squid 2.6 -- working on port 3128, but not 'transparent'
squid.conf:
http_port 10.10.1.180:3128 transparent
always_direct allow all
What else do I need to do in 2.6 that isn't in this 3.0 how-to?
I don't recall ever needing an always_direct line on Squid 2.x. You really should use a HOWTO which is specific to 2.6 if that's the version you are using.
That said, you haven't really explained what exactly is happening - saying it doesn't work doesn't say much, if anything. What is the Squid log showing? What about firewall logs? Are LAN clients able to ping the Squid box and hosts on the WAN? Are you getting any error messages in the browsers? Are the LAN clients able to use the proxy if manually configured to use it? Plus any other info you could provide would be great.
I don't recall ever needing an always_direct line on Squid 2.x.
I don't either, but for some reason, it was recommended in a HOW-TO. As I couldn't find any difference from my .conf file to requirements described in the 2.6 HOWTO, I started checking for problems encountered in all versions.
Quote:
Originally Posted by win32sux
You really should use a HOWTO which is specific to 2.6 if that's the version you are using.
You assume I didn't, before scrounging around for long shots. Hmm.
Quote:
Originally Posted by win32sux
What is the Squid log showing? What about firewall logs? Are LAN clients able to ping the Squid box and hosts on the WAN? Are you getting any error messages in the browsers? Are the LAN clients able to use the proxy if manually configured to use it? Plus any other info you could provide would be great.
LAN clients not only can ping the Squid box, they can browse the web when configured to use a proxy. I can change squid.conf to proxy on port 80, but even with the directive 'transparent,' truly transparent proxying does not occur. When a browser on the LAN is configured to use a direct connection to the Internet, the squid log records this:
2008/06/01 13:20:00| parseHttpRequest: NF getsockopt(SO_ORIGINAL_DST) failed: (92) Protocol not available
According to the info here, you need to make sure that you have run modprobe ip_conntrack before starting Squid. Do you have the module loaded (or support for conntrack compiled in)?
Two NICs on that box, one connected to the internet [DSL router, to be exact] & the other connected to the LAN.
Heh, yeah, it hit me later that what I was thinking when I asked didn't make sense, as REDIRECT only works on the local machine. Anyhow, it sounds like gilead might have found the culprit for your error message. Let us know.
According to the info here, you need to make sure that you have run modprobe ip_conntrack before starting Squid. Do you have the module loaded (or support for conntrack compiled in)?
Thanks for the link, it matches my error message, but modprobe ip_conntrack has been in my firewall rules all along. Since the iptables script is in /etc/init.d, and the name begins with "00" I'm reasonably confident it's being run on startup, before squid. Since transparent proxying is not necessary, just something that seemed like it could be neat to know how to do, like a parlor trick, I'm giving up on it, at least for now. Thanks for trying.
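Added example, not part of the thread and not code from any poster: a shell check for the two interception prerequisites the replies raise, a loaded conntrack module and a nat REDIRECT rule to the Squid port. The function names, the eth1 interface, the nf_conntrack module names and all sample data are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): checks saved copies of /proc/modules
# and `iptables-save` output for the interception prerequisites discussed above.

# Succeeds if a conntrack module is listed. ip_conntrack is the name used in
# the thread; the nf_conntrack names are an assumption covering later kernels.
# Conntrack compiled into the kernel is not listed and is reported as missing.
conntrack_loaded() {
    awk '$1 ~ /^(ip_conntrack|nf_conntrack_ipv4|nf_conntrack)$/ { found = 1 }
         END { exit !found }' "$1"
}

# Succeeds if the nat table has a PREROUTING rule that REDIRECTs to port $2.
redirect_rule_present() {
    awk -v port="$2" '
        /^\*/ { table = $1 }
        table == "*nat" && $1 == "-A" && $2 == "PREROUTING" && / -j REDIRECT / {
            for (i = 3; i < NF; i++)
                if ($i == "--to-ports" && $(i + 1) == port) found = 1
        }
        END { exit !found }' "$1"
}

# check_intercept MODULES_FILE RULES_FILE PORT: prints findings, returns 1 if a check fails.
check_intercept() {
    rc=0
    conntrack_loaded "$1" || { echo "MISSING: no conntrack module listed"; rc=1; }
    redirect_rule_present "$2" "$3" || { echo "MISSING: nat PREROUTING REDIRECT to port $3"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: conntrack listed, REDIRECT to port $3 present"; fi
    return "$rc"
}

# Constructed sample inputs (not taken from the poster's machine).
sample_dir=$(mktemp -d)
printf '%s\n' 'iptable_nat 7044 1 - Live 0xe0a3c000' \
    'ip_conntrack 49088 2 iptable_nat,ip_nat, Live 0xe0a1b000' > "$sample_dir/modules.ok"
printf '%s\n' 'ip_tables 12288 1 iptable_filter, Live 0xe09f1000' > "$sample_dir/modules.bad"
printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
    '-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128' \
    'COMMIT' > "$sample_dir/rules.ok"
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' 'COMMIT' > "$sample_dir/rules.bad"

check_intercept "$sample_dir/modules.ok" "$sample_dir/rules.ok" 3128
check_intercept "$sample_dir/modules.bad" "$sample_dir/rules.bad" 3128 || true
```

On a live box, save the output of `iptables-save -t nat` to a file and pass `/proc/modules` as the first argument, running the check before Squid starts.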