IP
> iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp
> --dport $PROXY_PORT -j ACCEPT
> ======================
>
> This takes every packet that hits the router on :80, and sends it to my
> Squid server on .25, which mangles it and sends it back to 192.168.1.1
> (router), and onward back to client who requested it.
>

No. This takes HTTP (port 80 syntax) and sends it to a remote proxy
expecting explicit-proxy syntax.


> When I was using 2.6 (without large_file support), I was using this same
> exact configuration, but http_port was set to 'accel', and I didn't need
> _any_ NAT/routing rules on the squid side at all. It all "Just Worked(tm)".


It also "Just Worked" for anyone attacking your network via
CVE-2009-0801 methods. And would provide them with an effective
invisibility cloak while doing so (original IP:ports destroyed by the NAT).
 Not exactly desirable behaviour.



>
> Now I need to jump through hoops to do pf incantations of rdr/direct-to
> (but direct-to and direct-reply aren't supported on FreeBSD's pf, only
> OpenBSD's pf supports that syntax), and iptables PREROUTING and
> POSTROUTING mojo (also fails).
>

You simply need to *route* traffic properly, the way the Internet was
designed to work, instead of abusing NAT.

When that is done properly the NAT happens *only* as the final step to
get the traffic into the Squid process by the machine/device/VM Squid is
running on.


> Here's a list of some of the resources I've tried, with 100% failure in
> every case. There are dozens more that I've lost in my browser history now.
>
> * https://wiki.squid-cache.org/ConfigExamples/Intercept/Ipfw
> *
> https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Interception_Caching_packet_redirection_for_OpenBSD_PF

Hmm. I see that page is outdated and missing quite a few things. Thanks
for bringing this to attention.

Amos
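As an added example, not code from this thread or from the Squid project: a small Python check of the port-mode constraint from the earlier reply (NAT-redirected traffic must land on an http_port carrying the "intercept" flag), run over the squid.conf, ipfw rule and router DNAT rule quoted in this thread. It understands only the ipfw "fwd" and iptables "DNAT --to" forms seen here, does not check on which host the NAT runs, and the "fixed" ipfw rule targeting 127.0.0.1,3129 is constructed for illustration rather than a tested rule.

```python
"""Port-mode consistency check for Squid interception rules.

Added example, not code from the thread or the Squid project. It parses only
the rule forms that appear in this thread (ipfw "fwd <port>" / "fwd <ip>,<port>"
and iptables "-j DNAT --to <ip>:<port>") and checks one of the constraints
listed in the thread: NAT-redirected traffic must land on an http_port carrying
the "intercept" flag. It does not check on which host the NAT runs."""
import re

MODES = ("intercept", "tproxy", "accel")

# ipfw: "fwd 3128 ..." or "fwd 127.0.0.1,3129 ..."; group 1 is the target port
FWD_RE = re.compile(r"\bfwd\s+(?:\d{1,3}(?:\.\d{1,3}){3},)?(\d+)(?=\s|$)")
# iptables: "-j DNAT --to 192.168.2.25:3128"; group 1 is the target port
DNAT_RE = re.compile(r"-j\s+DNAT\s+--to(?:-destination)?\s+\d{1,3}(?:\.\d{1,3}){3}:(\d+)")


def parse_http_ports(squid_conf):
    """Map each http_port number to the set of mode flags on that line."""
    ports = {}
    for line in squid_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "http_port":
            port = int(parts[1].rsplit(":", 1)[-1])  # "3129" or "127.0.0.1:3129"
            ports[port] = {p for p in parts[2:] if p in MODES}
    return ports


def redirect_targets(fw_rules):
    """Ports that the port-80 redirect rules deliver traffic to, in rule order."""
    targets = []
    for line in fw_rules.splitlines():
        m = FWD_RE.search(line) or DNAT_RE.search(line)
        if m:
            targets.append(int(m.group(1)))
    return targets


def check_redirects(squid_conf, fw_rules):
    """Return findings as strings; an empty list means every target is an intercept port."""
    ports = parse_http_ports(squid_conf)
    findings = []
    for port in redirect_targets(fw_rules):
        modes = ports.get(port)
        if modes is None:
            findings.append(f"port {port}: no http_port listens there")
        elif "intercept" not in modes:
            mode = ", ".join(sorted(modes)) or "none (explicit/forward proxy)"
            findings.append(f"port {port}: NAT traffic sent to a port whose mode is {mode}, not intercept")
    return findings


# Constructed samples, taken from the squid.conf and firewall rules quoted in this
# thread (shell variables replaced with the literal values the poster gave).
SQUID_CONF = "http_port 3128\nhttp_port 3129 intercept\ntcp_outgoing_address 192.168.1.25\n"
IPFW_AS_POSTED = "00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0"
IPFW_FIXED = "00800 fwd 127.0.0.1,3129 tcp from any to any dst-port 80 in via em0"  # constructed
DNAT_AS_POSTED = ("iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 "
                  "-j DNAT --to 192.168.2.25:3128")

if __name__ == "__main__":
    for name, rules in (("ipfw as posted", IPFW_AS_POSTED), ("ipfw fixed", IPFW_FIXED),
                        ("router DNAT as posted", DNAT_AS_POSTED)):
        print(name, "->", check_redirects(SQUID_CONF, rules) or ["ok"])
```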

Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Eliezer Croitoru
Is this issue still unresolved?
After reading the whole thread and getting back to the first post I really don't understand the issue.
OK so google search "foo" didn't help to understand how to install and configure Squid-Cache right?
You got to the right place!

Now if you don't plan to run Squid-Cache on-top of a Linux system, on what OS specifically do you want to run Squid-Cache on-top?
Also what type of hypervisor are you using for your VM?(XEN, VMWARE, KVM, other)
If you want to use a BSD flavored OS you should stick with the OS recommended firewall.
For OpenBSD it's PF.
For FreeBSD it's either PF or IPFW, but there was something regarding PF and IPFW and multiple CPUs in the past and I'm not sure what the state of it is currently.
The last time I tested (a year ago) PF was working fine on FreeBSD 10+11 but had some issue with virtio NICs, which Debian had a similar issue with.
If you are using a BSD OS and not planning to set it up for above a 1Gbit link then just use an Intel E1000 NIC to make things just work as expected.

If there is a need for a test I have a lab ready to test the issue with:
Linux\Windows\BSD clients
Linux\BSD router with Squid on top of it.

When I receive more details I might be able to clear some doubts.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]




Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

setuid
On 02/22/2018 12:29 PM, Eliezer Croitoru wrote:
> Is this issue still unresolved?
> After reading the whole thread and getting back to the first post I
> really don't understand the issue.

No, unresolved. At this point, I'm firmly convinced that Squid 3.x and
later _does not_ work as a fully transparent proxy on either FreeBSD or
Linux, full stop.

Any version of Squid earlier than 3.x works flawlessly in this regard
with a similar configuration.


Re: Squid 3.x or 4.x acting as a transparent http proxy (NOT https)

Eliezer Croitoru
What is a "fully transparent proxy"? tproxy or intercept mode?
Can you give me more details on your setup? (It works here locally...)

Eliezer



