Patchlog - Latest Comments in squid 2.6 transparent proxy

Re: squid 2.6 transparent proxy

Siddharth — Tue, 01 Jan 2008 22:23:46 -0000

Guys

The names of the directives seem to have changed in squid 2.6. Look at the comments in /etc/squid/squid.conf regarding transparent mode. Also see the sections pertaining to squid 2.6 in the second document:

http://wiki.squid-cache.org...

even i was struggling with a transperant proxy with squid 2.6 and i am still strugling with it ! perhaps the default squid that comes with 10.3 isnt configured to be trasperant - i know this sounds lame but what else could be the solution....

httpd_accel commands are throwing errors , pre-routing and post routing doesnt work - i dont see no other justified answer to this other that - squid need to be compiled again with --enable-linux-netfilter

Re: squid 2.6 transparent proxy

nigel348 — Mon, 12 Nov 2007 05:13:47 -0000

Do we have a detailed reference to the configuration? Ta

Re: squid 2.6 transparent proxy

bunj — Thu, 26 Apr 2007 11:31:01 -0000

Rocky, you might be able to make it work in your scenario.
You may be able to use WCCP or policy based routing.

For WCCP you have to have a WCCP capable device in the path of the web traffic.
So if either your firewall or router can do this, have a look at the squid wiki and the docs for the router for setting up WCCP.
I have it working with a cisco, works fine and isnt too hard to set up.

Policy routing is then you match traffic based on source, destination or port (or other things), then do something special to it.
An example of this would be to match all web traffic passing through your router destined for an external address, you then redirect that traffic to your squid box. This all depends on how smart your router is.

In either of these the squid box does not need to be in the direct path to see all your traffic, you just need one of your existing devices to have one or both of the above so it can flick web traffic to squid and send the rest the usual way.

Re: squid 2.6 transparent proxy

Mihai — Thu, 19 Apr 2007 03:16:27 -0000

Of course it will not work. How would it be able to redirect packets to squid if the packets don't even get to it?
You can set this as the gateway and still use your hardware router, but you have to add another rule to POSTROUTING.

iptables -t nat -A POSTROUTING -o $EXT_IF -s $LOCAL_NET -d ! $LOCAL_NET -j SNAT --to $EXT_IP
$EXT_IF is your external interface ( the interface linked to the hardware router in your case )
$LOCAL_NET is 192.168.0.0/24 in your case
$EXT_IP is the ip assigned to your external interface ( 192.168.0.250 ? )

you can use just one interface if you want and it can act as both an external and internal interface but you have to set it up to have two different ips ( in two different classes ) one for connecting to the hardware router and the other for your local network.
You also have to set your workstations on your lan to have an ip in the same class as the one you set on your server for the local interface, and make the workstations use the server's ip as the gateway not the hardware router.

Re: squid 2.6 transparent proxy

Rocky — Wed, 18 Apr 2007 18:05:08 -0000

Oh so it will not work if it's not the gateway? I have it set as a node on my lan because I have a hardware firewall, a Netopia Router. Do you know of anyway to make transparent proxy work in this type of scenerio?

Re: squid 2.6 transparent proxy

Mihai — Wed, 18 Apr 2007 17:47:50 -0000

This machine has to act as the gateway for your local network. Do you have it configured this way? do you have a rule in the POSTROUTING chain for doing SNAT or something like that ? does that work ?

Re: squid 2.6 transparent proxy

Rocky — Wed, 18 Apr 2007 16:26:14 -0000

Hey Mihai,

I appreciate the help bro. I edited my sysctl.conf file and added net.ipv4.ip_forward = 1
to it. So whenever I reboot, it automatically turns on ip forwarding. So I am not doing ehco 1 > /proc/sys/net/ipv4/ip_forward.

When I run iptables -t nat -L -n -v, this is what I get:

Chain PREROUTING (policy ACCEPT 4 packets, 192 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

Re: squid 2.6 transparent proxy

Mihai — Wed, 18 Apr 2007 16:16:08 -0000

did you also do : echo 1 > /proc/sys/net/ipv4/ip_forward
?

if you run iptables -t nat -L -n -v does it show any packets matching the iptables rule that you added to PREROUTING ?

Re: squid 2.6 transparent proxy

Rocky — Wed, 18 Apr 2007 15:59:42 -0000

Hey Mihai,

Ok so I've done the cat /proc/sys/net/ipv4/ip_forward thing and I not have ip forwarding on. I also made sure that the iptables entry is correct.

I still cannot do transparent proxy. It only works when I manually set IE to use a proxy. Any ideas?

Re: squid 2.6 transparent proxy

Mihai — Wed, 18 Apr 2007 12:46:18 -0000

do you have ip forwarding enabled ?
cat /proc/sys/net/ipv4/ip_forward should show 1. if not then : echo 1 > /proc/sys/net/ipv4/ip_forward
and if you want this to work after a reboot put it somewhere like rc.local or /etc/sysctl.conf

Re: squid 2.6 transparent proxy

Rocky — Wed, 18 Apr 2007 09:28:53 -0000

Hey guys,

I just came across this proxy and was wondering if you guys can help me out. I have the classic 192.168.0.0 subnet running at my organization with a hardware router that is also the gateway. I've been trying to get squid 2.6, running on Debian Etch with kernel 2.6, but with no success. I've gotten it to work by setting my IE to use a proxy but it doesn't seem to want to work transparently. I've entered the iptables entry but still, same result. My setup is below:

Compaq EN 1ghz, 512MB Ram with onboard Intel nic
Installed Debian Etch from netinst CD with no packages.
Configure Nic with IP 192.168.0.250 255.255.255.0 gw192.168.0.2 dns 4.2.2.1
Did apt-get install squid
Configured squid.conf:
http_port 3128 transparent
acl lan src 192.168.0.0/24
http_access allow localhost
http_access allow lan

Iptables entry:
iptables -t nat -A PREROUTING -i eth0 -p tcp -dport 80 -j REDIRECT -to-port
3128

Can someone help me figure this out?

Thanks,

Re: squid 2.6 transparent proxy

swenska — Wed, 14 Mar 2007 19:55:19 -0000

if the redirect don't work, try this:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Re: squid 2.6 transparent proxy

Mihai — Fri, 09 Mar 2007 09:23:00 -0000

That configuration works on my server, maybe the problem is somewhere else. More details would be good if you want some help.

Re: squid 2.6 transparent proxy

Marco A. Barragan — Fri, 09 Mar 2007 08:48:57 -0000

But that not make the cache work, i search for months how to make transparent and cache proxy in 2.6 but no solution, lol, i return to 2.4 version cause that...