
Patchlog: squid 2.6 transparent proxy

  • Marco A. Barragan · 2 years ago
    But that does not make the cache work. I searched for months for how to make a transparent and caching proxy in 2.6, but no solution, lol, so I returned to version 2.4 because of that...
  • Mihai · 2 years ago
    That configuration works on my server, maybe the problem is somewhere else. More details would be good if you want some help.
  • swenska · 2 years ago
    If the redirect doesn't work, try this:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
  • Rocky · 2 years ago
    Hey guys,

    I just came across this proxy and was wondering if you guys can help me out. I have the classic 192.168.0.0 subnet running at my organization with a hardware router that is also the gateway. I've been trying to get squid 2.6 running on Debian Etch with kernel 2.6, but with no success. I've gotten it to work by setting my IE to use a proxy, but it doesn't seem to want to work transparently. I've entered the iptables entry but still, same result. My setup is below:

    Compaq EN 1ghz, 512MB Ram with onboard Intel nic
    Installed Debian Etch from netinst CD with no packages.
    Configured NIC with IP 192.168.0.250 255.255.255.0 gw 192.168.0.2 dns 4.2.2.1
    Did apt-get install squid
    Configured squid.conf:
    http_port 3128 transparent
    acl lan src 192.168.0.0/24
    http_access allow localhost
    http_access allow lan

    Iptables entry:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    Can someone help me figure this out?

    Thanks,
  • Mihai · 2 years ago
    Do you have IP forwarding enabled?
    cat /proc/sys/net/ipv4/ip_forward should show 1. If not, then: echo 1 > /proc/sys/net/ipv4/ip_forward
    And if you want this to work after a reboot, put it somewhere like rc.local or /etc/sysctl.conf.
  • Rocky · 2 years ago
    Hey Mihai,

    Ok so I've done the cat /proc/sys/net/ipv4/ip_forward thing and I not have ip forwarding on. I also made sure that the iptables entry is correct.

    I still cannot do transparent proxy. It only works when I manually set IE to use a proxy. Any ideas?
  • Mihai · 2 years ago
    Did you also do: echo 1 > /proc/sys/net/ipv4/ip_forward ?

    If you run iptables -t nat -L -n -v, does it show any packets matching the iptables rule that you added to PREROUTING?
  • Rocky · 2 years ago
    Hey Mihai,

    I appreciate the help bro. I edited my sysctl.conf file and added net.ipv4.ip_forward = 1
    to it. So whenever I reboot, it automatically turns on IP forwarding. So I am not doing echo 1 > /proc/sys/net/ipv4/ip_forward.

    When I run iptables -t nat -L -n -v, this is what I get:

    Chain PREROUTING (policy ACCEPT 4 packets, 192 bytes)
    pkts bytes target prot opt in out source destination
    0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
  • Mihai · 2 years ago
    This machine has to act as the gateway for your local network. Do you have it configured this way? Do you have a rule in the POSTROUTING chain for doing SNAT or something like that? Does that work?
  • Rocky · 2 years ago
    Oh, so it will not work if it's not the gateway? I have it set as a node on my LAN because I have a hardware firewall, a Netopia router. Do you know of any way to make transparent proxy work in this type of scenario?
  • Mihai · 2 years ago
    Of course it will not work. How would it be able to redirect packets to squid if the packets don't even get to it?
    You can set this as the gateway and still use your hardware router, but you have to add another rule to POSTROUTING.

    iptables -t nat -A POSTROUTING -o $EXT_IF -s $LOCAL_NET -d ! $LOCAL_NET -j SNAT --to $EXT_IP
    $EXT_IF is your external interface (the interface linked to the hardware router in your case)
    $LOCAL_NET is 192.168.0.0/24 in your case
    $EXT_IP is the IP assigned to your external interface (192.168.0.250?)

    You can use just one interface if you want, and it can act as both an external and internal interface, but you have to set it up to have two different IPs (in two different classes): one for connecting to the hardware router and the other for your local network.
    You also have to set your workstations on your LAN to have an IP in the same class as the one you set on your server for the local interface, and make the workstations use the server's IP as the gateway, not the hardware router.
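    The gateway setup Mihai describes, together with the PREROUTING counter check he asked for earlier in the thread, as an added example script (not code from the thread or from Squid). The interface name, the LAN subnet 192.168.1.0/24, the external IP 192.168.0.250 and the counter values in the sample output are assumptions; the rules are only printed, not applied.

```shell
#!/bin/sh
# Added example: build the rules for a squid box acting as LAN gateway and
# check whether the REDIRECT rule is actually seeing traffic.
# All values below are assumptions, not taken from the thread verbatim.
EXT_IF="${EXT_IF:-eth0}"                  # interface towards the hardware router (assumed)
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"  # LAN behind the squid box, a different subnet (assumed)
EXT_IP="${EXT_IP:-192.168.0.250}"         # address on EXT_IF (assumed)
SQUID_PORT="${SQUID_PORT:-3128}"

# Print (do not run) the commands in the order they would be applied.
# The REDIRECT is limited to LAN sources so only clients behind the box are
# intercepted; newer iptables wants "! -d" rather than the older "-d !".
transparent_proxy_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -s $LOCAL_NET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LOCAL_NET ! -d $LOCAL_NET -j SNAT --to $EXT_IP
EOF
}

# Reads `iptables -t nat -L -n -v` output on stdin and prints the packet
# counter of the first REDIRECT rule for dpt:80 (nothing if no such rule).
redirect_pkts() {
    awk '$3 == "REDIRECT" && /dpt:80/ { print $1; exit }'
}

# Verdict: "no-rule", "no-traffic" (rule present but never hit, which in the
# thread meant the box was not the clients' gateway) or "ok".
redirect_status() {
    pkts=$(redirect_pkts)
    if [ -z "$pkts" ]; then echo "no-rule"
    elif [ "$pkts" -eq 0 ]; then echo "no-traffic"
    else echo "ok"; fi
}

# Constructed samples in the shape Rocky pasted (counters made up).
SAMPLE_ZERO='Chain PREROUTING (policy ACCEPT 4 packets, 192 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'
SAMPLE_HIT='Chain PREROUTING (policy ACCEPT 4 packets, 192 bytes)
 pkts bytes target     prot opt in     out     source               destination
  317 19020 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

if [ "${1:-}" = "--show" ]; then
    transparent_proxy_rules
    printf '%s\n' "$SAMPLE_ZERO" | redirect_status
fi
```

    On a real box, feed the live output instead: iptables -t nat -L -n -v | redirect_status.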
  • bunj · 2 years ago
    Rocky, you might be able to make it work in your scenario.
    You may be able to use WCCP or policy based routing.

    For WCCP you have to have a WCCP capable device in the path of the web traffic.
    So if either your firewall or router can do this, have a look at the squid wiki and the docs for the router for setting up WCCP.
    I have it working with a Cisco; it works fine and isn't too hard to set up.

    Policy routing is when you match traffic based on source, destination or port (or other things), then do something special to it.
    An example of this would be to match all web traffic passing through your router destined for an external address, and then redirect that traffic to your squid box. This all depends on how smart your router is.

    In either of these the squid box does not need to be in the direct path to see all your traffic, you just need one of your existing devices to have one or both of the above so it can flick web traffic to squid and send the rest the usual way.
  • nigel348 · 2 years ago
    Do we have a detailed reference to the configuration? Ta
  • Siddharth · 1 year ago
    Guys

    The names of the directives seem to have changed in squid 2.6. Look at the comments in /etc/squid/squid.conf regarding transparent mode. Also see the sections pertaining to squid 2.6 in the second document:

    http://wiki.squid-cache.org/SquidFaq/Intercepti...

    Even I was struggling with a transparent proxy with squid 2.6, and I am still struggling with it! Perhaps the default squid that comes with 10.3 isn't configured to be transparent. I know this sounds lame, but what else could be the solution....

    httpd_accel commands are throwing errors, pre-routing and post-routing don't work. I don't see any other justified answer to this other than that squid needs to be compiled again with --enable-linux-netfilter.