Transparent Squid Proxy - ERR_EMPTY_RESPONSE


zo_av
I'm trying to redirect all of my subnet traffic to a transparent squid proxy
using iptables on the router gateway (the squid proxy is located in the
LAN).

I can browse sites that are https but can't access http sites; the error
that appears in the browser is "ERR_EMPTY_RESPONSE".

Also, I got these errors in the cache.log file:
NF getsockopt(ORIGINAL_DST) failed on local=192.168.0.110:3129
NAT/TPROXY lookup failed to locate original IPs on local=192.168.0.110:3129

I'm using:
Squid version: 3.5.27

The iptables lines that we used for the redirection:
192.168.0.110:3129 - the squid box port+IP.
192.168.0.1 - the router's IP.

iptables:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.110:3129

iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.110 --dport 3129 -j SNAT --to-source 192.168.0.1

squid.conf

These are the lines that we have changed/added to the squid.conf:

acl localnet src 192.168.0.0/24

http_access allow localnet
http_port 3128
http_port 3129 intercept



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Transparent Squid Proxy - ERR_EMPTY_RESPONSE

Antony Stone
On Monday 27 August 2018 at 16:04:16, zo_av wrote:

> I'm trying to redirect all of my subnet traffic to a transparent squid
> proxy using iptables on the router gateway (the squid proxy is located in
> the LAN).

So long as you use policy routing for this, and not address translation, it's
possible.

> I can browse sites that are https but can't access http sites; the error
> that appears in the browser is "ERR_EMPTY_RESPONSE".
>
> Also, I got these errors in the cache.log file:
> NF getsockopt(ORIGINAL_DST) failed on local=192.168.0.110:3129
> NAT/TPROXY lookup failed to locate original IPs on local=192.168.0.110:3129

Sounds like you're using NAT and not routing :(

> I'm using:
> Squid version: 3.5.27
>
> The iptables lines that we used for the redirection:
> 192.168.0.110:3129 - the squid box port+IP.
> 192.168.0.1 - the router's IP.
>
> iptables:
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.110:3129
>
> iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.110 --dport 3129 -j SNAT --to-source 192.168.0.1

Nope; won't work.

> squid.conf
>
> These are the lines that we have changed/added to the squid.conf:
>
> acl localnet src 192.168.0.0/24
>
> http_access allow localnet
> http_port 3128
> http_port 3129 intercept

Please see https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat and
be aware of the NOTE: NAT configuration will only work when used *on* the squid
box.

https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute will
help you with the setup you need in your situation.


Regards,


Antony.

--
The lottery is a tax for people who can't do maths.

                                                   Please reply to the list;
                                                         please *don't* CC me.
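
Added example (not part of either message, and not copied from the Squid wiki): a sketch of the policy-routing layout the reply points to, using the addresses from the first post. The interface name eth0, the mark value 2 and the routing table id 100 are assumptions; the script only prints the rules, so they can be reviewed before being run as root on the router or on the Squid box.

```shell
#!/bin/sh
# Added example. Usage: sh intercept.sh router   (or: squid)
# Review the printed rules, then run them as root on the machine named.
SQUID_IP=192.168.0.110   # Squid box (from the post)
SQUID_PORT=3129          # "http_port 3129 intercept" (from the post)
LAN_IF=eth0              # assumption: router's client-facing interface
MARK=2                   # assumption: any unused fwmark value
TABLE=100                # assumption: any unused routing table id

# Router: no NAT. Port-80 packets are marked and routed to the Squid box
# with their destination IP untouched. Squid's own outbound requests are
# accepted first so they are never marked and do not loop back.
router_rules() {
cat <<EOF
iptables -t mangle -A PREROUTING -s $SQUID_IP -p tcp --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j MARK --set-mark $MARK
iptables -t filter -A FORWARD -i $LAN_IF -o $LAN_IF -p tcp --dport 80 -j ACCEPT
ip rule add fwmark $MARK table $TABLE
ip route add default via $SQUID_IP table $TABLE
EOF
}

# Squid box: the NAT step happens here, so this machine's kernel holds the
# conntrack entry that getsockopt(ORIGINAL_DST) reads. The mangle rule drops
# connections made directly to the intercept port.
squid_rules() {
cat <<EOF
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -t mangle -A PREROUTING -p tcp --dport $SQUID_PORT -j DROP
EOF
}

# Check: reads rules on stdin (for example the router's iptables-save output)
# and succeeds if any rule DNATs to the intercept port, which is the setup
# that produced the cache.log errors in the post.
dnat_to_intercept_port() {
  grep -e '-j DNAT' | grep -F -e "--to-destination $SQUID_IP:$SQUID_PORT" >/dev/null
}

case "${1:-}" in
  router) router_rules ;;
  squid)  squid_rules ;;
esac
```
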