transparently proxy squid in a docker container


transparently proxy squid in a docker container

agent_js03
Hi all,

For some years I have used squid 3.5 with SSL bump and transparent proxy locally on my laptop. I have been using the following in my squid.conf:


ssl_bump server-first all
http_port 3128
http_port 3129 intercept
http_port 3130 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/bluestar.crt key=/etc/squid/ssl/bluestar.pem


So if I want to manually set the proxy on the client side, I use port 3128, but by default all http/https traffic is redirected to port 3129 and 3130, respectively. Here are my iptables rules:


iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner dockeruser -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner root -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner dockeruser -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130


dockeruser is the user that starts the docker container, and proxy is the actual squid user. I didn't know which one I needed a rule for, so I just chose both.

As I said before, this worked great when I was running squid 3.5 on bare metal. Now I am running squid 4 in a docker container. I am seeing the following error many times in the squid logs when I try to use the transparent proxy:


2021/02/24 01:45:17| WARNING: Forwarding loop detected for:
GET /success.txt HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity,gzip,deflate
Pragma: no-cache
Via: 1.1 19deb96addda (squid/4.11)
X-Forwarded-For: 172.18.0.1
Cache-Control: no-cache
Host: detectportal.firefox.com


And from Firefox I see this:

WARNING: Forwarding loop detected for
SSL_ERROR_RX_RECORD_TOO_LONG


I feel like I am very close, but I'm not sure what I am missing. Does someone else know of a better way to do this? I had assumed that since I publish the ports, I should be able to redirect to them the same way I would if squid were running locally.


I would appreciate any help in figuring this out.

Thanks,

-Justin



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: transparently proxy squid in a docker container

Amos Jeffries
Administrator
On 24/02/21 3:14 pm, Justin Michael Schwartzbeck wrote:

> Hi all,
>
> For some years I have used squid 3.5 with SSL bump and transparent proxy
> locally on my laptop. I have been using the following in my squid.conf:
>
>
> ssl_bump server-first all
> http_port 3128
> http_port 3129 intercept
> http_port 3130 ssl-bump intercept generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/bluestar.crt
> key=/etc/squid/ssl/bluestar.pem
>
>
> So if I want to manually set the proxy on the client side, I use port
> 3128, but by default all http/https traffic is redirected to port 3129
> and 3130, respectively. Here are my iptables rules:
>
>
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner
> root -j RETURN
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner
> dockeruser -j RETURN
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT
> --to-ports 3129
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner
> root -j RETURN
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner
> dockeruser -j RETURN
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT
> --to-ports 3130
>

These rules are inside the container, yes?


>
> dockeruser is the user that starts the docker container, and proxy is
> the actual squid user. I didn't know which one I needed a rule for, so I
> just chose both.
>

Should be the "effective user" Squid runs as. Apparently "proxy" from
that description.


> As I said before, this worked great when I was running squid 3.5 on bare
> metal. Now I am running squid 4 in a docker container. I am seeing the
> following error many times in the squid logs when I try to use the
> transparent proxy:
>
>
> 2021/02/24 01:45:17| WARNING: Forwarding loop detected for:
>

Something on the network is routing traffic back to Squid. The most
common cause is missing or broken policy routing rules on a router.

Be aware that for containers or virtual systems the host OS may be
acting as a router for the container. As such it needs policy routing
like any other.
See <https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute>, which has details of the rules needed, assuming your host OS is Linux.


Amos
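Amos's diagnosis can be checked against the log excerpt in the first message. The Python below is an added example, not code from this thread or from Squid: it parses "Forwarding loop detected" blocks out of cache.log, splits the Via header into hops, and reports whether the request has already passed through this proxy (the condition behind Squid's warning). It assumes the container hostname, and therefore Squid's default unique_hostname, is 19deb96addda, the received-by token in the posted Via header; the sample log text is reconstructed from the message.

```python
import re
LOOP_MARKER = "WARNING: Forwarding loop detected for:"
# Via hop grammar (RFC 7230): [proto/]version received-by [(comment)]
VIA_HOP = re.compile(r"(?:\S+/)?(\d+(?:\.\d+)?)\s+(\S+)(?:\s+\((.*?)\))?")

# Constructed sample: the cache.log excerpt from the first message, headers on consecutive lines.
SAMPLE_LOG = """\
2021/02/24 01:45:17| WARNING: Forwarding loop detected for:
GET /success.txt HTTP/1.1
Via: 1.1 19deb96addda (squid/4.11)
X-Forwarded-For: 172.18.0.1
Host: detectportal.firefox.com
"""

def parse_loop_warnings(log_text):
    """One dict per warning: timestamp, request line and lower-cased headers."""
    events, current = [], None
    for line in log_text.splitlines():
        if LOOP_MARKER in line:
            current = {"timestamp": line.split("|", 1)[0].strip(), "request": "", "headers": {}}
            events.append(current)
        elif current is None or not line.strip():
            current = None                      # a blank line ends the dumped request
        elif not current["request"]:
            current["request"] = line.strip()   # first line after the marker is the request line
        else:
            name, _, value = line.partition(":")
            current["headers"][name.strip().lower()] = value.strip()
    return events

def via_hops(via_value):
    """Split a Via header into (version, received-by, comment) triples, one per hop."""
    matches = (VIA_HOP.match(hop.strip()) for hop in via_value.split(","))
    return [(m.group(1), m.group(2), m.group(3) or "") for m in matches if m]

def is_forwarding_loop(headers, own_hostname):
    """Looped if this proxy is already a received-by host in Via (the condition behind Squid's warning)."""
    return any(host == own_hostname for _, host, _ in via_hops(headers.get("via", "")))

def analyse(log_text, own_hostname):
    report = []
    for ev in parse_loop_warnings(log_text):
        hdr = ev["headers"]
        report.append({
            "request": ev["request"], "host": hdr.get("host", ""),
            "looped_through_self": is_forwarding_loop(hdr, own_hostname),
            "previous_hops": [h for _, h, _ in via_hops(hdr.get("via", ""))],
            "client_chain": [a.strip() for a in hdr.get("x-forwarded-for", "").split(",") if a.strip()],
        })
    return report
```

For the posted request the Via hop names this very instance and X-Forwarded-For carries 172.18.0.1, an address on the docker network, so the request left the container once and was delivered to Squid a second time, which is the routing problem Amos describes.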

Re: transparently proxy squid in a docker container

agent_js03
I believe I have solved the forwarding loop issue by adding a preceding rule to -j ACCEPT all traffic originating from the docker network. Now I still have the SSL_ERROR_RX_RECORD_TOO_LONG issue, which seems to be unrelated. I will set logging to debug and do a Wireshark session to see what might be going on.


Re: transparently proxy squid in a docker container

agent_js03
I ended up using redsocks for the transparent proxy, which is working perfectly for me now. I don't need to configure squid for this after all.
