LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
#1  09-24-2007, 03:05 AM
shobhit (Member, Fedora 7)
Using squid as the default proxy server.


Hi,

I have a squid server (squid-2.6.STABLE16) running on a standalone Fedora 7 box.
Squid is up and running and I can set Firefox to use proxy server 127.0.0.1 and port 3128 to access the net through squid.
I can also set Firefox not to use any proxy, in which case it connects directly to the net without going through squid.

My problem is that I want all traffic to go through squid, irrespective of whether I set the proxy or not.

Searching the net revealed that it is a two-step process:
1. set squid to run as a transparent server, and
2. use iptables to redirect all port 80 and 8080 traffic to 3128.

In version 2.6 it appears we just need to add transparent to the http_port line,
which I have done.
And I am redirecting traffic by setting the following iptables rules:

Code:
# redirect TCP/8080 and TCP/80 arriving on eth0 to the Squid listener on 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Here's my squid.conf
Code:
[sho /usr/local/squid/etc]$ cat squid.conf | grep -v ^# | grep -v ^$
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks
acl localnet src 192.168.1.3/24
http_access allow  localnet
icp_access  allow  localnet
http_access allow  localhost
icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_dir ufs /usr/local/squid/var/cache 100 16 256
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr sho@localhost.localdomain
cache_effective_user squid
cache_effective_group squid
coredump_dir /usr/local/squid/var/cache
I'd appreciate any help to fix this.
Thanks.

Last edited by shobhit; 09-24-2007 at 03:15 AM.
 
#2  09-24-2007, 03:09 AM
shobhit (Original Poster, Fedora 7)
iptables -L does not show the two lines above, which I entered and Linux accepted without any errors.

Is that ok? Or do I need to do that some other way?
I am using iptables v1.3.8 on Fedora 7.

Code:
[root@localhost rc.d]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[root@localhost rc.d]# iptables --version
iptables v1.3.8
I'd appreciate any help to fix this. :-)

Thanks.
 
#3  09-24-2007, 05:35 PM
win32sux (LQ Guru, Ubuntu)
Getting Squid to work transparently on localhost is a little tricky compared to how simple it is to get it to work transparently on a LAN. I tried to figure it out once but got impatient and just dropped it. I ended up using an iptables rule to make sure any outgoing HTTP/HTTPS traffic was generated by the Squid user. So if my parents disabled the proxy setting in Firefox, they wouldn't be able to access the WWW. They are forced to use Squid, just not transparently. So I'll be monitoring this thread in the hope that I too can learn the proper way to do a transparent setup on localhost.
 
#4  10-03-2007, 11:03 PM
yongitz (Member, RHEL/CentOS/Ubuntu/Mint)
Quote:
Originally Posted by shobhit View Post
iptables -L does not show the two lines above that I have entered and Linux accepted without any errors.
You can't really see the result of the commands above with that command. Change it to
Code:
iptables -t nat -L
 
#5  10-04-2007, 03:09 AM
win32sux (LQ Guru, Ubuntu)
Thanks for bumping this. I decided to give the whole "transparent proxy on localhost" thing another shot and I got it working. It was basically just a matter of adding a couple of rules to the OUTPUT chain of the nat table. I also had to tweak a Squid ACL, as the source IP turns up as the IP of the NIC, not localhost. Anyhow, here are the rules:
Code:
iptables -t nat -A OUTPUT -p TCP --dport 80 \
-m owner --uid-owner squid -j ACCEPT

iptables -t nat -A OUTPUT -p TCP --dport 80 \
-j REDIRECT --to-ports 3128
The first rule just makes sure that if the packet was generated by Squid nothing should be done to it (otherwise we'll end up in an infinite loop). The second rule redirects any other matching packets. That said, considering that transparent redirection is only good for HTTP, I won't be doing this on my box. It would be kinda pointless, as I'd have to specify the HTTPS proxy in Firefox anyway. I'll just stick with my old iptables rules that do nothing but make sure the outgoing packets come from Squid. So basically I'm just posting this in case it helps you.

Last edited by win32sux; 10-04-2007 at 03:19 AM.
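The procedure from post #1 (transparent http_port plus iptables REDIRECT), the check from post #4 (look in the nat table, not the filter table) and the working nat OUTPUT rules from post #5, put together as one script. This is an added example written for this page, not code posted in the thread. It assumes what post #1 shows: Squid runs as user "squid" (cache_effective_user), listens on TCP 3128, and logs to /usr/local/squid/var/logs/access.log; the ports 80 and 8080 are the ones the original poster wanted redirected. Nothing is applied unless DRY_RUN=0 is set and the script runs as root.

```shell
#!/bin/sh
# Added example: transparent Squid for traffic generated on the Squid host.
# Packets generated locally never pass nat PREROUTING, so the PREROUTING
# rules from post #1 match nothing; the redirect has to live in nat OUTPUT.
# Assumptions (from post #1): Squid user "squid", port 3128, log path below.
SQUID_USER="${SQUID_USER:-squid}"
SQUID_PORT="${SQUID_PORT:-3128}"
REDIRECT_PORTS="${REDIRECT_PORTS:-80 8080}"
ACCESS_LOG="${ACCESS_LOG:-/usr/local/squid/var/logs/access.log}"
DRY_RUN="${DRY_RUN:-1}"   # 1: print the commands only; 0: execute them (root)

# Emit one complete iptables command per line. For every redirected port the
# exemption for Squid's own uid MUST come before the REDIRECT: Squid's
# outbound fetch to port 80 is locally generated too, and without the
# exemption it would be redirected back into Squid, looping forever.
nat_output_rules() {
    for port in $REDIRECT_PORTS; do
        printf 'iptables -t nat -A OUTPUT -p tcp --dport %s -m owner --uid-owner %s -j ACCEPT\n' \
            "$port" "$SQUID_USER"
        printf 'iptables -t nat -A OUTPUT -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
            "$port" "$SQUID_PORT"
    done
}

# Print the rules (dry run) or execute them in order.
apply_rules() {
    nat_output_rules | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Checks to run afterwards: plain 'iptables -L' lists only the filter table
# (posts #2 and #4), so name the nat table explicitly; then watch the access
# log (post #7) to see which source address the redirected requests carry.
# It is the NIC's (or ppp0's) address, not 127.0.0.1, which is why the
# "localhost" ACL stops matching.
show_state() {
    iptables -t nat -L OUTPUT -n -v --line-numbers
    tail -n 5 "$ACCESS_LOG"
}

apply_rules
[ "$DRY_RUN" = 1 ] || show_state
```

Run it once with the default DRY_RUN=1 to review the four commands, then `DRY_RUN=0 sh thisscript.sh` as root. Only port 80 (and 8080) traffic is caught; HTTPS still has to be pointed at the proxy in the browser, as win32sux notes above.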
 
#6  10-04-2007, 09:49 PM
shobhit (Original Poster, Fedora 7)
iptables -t nat -L does the trick alright.

Also, the iptables rules mentioned by win32sux above give me an "access denied" error, as compared to "page not found" without the rules. So I guess the rules must be doing something right... :-)
Please tell me more about:
Quote:
I also had to tweak a Squid ACL, as the source IP turns up as the IP of the NIC, not localhost.
 
#7  10-05-2007, 03:00 AM
win32sux (LQ Guru, Ubuntu)
Quote:
Originally Posted by shobhit View Post
iptables -t nat -L does the trick alright.

Also the iptable rules mentioned by win32sux above give me an access denied error as compared to page not found without the rules. So I guess the rules must be doing something right... :-)
Please tell me more about.
Look at your Squid's access log when you get the error. You'll see what the request looks like, and then you can determine what needs to be changed in the ACLs. For me the only thing that had changed was that instead of 127.0.0.1 (localhost) the requests now had my NIC's IP as source.

Last edited by win32sux; 10-05-2007 at 03:01 AM.
 
#8  10-05-2007, 11:17 AM
shobhit (Original Poster, Fedora 7)
Access log says that instead of localhost (127.0.0.1) the request is now coming from my external IP address, which is dynamically assigned by my ISP whenever I connect to the net. I am using PPPoE. So I guess that is the end of transparent connection through squid for me... Or is there still hope?
 
#9  10-07-2007, 05:55 AM
win32sux (LQ Guru, Ubuntu)
Quote:
Originally Posted by shobhit View Post
Access log says that instead of localhost (127.0.0.1) the request is now coming from my external IP address, which is dynamically assigned by my ISP whenever I connect to the net. I am using PPPoE. So I guess that is the end of transparent connection through squid for me... Or is there still hope?
I would think there is hope. I'm sure this has been worked around before. My guess is that with the proper iptables rules you might be able to get the requests to look like they are from 127.0.0.1, but I haven't had time to tinker with that. One rather nasty workaround I can think of is to install a dynamic DNS update client on your box (such as those offered by DynDNS.com, NoIP.com, etc.), so that there is always a domain name assigned to your IP. That way, you can just ACL the domain name. But like I said, it's a nasty workaround IMHO.

That said, I'd like to ask you two questions: 1) Considering that you will still have to manually specify the proxy for HTTPS regardless, are you still willing to do this localhost transparent proxy thing? 2) What is the main objective you wish to accomplish by doing this localhost transparent proxy thing?

Last edited by win32sux; 10-07-2007 at 05:56 AM.
 
#10  10-07-2007, 09:00 AM
shobhit (Original Poster, Fedora 7)
Quote:
Originally Posted by win32sux View Post
I would think there is hope. I'm sure this has been worked around before. My guess is that with the proper iptables rules you might be able to get the requests to look like they are from 127.0.0.1, but I haven't had time to tinker with that. One rather nasty workaround I can think of is to install a dynamic DNS update client on your box (such as those offered by DynDNS.com, NoIP.com, etc.), so that there is always a domain name assigned to your IP. That way, you can just ACL the domain name. But like I said, it's a nasty workaround IMHO.

That said, I'd like to ask you two questions: 1) Considering that you will still have to manually specify the proxy for HTTPS regardless, are you still willing to do this localhost transparent proxy thing? 2) What is the main objective you wish to accomplish by doing this localhost transparent proxy thing?
I guess it now worth installing dynamic DNS etc...
Secondly, I changed my rental plan from the month of October from an unlimited one to a limited one; therefore, I now manually connect to the net when required, instead of connecting automatically whenever I switch on the machine. This means I also have to start squid manually when I connect.
So having a manual step in between kind of beats the whole point of transparency.

I am trying to use squid as a cache, so that I appear to have a faster connection and also save some bandwidth cost.
I am trying to make it transparent because I learned on the net that I can. I thought, well, let's give it a try, and also I will learn something new. Transparent proxy is not my main objective, proxy is, and I have achieved that, thanks to everyone who took the time to reply to this thread.
 
#11  11-23-2007, 09:37 PM
michal017 (Member, Debian)
Quote:
Originally Posted by win32sux View Post
I also had to tweak a Squid ACL, as the source IP turns up as the IP of the NIC, not localhost.
I have the exact same problem... I'm wondering why no 'squid as transparent proxy' tutorial mentions this.
 
#12  11-23-2007, 10:36 PM
michal017 (Member, Debian)
What I did (as a workaround) is put this in squid.conf:
Code:
acl localnet1 src 10.0.0.0/24
acl localnet2 src 192.168.0.0/16
http_access allow localnet1
http_access allow localnet2
 
#13  11-24-2007, 02:57 AM
win32sux (LQ Guru, Ubuntu)
Quote:
Originally Posted by michal017 View Post
What I did (as a workaround) is put this in squid.conf:
acl localnet1 src 10.0.0.0/24
acl localnet2 src 192.168.0.0/16
http_access allow localnet1
http_access allow localnet2
That doesn't really help someone with a dynamic public IP, though. Yes, for those of us behind a router it's a no-brainer, but for those who are directly connected to the Internet it's a different story.

EDIT: I'm thinking that since this is on an individual PC, one could simply allow everything (in Squid). In other words, have something like "http_access allow Safe_ports all" in there. It sucks, I know, but one would simply be more reliant on the local firewall to handle the network access aspect of security, and one would never have to worry about the IP changing, etc. With the proper INPUT rules, nobody from the outside would be able to connect to Squid.

Last edited by win32sux; 11-24-2007 at 03:49 AM.
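The "allow everything in Squid and let the firewall do the access control" approach from the post above, together with the "only the Squid user may talk to the web directly" rule win32sux describes in posts #3 and #5, as one script. This is an added example for this page, not something posted in the thread. Assumptions: Squid runs as uid "squid" on port 3128 (post #1); the Fedora RH-Firewall-1-INPUT chain from post #2 is in place, so the new INPUT rules are inserted with -I ahead of the jump to it rather than appended behind its final REJECT; and Squid is also bound to 127.0.0.1 in http_port, which is this example's own tightening and not something the thread proposes. The `! --uid-owner` negation is the current iptables spelling; iptables of the 1.3.x era placed the `!` after the option.

```shell
#!/bin/sh
# Added example: make "http_access allow all" safe by fencing the listener
# with the packet filter, and refuse direct web access from every uid except
# Squid's. Assumptions: Squid user "squid", port 3128, Fedora-style INPUT
# chain that ends in REJECT (post #2), Squid bound to 127.0.0.1 (see below).
SQUID_USER="${SQUID_USER:-squid}"
SQUID_PORT="${SQUID_PORT:-3128}"
DRY_RUN="${DRY_RUN:-1}"   # 1: print only; 0: execute (root)

# Who may reach Squid: only this host, over loopback. A connection REDIRECTed
# in nat OUTPUT gets destination 127.0.0.1, so it arrives on lo as well.
# Rule 1 accepts loopback, rule 2 refuses the port on every other interface;
# both go in front of the jump to RH-Firewall-1-INPUT.
input_rules() {
    printf 'iptables -I INPUT 1 -i lo -p tcp --dport %s -j ACCEPT\n' "$SQUID_PORT"
    printf 'iptables -I INPUT 2 -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' "$SQUID_PORT"
}

# Only the Squid uid may open direct HTTP/HTTPS connections. Firefox with the
# proxy setting switched off is refused on 443; its port-80 connections were
# already rewritten to 127.0.0.1:3128 by nat OUTPUT before filter OUTPUT sees
# them, so they are unaffected. Other local tools (yum as root, wget) are
# refused too unless they are pointed at the proxy or exempted the same way.
output_enforcement_rules() {
    printf 'iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner ! --uid-owner %s -j REJECT --reject-with tcp-reset\n' \
        "$SQUID_USER"
}

# Matching squid.conf fragment (added here, not from the thread). Binding to
# 127.0.0.1 is a second fence next to the INPUT rules; with both in place the
# source-address ACLs that broke on a dynamic PPPoE address (post #8) are no
# longer needed, and the stock deny rules still run before the final allow.
squid_conf_fragment() {
    cat <<EOF
http_port 127.0.0.1:${SQUID_PORT} transparent
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
EOF
}

apply_rules() {
    { input_rules; output_enforcement_rules; } | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

apply_rules
echo "# paste into squid.conf in place of the existing http_port/http_access lines:"
squid_conf_fragment
```

Order matters in both halves: the loopback ACCEPT must sit before the REJECT on 3128, and in squid.conf the deny rules must stay above `http_access allow all`, otherwise the Safe_ports and CONNECT restrictions are bypassed. After applying, `iptables -L INPUT -n --line-numbers` should show the two new rules at positions 1 and 2, and a connection attempt to port 3128 from another host on the LAN should get a TCP reset.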
 
  

