Squid Transparent Proxy Version: 3.3.8 OS: Ubuntu Server 14.04 Server IP: 192.168.1.3
(excluding comments using grep)
root@ubuntu:~# grep -v '^$\|^\s*\#' /etc/squid3/squid.conf
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl mylocalnetwork src 192.168.1.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access allow mylocalnetwork
http_access deny manager
http_access allow localhost
http_access deny all
http_port 3128 transparent
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /opt/squid/cache 10000 14 256
maximum_object_size 128000 KB
cache_swap_low 95
cache_swap_high 99
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern -i \.(gif|png|jp?g|ico|bmp|tiff?)$ 10080 95% 43200
refresh_pattern -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)$ 10080 90% 43200
refresh_pattern -i \.(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd)$ 43200 95% 432000
refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i \.index.(html|htm)$ 0 75% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 1440 90% 10080
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 13 KB
visible_hostname localhost
Relevant part of /var/log/squid3/cache.log after a restart:
-------------------------------------------------------------
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| Loaded Icons.
2014/07/03 22:11:57| HTCP Disabled.
2014/07/03 22:11:57| Pinger socket opened on FD 13
2014/07/03 22:11:57| Squid plugin modules loaded: 0
2014/07/03 22:11:57| Adaptation support is off.
2014/07/03 22:11:57| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 11 flags=41
2014/07/03 22:11:57| Done reading /opt/squid/cache swaplog (2 entries)
2014/07/03 22:11:57| Finished rebuilding storage from disk.
2014/07/03 22:11:57| 2 Entries scanned
2014/07/03 22:11:57| 0 Invalid entries.
2014/07/03 22:11:57| 0 With invalid flags.
2014/07/03 22:11:57| 2 Objects loaded.
2014/07/03 22:11:57| 0 Objects expired.
2014/07/03 22:11:57| 0 Objects cancelled.
2014/07/03 22:11:57| 0 Duplicate URLs purged.
2014/07/03 22:11:57| 0 Swapfile clashes avoided.
2014/07/03 22:11:57| Took 0.08 seconds ( 24.94 objects/sec).
2014/07/03 22:11:57| Beginning Validation Procedure
2014/07/03 22:11:57| Completed Validation Procedure
2014/07/03 22:11:57| Validated 2 Entries
2014/07/03 22:11:57| store_swap_size = 12.00 KB
2014/07/03 22:11:57| ERROR: No forward-proxy ports configured.
2014/07/03 22:11:57| pinger: Initialising ICMP pinger ...
2014/07/03 22:11:57| pinger: ICMP socket opened.
2014/07/03 22:11:57| pinger: ICMPv6 socket opened
2014/07/03 22:11:57| Pinger exiting.
2014/07/03 22:11:58| storeLateRelease: released 0 objects
(using single interface "eth0" for time being)
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.3:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
The problem is I could not access the internet on my client machines with Squid's IP as gateway and primary DNS, as shown below.
auto eth0
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.3
dns-nameservers 192.168.1.3
When I change DNS on the Ubuntu client to dns-nameservers 192.168.1.1 and on the Windows client to the same IP of the router, 192.168.1.1, instead of the squid IP (192.168.1.3), then I could access the internet on both. This may not be the way to do it, as the page may be rendered directly from the router and not from the squid server using the cache (of course I could see the logs being generated in /var/log/squid3/cache.log). I also noticed my router blinking for the pages which were already accessed; this may mean it sends the request over the internet instead of fetching from the squid cache.
I'm still not compromised. If I could still access the visited pages on my client machines from cache having the internet shut down, I will be satisfied.
What is the procedure to configure clients for a Squid transparent proxy? Could anybody guide me, please?
root@ubuntu:~# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.3:3128
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      eth0    192.168.1.0/24       0.0.0.0/0
It's working on the previous edition, Ubuntu 10.04 (lucid), with Squid Cache: Version 2.7.STABLE7. Below is the squid config file that worked; I could access the internet on client machines when the client's gateway and DNS were set to lucid's IP:
root@lucid:~# grep -v '^$\|^\s*\#' /etc/squid/squid.conf
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl mynet src 192.168.1.0/24 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow mynet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
cache_dir ufs /var/spool/squid 2000 16 256
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
offline_mode on
coredump_dir /var/spool/squid
I'm not sure why it's not working on Ubuntu 14.04 with Squid Cache: Version 3.3.8. I'm definitely missing some settings in the new version of squid or in the new distro!
I might be stating the obvious, but isn't the whole point of a transparent proxy configuration that you DON'T configure the clients? – HBruijn Jul 4 '14 at 17:00
No, I just mentioned the server configs in case they help debug the issue! – user53864 Jul 4 '14 at 17:30
I'm not understanding how to configure squid clients. I could not access internet on client when I use squid's ip(192.168.1.3) as gateway and primary dns server. I think this is the proper way to configure clients! – user53864 Jul 4 '14 at 17:45
No warnings or error messages from squid3 -k parse, it's all clean. – user53864 Jul 6 '14 at 4:17
What is the output of this command: "iptables -t nat -L -n -v"? – TBI Infotech Jul 8 '14 at 8:22
I am not sure, but please take a look at this checklist:
Edit the squid.conf file and change the following line to enable transparent proxy mode:
http_port 3128
to http_port 3128 intercept
service squid restart
service squid reload
Add an entry to the iptables NAT table to port-forward inbound traffic on the inside interface (LAN side) to the Squid server on port 3128 (assuming eth0 is the inside interface with the IP address 192.168.1.3):
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.3:3128
Now you can look at your iptables default filter table and nat table using the following commands:
iptables -L -t filter
iptables -L -t nat
Now you can append to the iptables filter table with the following command, to accept input on port 3128 for Squid:
iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT
Also Try this
You need both one 'intercept' and one 'forward proxy' port in config even if you don't use forward proxy:
http_port 3129
http_port 3128 intercept
Note: The "transparent" option has been deprecated by "intercept" option since 2010.
Squid is a very well known and vastly used cache proxy server for the common web protocols such as HTTP, HTTPS, FTP and more. It caches frequently accessed web pages and thus reduces bandwidth and response time. Squid is available for almost all the platforms including Windows. It is open source and available under GNU/GPL.
Advantages of setting up Squid as Transparent Proxy include the fact that you don't need to configure all the machines on your LAN to connect to Squid manually. All the traffic would be redirected to the Squid Listening Port automatically and your Ubuntu Box would act like a Router.
Follow these steps to set up a Transparent Proxy Server with Squid3 on Ubuntu Lucid (10.04).
1. Install Ubuntu Lucid Server or Desktop on your computer. Both Server and Desktop editions are capable of doing this job equally well.
2. Change your network interfaces from DHCP to Static.
sudo nano /etc/network/interfaces
Tip: You can also use gedit instead of nano if you are using Ubuntu Desktop.
Delete all the text and paste this text in your interfaces file:
auto eth0
iface eth0 inet static
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
post-up iptables-restore < /etc/iptables.up.rules
auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
Where 192.168.1.100 is the IP address of your WAN interface and 192.168.2.1 is the IP address of your LAN interface.
3. Install squid3:
sudo apt-get install squid3
4. Make a backup of your squid.conf for future reference. Squid.conf has nearly all the options listed and it is recommended to go through that file to know more about squid options.
sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original
5. Configure squid3.
sudo nano /etc/squid3/squid.conf
Remove all the text and paste this text in your squid.conf file for a minimal configuration:
http_port 3128 transparent
acl LAN src 192.168.2.0/24
acl localnet src 127.0.0.1/255.255.255.255
http_access allow LAN
http_access allow localnet
cache_dir ufs /var/spool/squid3 20000 16 256
Where 192.168.2.0/24 is the range of your LAN interface.
The last line in that file is defining a cache directory for squid3 to use. Here, the first number denotes the size of cache in MB, 20 GB in this case.
Save and close this file.
6. Restart squid3:
sudo /etc/init.d/squid3 restart
7. Edit /etc/sysctl.conf:
sudo nano /etc/sysctl.conf
In this file, uncomment the lines that enable packet forwarding for IPv4 and IPv6:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Save and close this file.
8. Define IPTABLE rules for port forwarding.
sudo nano /etc/iptables.up.rules
Paste this text in the file that opens up:
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
COMMIT
Save and close this file.
9. Edit /etc/rc.local:
sudo nano /etc/rc.local
Paste this text at the end of the file that opens up:
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
Save and close this file.
10. Reboot your server.
If you don't want to go to each machine on your network and configure it for a static IP, you can use dhcp3-server to assign dynamic IPs to all the computers on your LAN and make them forward all their internet traffic to your squid box.
11. Install dhcp3-server:
sudo apt-get install dhcp3-server
12. Edit /etc/default/dhcp3-server:
sudo nano /etc/default/dhcp3-server
Type eth1 in between the quotes in this line:
INTERFACES=""
Save and close this file.
13. Make a backup of your original /etc/dhcp3/dhcpd.conf:
sudo cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.original
14. Edit /etc/dhcp3/dhcpd.conf:
sudo nano /etc/dhcp3/dhcpd.conf
Delete all the text and paste this text in the file that opens up:
authoritative;
default-lease-time 3600;
max-lease-time 3600;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.2.255;
option routers 192.168.2.1;
option domain-name-servers 8.8.8.8, 8.8.8.4;
option domain-name "my.domain.name";
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.3 192.168.2.253;
}
We are using Google DNS in this example. You can use your own DNS Server if you've configured one on your network.
Save and close this file.
Make sure all the cables on your network are plugged in and the devices are powered on.
15. Start dhcp3-server:
sudo service dhcp3-server start
16. Reboot your server and everything should be working as it should after that.
If you want to bind IP addresses permanently to the same machines, see here:
http://www.tuxgarage.com/2011/01/how-to-bind-ip-address-to-mac-address.html
Enjoy!
=========================================================================================
Published:
21 April 2014
This document describes the steps to setup a Squid proxy server on Ubuntu 14.04
LAN: 192.168.0.0/24
Proxy Server: 192.168.0.3 (hostname: srv.example.com)
$sudo apt-get install squid3
$sudo mkdir -p /var/cache/squid
$sudo chown proxy:proxy /var/cache/squid
Before editing the squid configuration, make a backup of your /etc/squid3/squid.conf file for future reference. squid.conf has nearly all the options listed and it is recommended to go through that file to know more about squid options.
$sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.origin
$sudo vim /etc/squid3/squid.conf
Squid3 configuration:
#Set localnet
acl localnet src 192.168.0.0/16
#Add related http_access before localhost
http_access allow localnet
http_access allow localhost
#Setup cache
cache_dir ufs /var/cache/squid 10000 16 256
cache_mem 600 MB
cache_swap_low 70
cache_swap_high 85
maximum_object_size 32768 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
#Add visible_hostname if you need
visible_hostname srv.example.com
$ sudo squid3 -z
2014/04/21 11:06:21| Squid is already running! Process ID 1060
$sudo vim /etc/sysctl.conf
Modify the following params:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
To apply this configuration:
$sudo sysctl -p
$sudo ufw allow 3128
edwin@srv:~$ sudo service squid3 restart
squid3 stop/waiting
squid3 start/running, process 6576
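Added example, not code from the question, the answer or the Squid project: a small sh script that lints a squid.conf against the answer's checklist (one intercept port plus one forward-proxy port, and the deprecated transparent keyword that the question's 3.3.8 config uses) and prints the REDIRECT/MASQUERADE rules for a single-interface gateway. The script name and the eth0 / 192.168.1.0/24 / 3128 values are assumptions taken from the question's setup; GNU grep and sed are assumed.

```shell
#!/bin/sh
# Added example (not from the question, the answer or Squid): lint a squid.conf
# for the two http_port conditions in the checklist and print matching NAT rules.
# Assumes Squid 3.x syntax, POSIX sh, GNU grep/sed. Conf path is passed as $1.

# All http_port directives with comments stripped, one per line.
http_ports() {
    sed 's/#.*//' "$1" | grep -E '^[[:space:]]*http_port[[:space:]]'
}

# Return 0 when the file has an intercept port AND a plain forward-proxy port,
# 1 otherwise; findings go to stdout so a caller can capture them.
check_intercept_conf() {
    ports=$(http_ports "$1")
    rc=0
    if printf '%s\n' "$ports" | grep -qw transparent; then
        echo "WARN: 'transparent' is deprecated in 3.x, use 'intercept'"
    fi
    if ! printf '%s\n' "$ports" | grep -qwE 'intercept|transparent'; then
        echo "FAIL: no intercept port, NAT-redirected requests are not handled as intercepted traffic"
        rc=1
    fi
    # A forward-proxy port is an http_port line carrying no interception mode flag.
    if ! printf '%s\n' "$ports" | grep -vwE 'intercept|transparent|tproxy|accel' | grep -q .; then
        echo "FAIL: no forward-proxy port, cache.log shows 'No forward-proxy ports configured'"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: intercept and forward-proxy ports both present"
    return "$rc"
}

# NAT rules for a proxy that is also the LAN gateway: REDIRECT on the LAN
# interface (no DNAT to the box's own address needed), restricted to the LAN
# source range so the intercept port never receives traffic from the WAN side.
nat_rules() {
    lan_if=$1 lan_net=$2 wan_if=$3 port=$4
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$lan_if" "$lan_net" "$port"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$lan_net" "$wan_if"
}

# Usage (assumed script name): sh squid-intercept-check.sh /etc/squid3/squid.conf
if [ "$#" -gt 0 ]; then
    check_intercept_conf "$1"
    nat_rules eth0 192.168.1.0/24 eth0 3128
fi
```

Run against the question's config it reports the deprecated keyword and the missing forward-proxy port, which is exactly the error repeated in the cache.log excerpt.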