Squid Transparent/intercept Issues

Squid Transparent/intercept Issues

christian brendan
Hello Everyone,

Squid Cache: Version 3.5.20
OS: CentOS 7

I have used squid for quite some time non-transparently and it works; the
problem kicks in when http_port 3128 transparent is enabled.
An Access Denied error page shows up when transparent is enabled.

ERROR

The requested URL could not be retrieved


The following error was encountered while trying to retrieve the URL: http://www.bing.com

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is [hidden email].



Some forums say

transparent was deprecated and replaced with "intercept"

while others say otherwise.
Most confusing is that when http_port is set to transparent or intercept it gives the same result.
The only thing that seems to work is: http_port 3128 accel vhost allow-direct
but I'm not comfortable with this because I do not think it was meant for transparent operation; besides, it blocks HTTPS sites on the squid host system.

Please, I need advice on transparent mode best practices.

Is it http_port 3128 transparent or intercept or accel vhost allow-direct

which one is supported by the current version of squid 3.5.20 ?
Best Regards
Thanks

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Squid Transparent/intercept Issues

Yuri Voinov

Did you try our wiki:

http://wiki.squid-cache.org/ConfigExamples/Intercept

?

On 20.03.2017 21:26, christian brendan wrote:
--
Bugs to the Future

Re: Squid Transparent/intercept Issues

Antony Stone
On Monday 20 March 2017 at 16:26:40, christian brendan wrote:

> Hello Everyone,
>
> Squid Cache: Version 3.5.20
> OS: CentOS 7
>
> I have used squid for quite some times non transparently and it works,
> problem kicks in when: http_port 3128 transparent is enabled.
> Access denied error page shows up when transparent is enabled
> ERRORThe requested URL could not be retrieved

How are you getting the packets to the Squid server for interception?

Is the Squid server in the default route between your clients and the
Internet, or are you redirecting the packets to the Squid server somehow?

Please give *details* of how you are intercepting and sending the packets to
Squid (eg: iptables rules, and which machine/s the rules are running on).


Antony.

--
Anything that improbable is effectively impossible.

 - Murray Gell-Mann, Nobel Prizewinner in Physics

                                                   Please reply to the list;
                                                         please *don't* CC me.
Re: Squid Transparent/intercept Issues

christian brendan

On Tue, Mar 21, 2017 at 8:05 AM, <[hidden email]> wrote:
Message: 2
Date: Mon, 20 Mar 2017 17:15:16 +0100
From: Matus UHLAR - fantomas <[hidden email]>
To: [hidden email]
Subject: Re: [squid-users] SMP and AUFS
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=us-ascii; format=flowed

On 19.03.17 11:08, Alex Rousskov wrote:
>On 03/18/2017 11:11 PM, senor wrote:
>
>> There are many references in the squid wiki, FAQ and Knowlegebase about
>> SMP but I don't see any of them reflecting the concerns you have brought
>> up.
>
>There is a paragraph about these problems at [1] (search for "ufs") but
>I agree that better documentation, including wiki and
>squid.conf.documented changes/additions would be nice.
>
>  [1] http://wiki.squid-cache.org/Features/SmpScale
>
>
>> My point in mentioning that there are a lot of installations using
>> SMP and AUFS is that something widely used but buggy tends to be brought
>> up on this email list and I haven't seen it.
>
>IIRC, it has been brought up several times on the mailing lists and in
>Bugzilla. Once you dedicate each ufs-based store to each individual
>worker, most of the problems become subtle, often "invisible" to an
>admin because they "break" transactions, not Squid, especially if you do
>not use a mixture of ufs-based and rock stores. Using mailing list as an
>indicator that as subtle problem does _not_ exist is a risky strategy IMO.

Well, I personally will still be curious how much does SMP affect the case of
one worker and one or more diskers...

do diskers only provide I/O to the requestor?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm.


------------------------------

Message: 3
Date: Mon, 20 Mar 2017 12:19:58 -0600
From: Alex Rousskov <[hidden email]>
To: [hidden email]
Subject: Re: [squid-users] SMP and AUFS
Message-ID:
        <[hidden email]>
Content-Type: text/plain; charset=utf-8

On 03/20/2017 10:15 AM, Matus UHLAR - fantomas wrote:

> Well, I personally will still be curious how much does SMP affect the
> case of one worker and one or more diskers...

I do not understand why you are asking this question in AUFS context.
AUFS does not use diskers! Today, only Rock store uses diskers (in SMP
mode). Some other [ufs-based] cache stores use various helper threads
and processes for I/O as well, but those helper processes are not
diskers or even kids in SMP terminology.


> do diskers only provide I/O to the requestor?

Diskers primary function is low-level disk cache I/O. Like all kids,
diskers respond to cache manager requests and Squid management events
(e.g. shutdown and reconfiguration). IIRC, diskers also build in-RAM
cache_dir index.

    http://wiki.squid-cache.org/Features/SmpScale#Terminology

HTH,

Alex.



------------------------------

Message: 4
Date: Mon, 20 Mar 2017 12:32:44 -0600
From: Alex Rousskov <[hidden email]>
To: [hidden email]
Subject: Re: [squid-users] squid workers question
Message-ID:
        <[hidden email]>
Content-Type: text/plain; charset=utf-8

On 03/20/2017 09:20 AM, Matus UHLAR - fantomas wrote:
> On 10.03.17 08:52, Alex Rousskov wrote:
>> Sorry, but that 2010 documentation is outdated. It was written before
>> Rock store, a 2011 feature that changed what "SMP mode" means. This is
>> my fault. Here is a replacement draft that I was working on until wiki
>> went down:
>>
>>> NAME: workers
>>> DEFAULT: 1
>>>     Number of main Squid processes or "workers" to fork and maintain.
>>>
>>>     In a typical setup, each worker listens on all http_port(s) and
>>>     proxies requests without talking to other workers. Depending on
>>>     configuration, other Squid processes (e.g., rock store "diskers")
>>>     may also participate in request processing. All such Squid processes
>>>     are collectively called "kids".
>>>
>>>     Setting workers to 0 disables kids creation and is similar to
>>>     running "squid -N ...". A positive value starts that many workers.

> The default of 1 (only) creates kids for each rock store configured.

What makes you think that? I believe "workers 1" in the presence of rock
cache_dirs should create one kid to handle HTTP transaction _plus_ one
kid for each rock cache_dir.


>>>     When multiple concurrent kids are in use, Squid is said to work in
>>>     "SMP mode". Some Squid features (e.g., ufs-based cache_dirs) are not
>>>     SMP-aware and should not or cannot be used in SMP mode.
>>>
>>>     See http://wiki.squid-cache.org/Features/SmpScale for details.

> very nice, thanks. However this is not meant for the wiki, but for:
> http://www.squid-cache.org/Doc/config/workers/

To be more precise, the text is meant for src/cf.data.pre, from which
squid.conf.documented (and Doc/Config pages) are generated from. Not
sure why you say "However" though.


> maybe that pages could be updated (all but 3.2 versions are the same).

Once the above worker documentation changes are polished and committed
to the Squid repository, the affected generated pages/files will be
updated automatically.

The documentation for earlier versions may never be updated though -- it
depends on whether the changes are going to be ported and committed to
the code branches corresponding to those earlier versions.


>> The final version will probably move and extend the terminology-related
>> text to the SMP section preamble -- it is kind of wrong to talk about
>> diskers when documenting workers. Improvements and constructive
>> suggestions welcomed!
>
> compared to current version I'd change it to:
>
>     1: start one main Squid process daemon (default)
>            "no SMP" when rock store is not used
>            "SMP" when rock store in use

I agree that we should add something like this as a common-case example
of general rules. Thank you.

Alex.



------------------------------

Message: 5
Date: Mon, 20 Mar 2017 20:49:06 +0100
From: Matus UHLAR - fantomas <[hidden email]>
To: [hidden email]
Subject: Re: [squid-users] squid workers question
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=us-ascii; format=flowed

>> On 10.03.17 08:52, Alex Rousskov wrote:
>>> Sorry, but that 2010 documentation is outdated. It was written before
>>> Rock store, a 2011 feature that changed what "SMP mode" means. This is
>>> my fault. Here is a replacement draft that I was working on until wiki
>>> went down:
>>>
>>>> NAME: workers
>>>> DEFAULT: 1
>>>>     Number of main Squid processes or "workers" to fork and maintain.
>>>>
>>>>     In a typical setup, each worker listens on all http_port(s) and
>>>>     proxies requests without talking to other workers. Depending on
>>>>     configuration, other Squid processes (e.g., rock store "diskers")
>>>>     may also participate in request processing. All such Squid processes
>>>>     are collectively called "kids".
>>>>
>>>>     Setting workers to 0 disables kids creation and is similar to
>>>>     running "squid -N ...". A positive value starts that many workers.

>On 03/20/2017 09:20 AM, Matus UHLAR - fantomas wrote:
>> The default of 1 (only) creates kids for each rock store configured.

On 20.03.17 12:32, Alex Rousskov wrote:
>What makes you think that? I believe "workers 1" in the presence of rock
>cache_dirs should create one kid to handle HTTP transaction _plus_ one
>kid for each rock cache_dir.

That's exactly what I meant, for inclusion to your paragraph.
Should I replace "kids" with "one extra kid"?
and should I replace (only) by "however"?

>>>>     When multiple concurrent kids are in use, Squid is said to work in
>>>>     "SMP mode". Some Squid features (e.g., ufs-based cache_dirs) are not
>>>>     SMP-aware and should not or cannot be used in SMP mode.
>>>>
>>>>     See http://wiki.squid-cache.org/Features/SmpScale for details.
>
>> very nice, thanks. However this is not meant for the wiki, but for:
>> http://www.squid-cache.org/Doc/config/workers/
>
>To be more precise, the text is meant for src/cf.data.pre, from which
>squid.conf.documented (and Doc/Config pages) are generated from. Not
>sure why you say "However" though.

You mentioned you were working on the draft until wiki went down.
I understood the paragraph as replacement for "workers" documentation, not
as something to be written to wiki...

>> maybe that pages could be updated (all but 3.2 versions are the same).
>
>Once the above worker documentation changes are polished and committed
>to the Squid repository, the affected generated pages/files will be
>updated automatically.
>
>The documentation for earlier versions may never be updated though -- it
>depends on whether the changes are going to be ported and committed to
>the code branches corresponding to those earlier versions.

it's up to the release team.
I would recommend update the docs on the web to avoid issues for people
using older squid versions, e.g. in enterprise environment

>>> The final version will probably move and extend the terminology-related
>>> text to the SMP section preamble -- it is kind of wrong to talk about
>>> diskers when documenting workers. Improvements and constructive
>>> suggestions welcomed!
>>
>> compared to current version I'd change it to:
>>
>>     1: start one main Squid process daemon (default)
>>            "no SMP" when rock store is not used
>>            "SMP" when rock store in use
>
>I agree that we should add something like this as a common-case example
>of general rules. Thank you.

if we replace the current paragraph with your proposed one, I have proposed
change at the top

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.


------------------------------

Message: 6
Date: Mon, 20 Mar 2017 14:08:48 -0600
From: Alex Rousskov <[hidden email]>
To: [hidden email]
Subject: Re: [squid-users] SSL Bump issues
Message-ID:
        <[hidden email]>
Content-Type: text/plain; charset=utf-8

On 03/19/2017 07:58 PM, mr_jrt wrote:

> ...but the only way I've got any successful SSL proxying is with:
>
>
> ...but as expected, that's clearly not doing any bumping from the logs:
>
>
>
> When I put anything more in, i.e.
>
>
> Then it turns on the mode:
>
>
> ...but then I just get errors about no ciphers:
>

Please note that your configuration and other details in the post did
not get through to the mailing list (probably due to some fancy quoting
provided by Nabble that does not get through to the actual squid-users
mailing list).

Alex.



------------------------------

Message: 7
Date: Tue, 21 Mar 2017 12:35:25 +0530
From: Sohan Wijetunga <[hidden email]>
To: [hidden email]
Subject: [squid-users] blocking or allowing specific youtube videos
Message-ID:
        <[hidden email]>
Content-Type: text/plain; charset="utf-8"

The project subject is blocking or allowing specific YouTube videos. For that
research I hope to add more features, but currently I'm stuck on taking full
URLs from clients. According to my project, the environment should be a
client-server environment. All the clients' YouTube traffic should be managed
through the gateway. I am currently following Squid helper programs; they seem
to fulfil my requirement, but those examples are not enough for testing.
Using a Squid helper program is to do some development in my future research.
I really need to do that project using Squid.



 I look forward to hearing from you soon.

Thank you.

Best Regards,

Sohan.
@Antony.Stone
1. I am using a mikrotik routerboard to redirect traffic, with this rule:
dd action=dst-nat chain=dstnat comment="Redirect port 80 to SquidProxy" dst-port=80 protocol=tcp \ src-address=10.24.7.100 to-addresses=10.24.7.101 to-ports=3128

3. It is not in the default route; packets are being redirected.

4. There are no iptables rules; the firewall is disabled for this test.

Regards


Re: Squid Transparent/intercept Issues

Antony Stone
On Tuesday 21 March 2017 at 12:00:05, christian brendan wrote:

> > Today's Topics:
> >    1. Re: Squid Transparent/intercept Issues (Antony Stone)
> >    2. Re: SMP and AUFS (Matus UHLAR - fantomas)
> >    3. Re: SMP and AUFS (Alex Rousskov)
> >    4. Re: squid workers question (Alex Rousskov)
> >    5. Re: squid workers question (Matus UHLAR - fantomas)
> >    6. Re: SSL Bump issues (Alex Rousskov)
> >    7. blocking or allowing specific youtube videos (Sohan Wijetunga)

Please edit your reply when responding to a digest email, deleting everything
not specific to your question.

> ​@Antony.Stone
> 1. ​I am using mikrotik routerboard to redirect traffic, with this rule:
> dd action=dst-nat chain=dstnat comment="Redirect port 80 to SquidProxy"
> dst-port=80 protocol=tcp \ src-address=10.24.7.100 to-addresses=10.24.7.101
> to-ports=3128

Okay, so there's your problem, then.

You must not use DSTNAT on a separate router to send packets to Squid for
intercept.

(This used to work in older versions of Squid, but does not work any more and
is documented on the wiki, for example at
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat )

Note the wording: "NOTE: This configuration is given for use on the squid box."  
That means the NAT rules *must* be running on the Squid box itself and not (in
your case) on the Mikrotik router.

> 3.​ It is not in default route, packets is been redirected.

In that case you need to use policy routing to get the packets *unchanged* to
the Squid box - see the above link, and also
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

> ​4. There is no iptable rules, firewall is disabled for this test.

You have to have a REDIRECT rule on the machine running Squid to get it to see
the packets (once they are no longer being DNATted).

Please try to follow the guidelines at
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat and
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute and
then come back to us with details of what you've tried, if there are still
problems.


Regards,


Antony.

--
A user interface is like a joke.
If you have to explain it, it didn't work.

                                                   Please reply to the list;
                                                         please *don't* CC me.
Re: Squid Transparent/intercept Issues

christian brendan


One more thing,
Does this imply using two NICs (Network Interface Cards)?
And the squid server has to be in-between clients and the internet?

Regards




On Tue, Mar 21, 2017 at 5:29 PM, christian brendan <[hidden email]> wrote:
Thanks a lot for the information.
I will try this and give feedback.
Best Regards


Re: Squid Transparent/intercept Issues

Antony Stone
On Wednesday 22 March 2017 at 11:59:14, christian brendan wrote:

> One more thing,
> Does this implies using two NICs (Network Interface Cards)?

No, this is not necessary.

> And the squid server has to be in-between clients and the internet?

That is the simpler way of doing it (in which case you would want two NICs,
yes).

Basically your choices are:

1. Put the Squid server in the route between clients and the Internet (so, it
has two NICs, each with an address on different networks), and an IPtables
REDIRECT rule to send port 80 & 443 traffic to Squid.

2. Put your Squid server (with one NIC) wherever you like, having just a
single IP address (and able to route to the Internet), and use policy routing
on your Mikrotik router to send any packets from clients heading for port 80 &
443 out on the Internet, to the Squid server instead (without doing DNAT and
changing the destination address).  You still need the REDIRECT rule on the
Squid server, and you must ensure that when Squid then makes its own request
out to the Internet, that goes out, and does not get intercepted by the
Mikrotik and sent back to Squid again :)


Antony.

--
Late in 1972 President Richard Nixon announced that the rate of increase of
inflation was decreasing.   This was the first time a sitting president used a
third derivative to advance his case for re-election.

 - Hugo Rossi, Notices of the American Mathematical Society

                                                   Please reply to the list;
                                                         please *don't* CC me.
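Added example, not code from the thread, the Squid project or the wiki pages Antony links: a small POSIX shell script that prints, for review rather than applying, the configuration that christian's MikroTik reply and Antony's options 1 and 2 above describe. The interface name, the ports 3128/3129 and the routing mark name `to-squid` are assumed placeholders; the addresses 10.24.7.100 (client) and 10.24.7.101 (Squid box) are taken from the thread. The point it makes concrete is Antony's one: intercept-mode Squid learns the client's real destination by reading back the REDIRECT entry from the NAT table of the host it runs on, so a DNAT performed on another router leaves it nothing to read, and a policy route must deliver the packets with their destination unchanged while exempting Squid's own outbound connections from the loop.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project. Values marked
# "assumed" are placeholders; 10.24.7.100 and 10.24.7.101 come from the thread.
# Every function only PRINTS its rules so they can be reviewed first; run
# "sh intercept-rules.sh show" to see all three sets, then apply each set as
# root on the machine named in its comment.

LAN_IF="${LAN_IF:-eth1}"               # assumed: NIC facing the clients
FWD_PORT="${FWD_PORT:-3128}"           # assumed: normal forward-proxy port
ICP_PORT="${ICP_PORT:-3129}"           # assumed: dedicated intercept port
SQUID_IP="${SQUID_IP:-10.24.7.101}"    # from the thread: the Squid box
CLIENT_IP="${CLIENT_IP:-10.24.7.100}"  # from the thread: the test client

# squid.conf port lines. The intercept port is kept separate from the forward
# port, as the wiki's Intercept example does; "transparent" is the old (pre-3.1)
# spelling of "intercept" on Linux, which is why both behave the same in 3.5.
squid_conf_ports() {
    printf 'http_port %s\n' "$FWD_PORT"
    printf 'http_port %s intercept\n' "$ICP_PORT"
}

# iptables rules for the Squid box itself (needed in both of Antony's options).
# REDIRECT in PREROUTING records the original destination in THIS host's
# conntrack table; intercept-mode Squid reads that entry back to find out where
# the client was really going. A dst-nat done on the MikroTik creates no such
# entry here, so the rule has to live on the Squid box.
squid_box_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$LAN_IF" "$ICP_PORT"
    # Only redirected LAN traffic should reach the intercept port.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$LAN_IF" "$ICP_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$ICP_PORT"
}

# RouterOS rules for option 2 (single-NIC Squid box off the default path).
# Client packets for port 80 are policy-routed to the Squid box with the
# destination address UNCHANGED (no dst-nat). The first rule exempts Squid's
# own outbound connections so they are not sent straight back to it.
mikrotik_policy_route_rules() {
    printf '/ip firewall mangle add chain=prerouting src-address=%s action=accept comment="never mark Squid itself"\n' "$SQUID_IP"
    printf '/ip firewall mangle add chain=prerouting src-address=%s protocol=tcp dst-port=80 action=mark-routing new-routing-mark=to-squid passthrough=no\n' "$CLIENT_IP"
    printf '/ip route add dst-address=0.0.0.0/0 gateway=%s routing-mark=to-squid\n' "$SQUID_IP"
}

# Pre-apply sanity check: the Squid-box set must contain a REDIRECT and no
# DNAT, and the router set must not rewrite destination addresses.
# Returns 0 when all three conditions hold.
check_no_dnat() {
    squid_box_rules | grep -q -- '-j REDIRECT' || return 1
    squid_box_rules | grep -q -- '-j DNAT' && return 1
    mikrotik_policy_route_rules | grep -q 'dst-nat' && return 1
    return 0
}

if [ "${1:-}" = "show" ]; then
    echo "# squid.conf";        squid_conf_ports
    echo "# on the Squid box";  squid_box_rules
    echo "# on the MikroTik";   mikrotik_policy_route_rules
fi
```

For option 1 (Squid box with two NICs in the path) only `squid_conf_ports` and `squid_box_rules` are needed and the MikroTik keeps plain routing; the loop Antony warns about cannot occur there because Squid's own connections are locally generated and never pass through PREROUTING.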