Setting Squid Transparent Proxy

1

I want to set up Squid transparent proxy on my server. However, I also want to have Apache running. And HTTP/HTTPS should work on Apache as well as on proxy port.

So say:

  • Apache serves HTTP requests on port 80, HTTPS on 443
  • And I should have a proxy that supports HTTP and HTTPS.

Questions:

  1. How do I set the above up?
  2. How do I configure any tools that take in proxy server address and port? Usually tools take only 1 port. Will my proxy be running on 2 different ports for HTTP/HTTPS?

JPO

Posted 2012-07-20T02:19:44.140

Reputation: 11

Answers

1

The standard port for squid is 3128. It supports HTTP, HTTPS, and other protocols on this port. It also supports a transparent HTTP proxy mode using a separate port. For a transparent proxy to work, you will need NAT rules to forward web traffic to the proxy. I set up a Squid Transparent Proxy using both ports.

There is no conflict with your Apache server on 80 and 443. Do review the configuration so that you don't cache your local server. Normally you should exempt connections to your local server from passing through the transparent proxy.

EDIT: To operate as a transparent proxy for your users you will need to configure your firewall to forward all web requests not originating from your squid server to the squid server. In iptables this is done with a DNAT configuration. I use shorewall to build my firewall and have a rule like this. ($SQUID resolves to the IP address of my squid server.)

HTTP(DNAT)        loc             dmz:$SQUID:3129  -      -    -   !192.168.0.0/16

You may also want to forward other ports commonly used for HTTP to squid. I forward the ports 81, 82, and 8080, among others, to squid.

You may want to distribute your proxy configuration as I detailed in Setting up Squid Proxy on Ubuntu. This can handle HTTPS as well as HTTP.

BillThor

Posted 2012-07-20T02:19:44.140

Reputation: 9 384

Thanks. I am a bit confused. All setup guides talk about forwarding traffic from port 80 to squid port. Will that not mean that I cannot run websites on my server? Basically what I need is something like this.

www.mywebsite.com -> a normal website running on the server, served through apache.

proxy.mywebsite.com:proxy_port --> a proxy server, that anyone can use. (proxy.mywebsite.com is not any website, but just a proxy server that I need) Does what is mentioned in the setup guide achieve this? – JPO – 2012-07-20T15:42:23.000

Yes, you need to DNAT outgoing connections if you want to run a transparent proxy. (For IPv6 you likely just want to block access and force users to use the proxy.) – BillThor – 2012-07-20T23:01:36.437
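The iptables equivalent of the shorewall DNAT rule in the answer above, as an added example that is not part of the original answer or the Squid project. It is written for the asker's case, where Apache, Squid and the firewall all live on one host: LAN traffic to port 80 is sent to the Squid intercept port (3129 here, as in the answer), while connections addressed to the local Apache server or to other LAN hosts are exempted, and the intercept port is only reachable from the LAN. The interface name, LAN range and host address are constructed placeholders; the script prints the rules rather than applying them, and the squid.conf fragment shows the two ports the answer describes (explicit 3128 for HTTP and HTTPS via CONNECT, 3129 for intercepted HTTP). `http_port ... intercept` is the Squid 3.1+ keyword; older releases spell it `transparent`.

```shell
#!/bin/sh
# Added example, not code from the original post. All addresses are constructed placeholders.
LAN_IF="${LAN_IF:-eth1}"                 # interface facing the LAN clients
LAN_NET="${LAN_NET:-192.168.0.0/16}"     # LAN range (the answer's shorewall rule excludes it too)
SQUID_IP="${SQUID_IP:-192.168.1.10}"     # this host: runs Apache on 80/443 and Squid
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}" # Squid intercept port, as in the answer

# Emit the NAT/filter rules as text. Order matters: the RETURN exemptions must
# come before the DNAT, otherwise requests for the local Apache site would be
# bounced into Squid. Packets generated by Squid itself never traverse
# PREROUTING, so its upstream fetches are not re-intercepted.
squid_nat_rules() {
    lan_if=$1; lan_net=$2; squid_ip=$3; port=$4
    # 1. Requests for the local web server (Apache) bypass the proxy.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -d %s -j RETURN\n' "$lan_if" "$squid_ip"
    # 2. Requests to other hosts inside the LAN bypass the proxy as well.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -d %s -j RETURN\n' "$lan_if" "$lan_net"
    # 3. Everything else on port 80 arriving from the LAN goes to the intercept port.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j DNAT --to-destination %s:%s\n' "$lan_if" "$squid_ip" "$port"
    # 4. Only LAN clients may reach the intercept port; nothing else can use it as an open proxy.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -s %s -j ACCEPT\n' "$lan_if" "$port" "$lan_net"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Matching squid.conf fragment: explicit port for configured clients (HTTP and
# HTTPS via CONNECT on the single port 3128) plus the intercept port, and an ACL
# so requests for the local server are fetched directly and never cached.
squid_conf_fragment() {
    port=$1; local_ip=$2
    cat <<EOF
http_port 3128
http_port $port intercept
acl localsrv dst $local_ip
always_direct allow localsrv
cache deny localsrv
EOF
}

# Print both pieces; pipe the first into sh once reviewed on a real firewall.
squid_nat_rules "$LAN_IF" "$LAN_NET" "$SQUID_IP" "$INTERCEPT_PORT"
echo '# --- squid.conf fragment ---'
squid_conf_fragment "$INTERCEPT_PORT" "$SQUID_IP"
```

Clients that are configured explicitly (the tools in question 2 that take one proxy address and port) point at port 3128 only; Squid handles both HTTP and HTTPS there, so no second port is needed for them. The intercept port only ever sees HTTP, which is why the rules match port 80 and leave 443 alone.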