10

Server Details

Squid Transparent Proxy Version: 3.3.8
OS: Ubuntu Server 14.04
Server IP: 192.168.1.3

Squid config file

(excluding comments using grep)

root@ubuntu:~# grep -v '^$\|^\s*\#' /etc/squid3/squid.conf
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl CONNECT method CONNECT
acl mylocalnetwork src 192.168.1.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access allow mylocalnetwork
http_access deny manager
http_access allow localhost
http_access deny all
http_port 3128 transparent
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /opt/squid/cache 10000 14 256
maximum_object_size 128000 KB
cache_swap_low 95
cache_swap_high 99
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern -i \.(gif|png|jp?g|ico|bmp|tiff?)$ 10080 95% 43200
refresh_pattern -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)$ 10080 90% 43200
refresh_pattern -i \.(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd)$ 43200 95% 432000
refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i \.index.(html|htm)$ 0 75% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 1440 90% 10080
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 13 KB
visible_hostname localhost

Squid logs

2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| Loaded Icons.
2014/07/03 22:11:57| HTCP Disabled.
2014/07/03 22:11:57| Pinger socket opened on FD 13
2014/07/03 22:11:57| Squid plugin modules loaded: 0
2014/07/03 22:11:57| Adaptation support is off.
2014/07/03 22:11:57| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 11 flags=41
2014/07/03 22:11:57| Done reading /opt/squid/cache swaplog (2 entries)
2014/07/03 22:11:57| Finished rebuilding storage from disk.
2014/07/03 22:11:57|         2 Entries scanned
2014/07/03 22:11:57|         0 Invalid entries.
2014/07/03 22:11:57|         0 With invalid flags.
2014/07/03 22:11:57|         2 Objects loaded.
2014/07/03 22:11:57|         0 Objects expired.
2014/07/03 22:11:57|         0 Objects cancelled.
2014/07/03 22:11:57|         0 Duplicate URLs purged.
2014/07/03 22:11:57|         0 Swapfile clashes avoided.
2014/07/03 22:11:57|   Took 0.08 seconds ( 24.94 objects/sec).
2014/07/03 22:11:57| Beginning Validation Procedure
2014/07/03 22:11:57|   Completed Validation Procedure
2014/07/03 22:11:57|   Validated 2 Entries
2014/07/03 22:11:57|   store_swap_size = 12.00 KB
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| pinger: Initialising ICMP pinger ...
2014/07/03 22:11:57| pinger: ICMP socket opened.
2014/07/03 22:11:57| pinger: ICMPv6 socket opened
2014/07/03 22:11:57| Pinger exiting.
2014/07/03 22:11:58| storeLateRelease: released 0 objects

Iptables rules

(using single interface "eth0" for time being)

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.3:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

Client Configuration

The problem is that I could not access the internet on my client machines with Squid's IP as gateway and primary DNS, as shown below.

On an Ubuntu client

auto eth0
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.3

dns-nameservers 192.168.1.3

On a Windows client

(screenshot of the Windows client's IPv4 settings; image not reproduced)

When I change the DNS on the Ubuntu client to `dns-nameservers 192.168.1.1`, and on the Windows client to the same router IP 192.168.1.1 instead of the Squid IP (192.168.1.3), then I can access the internet on both. This may not be the right way to do it, as the page may be served directly by the router and not by the Squid server from its cache (of course I can see log entries being generated in /var/log/squid3/cache.log). I also noticed my router blinking for pages that were already accessed, which may mean it sends the request over the internet instead of fetching from the Squid cache.

I'm still not compromised. If I could still access the visited pages on my client machines from the cache with the internet shut down, I would be satisfied.

What is the procedure to configure clients for a Squid transparent proxy? Can anybody guide me, please?

Update 1

root@ubuntu:~# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.3:3128
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      eth0    192.168.1.0/24       0.0.0.0/0

Update 2

It works on the previous release, Ubuntu 10.04 (lucid), with Squid Cache: Version 2.7.STABLE7. Below is the Squid config file that worked; I could access the internet on the client machines when the clients' gateway and DNS were set to lucid's IP:

root@lucid:~# grep -v '^$\|^\s*\#' /etc/squid/squid.conf
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl mynet src 192.168.1.0/24    # RFC1918 possible internal network
acl SSL_ports port 443      # https
acl SSL_ports port 563      # snews
acl SSL_ports port 873      # rsync
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl Safe_ports port 631     # cups
acl Safe_ports port 873     # rsync
acl Safe_ports port 901     # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow mynet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
cache_dir ufs /var/spool/squid 2000 16 256
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern (Release|Package(.gz)*)$    0   20% 2880
refresh_pattern .       0   20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
offline_mode on
coredump_dir /var/spool/squid

I'm not sure why it's not working on Ubuntu 14.04 with Squid Cache: Version 3.3.8. I'm definitely missing some settings in the new version of Squid or in the new distro!

user53864
    I might be stating the obvious, but isn't the whole point of a transparent proxy configuration that you DON'T configure the clients? – HBruijn Jul 04 '14 at 17:00
  • No, I just mentioned the server configs in case it helps debug the issue. – user53864 Jul 04 '14 at 17:30
  • I'm not understanding how to configure Squid clients. I could not access the internet on the client when I use Squid's IP (192.168.1.3) as gateway and primary DNS server. I think this is the proper way to configure clients! – user53864 Jul 04 '14 at 17:45
  • No warnings or error messages from `squid3 -k parse`, it's all clean. – user53864 Jul 06 '14 at 04:17
  • what is the output of this command: "iptables -t nat -L -n -v" ? – TBI Infotech Jul 08 '14 at 08:22
  • @TBI Infotech:I'll post the output in two hours, I'm not in front of the machine. – user53864 Jul 08 '14 at 11:43
  • I updated my question with the output! – user53864 Jul 08 '14 at 15:29
  • Anybody already managing squid transparent proxy can try it on ubuntu 14.04 and confirm if it's not a bug in squid-3.3.8? – user53864 Jul 17 '14 at 11:19
  • I am using the following method to configure a Squid transparent proxy successfully. [https://linuxtechlab.com/squid-transparent-proxy-server-complete-configuration/](https://linuxtechlab.com/squid-transparent-proxy-server-complete-configuration/) I think it will help someone. – akash May 31 '18 at 05:52
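Before touching Squid it is worth checking the two artifacts posted above offline. The script below is an added example, not the poster's own code: it classifies the `http_port` lines of a squid.conf (Squid 3.x logs "ERROR: No forward-proxy ports configured." when every `http_port` carries `intercept`/`transparent`), lists NAT rules whose packet counter is still 0 (a PREROUTING redirect that never matched means client port-80 traffic never reached that interface, so Squid is not the place to look), and cross-checks that the DNAT/REDIRECT target port equals the intercept port. The squid.conf and the `iptables -t nat -L -n -v` dump it reads are constructed here to mirror the posted config and Update 1; the non-zero MASQUERADE counter is added for contrast.

```shell
#!/bin/sh
# Offline sanity checks for a Squid intercept setup. Added to this page as an
# example; it is not the poster's script. The two inputs below are constructed
# here to mirror the posted squid.conf and the "iptables -t nat -L -n -v"
# output from Update 1 (with one non-zero counter added for contrast).
set -u

SQUID_CONF=$(mktemp)
NAT_DUMP=$(mktemp)
trap 'rm -f "$SQUID_CONF" "$NAT_DUMP"' EXIT

cat >"$SQUID_CONF" <<'EOF'
acl mylocalnetwork src 192.168.1.0/24
http_access allow mylocalnetwork
http_access deny all
http_port 3128 transparent
EOF

cat >"$NAT_DUMP" <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.3:3128
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   57  4104 MASQUERADE  all  --  *      eth0    192.168.1.0/24       0.0.0.0/0
EOF

# 1. http_port layout. Squid 3.x wants at least one plain (forward) http_port
#    next to the intercept one; with only intercept/transparent ports it logs
#    "ERROR: No forward-proxy ports configured." on every start.
#    Prints: ok | missing forward port | missing intercept port | no http_port
squid_port_check() {
    ports=$(grep -E '^[[:space:]]*http_port[[:space:]]' "$1" || true)
    [ -n "$ports" ] || { echo "no http_port"; return 1; }
    fwd=$(printf '%s\n' "$ports" | grep -Evc 'intercept|transparent|tproxy' || true)
    icp=$(printf '%s\n' "$ports" | grep -Ec 'intercept|transparent|tproxy' || true)
    if [ "$fwd" -gt 0 ] && [ "$icp" -gt 0 ]; then echo ok; return 0; fi
    if [ "$icp" -gt 0 ]; then echo "missing forward port"; else echo "missing intercept port"; fi
    return 1
}

# 2. NAT rules that never matched a packet (pkts column is 0). A PREROUTING
#    redirect still at 0 after clients have browsed means their port-80
#    traffic is not arriving on that interface; Squid never saw it.
nat_zero_hit_rules() {
    awk '/^Chain /   { chain = $2; next }
         /^ *pkts/   { next }
         NF > 2 && $1 == "0" { print chain, $3 }' "$1"
}

# 3. The port the NAT rules hand traffic to must be the intercept port.
squid_intercept_port() {
    awk '/^ *http_port/ && /intercept|transparent|tproxy/ { sub(/.*:/, "", $2); print $2; exit }' "$1"
}

# Target ports of DNAT ("to:ip:port") and REDIRECT ("redir ports N") rules.
nat_target_ports() {
    awk '{ for (i = 1; i <= NF; i++) {
             if ($i ~ /^to:/)        { n = split($i, a, ":"); print a[n] }
             else if ($i == "ports") { print $(i + 1) } } }' "$1"
}

# Returns 0 when every DNAT/REDIRECT target equals the intercept port.
ports_consistent() {
    want=$(squid_intercept_port "$1")
    [ -n "$want" ] || return 1
    targets=$(nat_target_ports "$2")
    [ -n "$targets" ] || return 1
    for p in $targets; do
        [ "$p" = "$want" ] || return 1
    done
}

echo "http_port layout : $(squid_port_check "$SQUID_CONF")"
echo "never-hit rules  : $(nat_zero_hit_rules "$NAT_DUMP" | tr '\n' ';')"
if ports_consistent "$SQUID_CONF" "$NAT_DUMP"; then
    echo "NAT target ports : match intercept port $(squid_intercept_port "$SQUID_CONF")"
else
    echo "NAT target ports : do not match squid.conf"
fi
```

Run it against the real files with `squid_port_check /etc/squid3/squid.conf` and `iptables -t nat -L -n -v > /tmp/nat.txt; nat_zero_hit_rules /tmp/nat.txt` after a client has loaded a page. Note that the posted DNAT and REDIRECT rules match the same packets, so only the first one ever fires; the second is dead weight and one of them should go.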

6 Answers

15

I am not sure, but please take a look at this checklist:

Edit the squid.conf file and change the following line to enable transparent proxy mode:

http_port 3128

to

http_port 3128 intercept

Then

service squid restart 
service squid reload

Add an entry to the iptables NAT table to port-forward inbound traffic on the inside interface (LAN side) to the Squid server on port 3128 (assuming eth0 is the inside interface with the IP address 192.168.1.3):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.3:3128

Now you can look at your iptables, default filter table, and NAT table, using the following commands:

iptables -L -t filter

iptables -L -t nat

Now you can append to the iptables filter table with the following command, to accept input on port 3128 for Squid:

iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT

Also try this:

You need both an 'intercept' and a 'forward proxy' port in the config, even if you don't use the forward proxy:

http_port 3129 

http_port 3128 intercept

Note: The `transparent` option has been deprecated in favour of the `intercept` option since 2010.

Alexis Wilke
TBI Infotech
  • I already changed it to `intercept` as suggested by HBruijn. Iptables nat rules are already in place and INPUT to proxy server is not blocked for any port/source, all incoming packets are allowed for now. – user53864 Jul 11 '14 at 06:32
  • Can you check port 3129 instead of 3128, as `http_port 3129 intercept`? – TBI Infotech Jul 11 '14 at 06:51
  • @user53864 check the updated answer – TBI Infotech Jul 11 '14 at 07:03
  • I tried! No luck, the result is the same. I tried with port 3129 in Squid and also replaced the iptables rules with the new port. I still could not access the internet on my client machines. – user53864 Jul 11 '14 at 07:25
  • After adding both in squid.conf, what is the log report of Squid? `http_port 3129` `http_port 3128 intercept` – TBI Infotech Jul 11 '14 at 07:32
  • Again I tried `http_port 3129` `http_port 3128 intercept` in squid config with iptables rules forwarding to 3128. No luck. Logs are clear, here is the log link for reference: http://pastebin.com/jx1LDXvz – user53864 Jul 11 '14 at 07:44
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/15675/discussion-between-user53864-and-tbi-infotech). – user53864 Jul 11 '14 at 07:50
  • Is the nat needed? I have a router inbetween my clients and the squid box, that can redirect 80 to 3128? I'm just wondering if squid reads the nat rules or something? – user230910 Mar 30 '16 at 13:26
2

According to the Squid wiki you have the wrong setting in the http_port option: with Squid 3.1+ and DNAT it should be `intercept` instead of `transparent`.

http_port 3128 intercept

Although the output of your Squid log does seem to indicate intercepted sockets being active.

A second thing is that the Linux server needs to allow TCP/IP forwarding with `sysctl net.ipv4.ip_forward=1`.

HBruijn
  • I changed the setting to `intercept`; the result is the same, I could not access the internet on clients with `192.168.1.3` as gateway and primary DNS. Yes, TCP/IP forwarding is enabled in sysctl.conf. – user53864 Jul 04 '14 at 17:35
  • Actually, what's the proper way to set up a Squid client? Should the DNS be Squid's IP (192.168.1.3) or the general router IP (192.168.1.1)? – user53864 Jul 04 '14 at 17:40
  • The normal setup is that the router/default gateway a client receives on their DHCP request has a redirect rule, that intercepts outgoing traffic to TCP port 80, and redirects those packets to the transparent proxy. There they'll be processed and the results returned to the client. The DNS used doesn't matter. – HBruijn Jul 06 '14 at 09:52
  • So it should just work with the gateway setting at the clients, I still don't know why I couldn't access internet on clients. – user53864 Jul 06 '14 at 13:23
  • I updated my post! – user53864 Jul 09 '14 at 13:10
2

Error: No forward-proxy ports configured (in /var/log/squid3/cache.log)

Read the wiki.

In my experience, a transparent proxy needs the NAT port in squid.conf (both of them):

http_port 3128
http_port 8080 intercept
sebix
0

After just adding "intercept" to the http_port option, I still had issues in combination with the iptables redirect mode if clients are configured to use a proxy:

"ERROR: No forward-proxy ports configured." and "WARNING: Forwarding loop detected for:"

After going through the above statements, I use this as the best outcome for now:

a) use a dual port entry in squid.conf like this:

http_port 8080
http_port 3128 intercept

This presents port 8080 as an ordinary forward port for client-side configuration and gives a second port to forward redirected traffic to.

b) use an iptables rule like this:

iptables -A PREROUTING -t nat -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port 3128

This way you have a classic proxy port (8080) to configure on your clients and an enforcing port for non-encrypted traffic.

Why would you want to do this? Well, if you don't like having HTTPS traffic bypass the proxy (you need to configure ordinary clients anyway), and if you want to support, but don't want to (or cannot) configure, less smart devices or programs.

  • On Raspbian (and probably others) that iptables command gives the error "iptables v1.4.21: can't initialize iptables table `NAT': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.". Changing "-t NAT" to "-t nat" resolves this. – glennr Feb 21 '18 at 23:48
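The checklist in the first answer and the dual-port REDIRECT variant above are the same procedure with one rule swapped. The script below is an added example, not code from either answer: it emits the complete setup as shell commands (squid.conf port lines, `ip_forward`, the NAT redirect and the filter rules) so the rule set can be reviewed before it is applied with `--apply` as root. Everything configurable is an assumption taken from the question: LAN interface eth0 (also the upstream interface on this single-NIC box), proxy 192.168.1.3 on 192.168.1.0/24, forward port 3129, intercept port 3128, and `NAT_MODE` choosing DNAT or REDIRECT. Two hardening rules go beyond the answers: the proxy's own address is exempted from redirection so its traffic is never looped back into itself, and the intercept port accepts only connections that conntrack marks as DNATed, so nobody can talk to it directly as if it were a forward proxy.

```shell
#!/bin/sh
# Generates (and, with --apply, executes) the full intercept setup the two
# answers above describe. Added to this page as an example; it is not code
# from either answer. Assumed values: LAN interface eth0, proxy address
# 192.168.1.3 on 192.168.1.0/24, forward port 3129, intercept port 3128.
# Override any of them through the environment, e.g. NAT_MODE=REDIRECT.
set -u

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-$LAN_IF}          # single-interface box: same NIC both ways
LAN_NET=${LAN_NET:-192.168.1.0/24}
SQUID_IP=${SQUID_IP:-192.168.1.3}
FORWARD_PORT=${FORWARD_PORT:-3129}
INTERCEPT_PORT=${INTERCEPT_PORT:-3128}
NAT_MODE=${NAT_MODE:-DNAT}         # DNAT (first answer) or REDIRECT (answer above)

# squid.conf needs a plain forward port beside the intercept port, or 3.x
# logs "ERROR: No forward-proxy ports configured."
squid_port_lines() {
    printf 'http_port %s\n' "$FORWARD_PORT"
    printf 'http_port %s intercept\n' "$INTERCEPT_PORT"
}

# The commands, one per line, in the order they must be applied. The table
# name is lowercase "nat"; "-t NAT" is rejected by iptables.
intercept_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # never redirect the proxy's own port-80 traffic back into itself
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $SQUID_IP -p tcp --dport 80 -j ACCEPT"
    if [ "$NAT_MODE" = REDIRECT ]; then
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT"
    else
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j DNAT --to-destination $SQUID_IP:$INTERCEPT_PORT"
    fi
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    # intercept port: only connections that were actually NATed may reach it;
    # a direct connection to it is dropped, it is not a forward-proxy port
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $INTERCEPT_PORT -m conntrack --ctstate DNAT -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $INTERCEPT_PORT -j DROP"
    # forward port: for LAN clients that are configured to use a proxy explicitly
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $FORWARD_PORT -j ACCEPT"
}

# Executes the generated commands, stopping at the first failure.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "must be root to apply rules" >&2; return 1; }
    intercept_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1     # exits the pipeline subshell, failing apply_rules
    done
}

case ${1:-} in
    --apply) apply_rules ;;
    *)  echo "# add to /etc/squid3/squid.conf (replacing 'http_port 3128 transparent'):"
        squid_port_lines
        echo "# then run as root:"
        intercept_rules ;;
esac
```

Run it once without arguments to review the output, then `sudo sh intercept-setup.sh --apply`. The INPUT rules are appends, so they only restrict anything if the chain's policy or an earlier rule does not already accept the traffic; check with `iptables -L INPUT -n -v --line-numbers` that the DROP for the intercept port lands before any blanket ACCEPT.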
-1

In Ubuntu 14.04 with Squid Transparent Proxy Version 3.3.8, you must remove `transparent` from the `http_port 3128` configuration line, I mean just leave

http_port 3128

not

http_port 3128 transparent

for some reason it is not working now.

-2

with :

http_port 3128
http_port 8080 intercept

it works

(Error: No forward-proxy ports configured, in /var/log/squid3/cache.log)

HBruijn