Re: [squid-users] Transparent Squid Proxy Server

2015-07-11 Thread Nathan Hoad
I'm using 3.5 with transparent server first bumping in ~100 deployments so
far, it works just fine, excluding with SNI and everything.
On 12/07/2015 10:58 am, "Yuri Voinov"  wrote:

>  Man,
>
> 3.5.x don't work with server-first. It must be for backward compatibility
> - but don't be.
>
> Also, AFAIK, 3.5.x series don't work with transparent NAT interception in
> bump mode. Fake certs are generated, but with IP against hostnames (in all
> my test installations).
>
> So, if you strictly need working bump with transparent interception,
> rollback to 3.4.
>
> WBR, Yuri.
>
> 24.06.15 12:04, Reet Vyas wrote:
>
> Hi
> Below is my squid file. I have configured squid 3.5.3 with SSL, but I
> can't filter HTTPS traffic, and I also can't see HTTPS in the access
> log.
>
>
> #
> # Recommended minimum configuration:
> #
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 116.72.152.37 192.168.0.0/24 # adjust to your client/local IP range
>
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443  # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210  # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280  # http-mgmt
> acl Safe_ports port 488  # gss-http
> acl Safe_ports port 591  # filemaker
> acl Safe_ports port 777  # multiling http
> # storeid *test*
> acl urlrewrite dstdomain .fbcdn.net .akamaihd.net
> acl speedtest url_regex -i speedtest\/.*\.(jpg|txt)\?.*
> acl reverbnation url_regex -i reverbnation.*audio_player.*ec_stream_song.*$
> acl utmgif url_regex -i utm.gif.*
> acl playstoreandroid url_regex -i c.android.clients.google.com.market.GetBinary.GetBinary.*
> acl idyoutube url_regex -i youtube.*(ptracking|stream_204|player_204).*(v\=|docid\=|video_id\=).*$
> acl videoyoutube url_regex -i (youtube|googlevideo).*videoplayback\?
> acl videoyoutube url_regex -i (youtube|googlevideo).*videoplayback\?
> acl CONNECT method CONNECT
> acl getmethod method GET
> acl loop_302 http_status 302
> acl step1 at_step SslBump1
> acl youtube dstdomain .youtube.com
> acl blocksites dstdomain "/etc/squid/restricted-sites.squid"
> # TAG: QUERY
> # -
> acl QUERY urlpath_regex -i (hackshield|blank.html|infinity.js|hshield.da|renew_session_token.php|recaptcha.js|dat.asp|notice.swf|patchlist.txt|hackshield|captcha|reset.css|update.ver|notice.html|updates.txt|gamenotice|images.kom|patchinfo.xml|noupdate.ui|\.Xtp|\.htc|\.txt)
> acl QUERY urlpath_regex -i (patch.conf|uiimageset.xml.iop|gashaponwnd.xml.iop|loading.swf|download.swf|version.list|version.ini|launch.jnlp|server_patch.cfg.iop|core.swf|Loading.swf|resouececheck.sq|mainloading.swf|config.xml|gemmaze.swf|xml.png|size.xml|resourcesbar.swf|version.xml|version.list|delete.ini)
> acl QUERY urlpath_regex -i \.(jsp|asp|aspx|cfg|iop|zip|php|xml|html)(\?|$)
> cache deny QUERY
> cache deny youtube
>
> #
> acl dontstore url_regex ^http:\/\/(([\d\w-]*(\.[^\.\-]*?\..*?))(\/\mosalsal\/[\d]{4}\/.*\/)(.*\.flv))\?start.*
> acl dontstore url_regex redbot\.org \.php
> acl dontstore url_regex -i ^http:\/\/.*gemscool\.com\/.*
> acl dontstore url_regex \.(aspx|php)\?
> acl dontstore url_regex goldprice\.org\/NewCharts\/gold\/images\/.*\.png
> acl dontstore url_regex google\.co(m|\.[a-z]{2})\/complete\/search\?
> acl dontstore url_regex redirector\.([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id|get_video_info\?|ptracking\?|player_204\?|stream_204\?).*
>
> acl store_yt_id url_regex -i youtube.*(ptracking|stream_204|playback|player_204|watchtime|set_awesome|s\?|ads).*(video_id|docid|\&v|content_v)\=([^\&\s]*).*$
> acl store_id_list_yt url_regex -i (youtube|googlevideo).*videoplayback.*$
> acl store_id_list_yt url_regex ^https?\:\/\/([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id).*
>
> acl store-id_list urlpath_regex -i dl\.sourceforge\.net
> acl store-id_list urlpath_regex -i \.ytimg\.com
> acl store-id_list urlpath_regex -i \.(akamaihd|fbcdn)\.net
> acl store_id_list urlpath_regex -i [a-zA-Z]{2}[0-9]*\.4shared\.com\/download\/
>
> acl store_id_list_url url_regex ^http:\/\/[0-9]\.bp\.blogspot\.com.*\.(jpeg|jpg|png|gif|ico)
> acl store_id_list_url url_regex ^http[s]?:\/\/.*\.twimg\.com\/(.*)\.(gif|jpeg|jpg|png|js|css)
> acl store_id_list_url url_regex ^http[s]?:\/\/(media|static)\.licdn\.com\/.*\.(png|jpg|gif|woff)
> acl store_id_list_url url_regex ^https:\/\/fb(static|cdn)\-.*\-a.akamaihd.net\/(.*)\.(gif|jpeg|jpg|png|js|css|mp4)
> acl store_id_list_url url_regex ^http:\/\/.*\.ak\.fbcdn\.net\/.*\.(gif|jpg|png|js|mp4)
>
> # pass requests
> url_rewrite_program /etc/squid/phpredir.php
> url_rewrite_access allow youtube
>
> requ

Re: [squid-users] Transparent Squid Proxy Server

2015-07-11 Thread Yuri Voinov

Man,

3.5.x don't work with server-first. It must be for backward 
compatibility - but don't be.


Also, AFAIK, 3.5.x series don't work with transparent NAT interception 
in bump mode. Fake certs are generated, but with IP against hostnames 
(in all my test installations).


So, if you strictly need working bump with transparent interception, 
rollback to 3.4.


WBR, Yuri.

24.06.15 12:04, Reet Vyas wrote:

Hi
Below is my squid file. I have configured squid 3.5.3 with SSL, but
I can't filter HTTPS traffic, and I also can't see HTTPS in the
access log.



#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 116.72.152.37 192.168.0.0/24 # adjust to your client/local IP range


acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443  # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
# storeid *test*
acl urlrewrite dstdomain .fbcdn.net  .akamaihd.net 


acl speedtest url_regex -i speedtest\/.*\.(jpg|txt)\?.*
acl reverbnation url_regex -i reverbnation.*audio_player.*ec_stream_song.*$
acl utmgif url_regex -i utm.gif.*
acl playstoreandroid url_regex -i c.android.clients.google.com.market.GetBinary.GetBinary.*
acl idyoutube url_regex -i youtube.*(ptracking|stream_204|player_204).*(v\=|docid\=|video_id\=).*$
acl videoyoutube url_regex -i (youtube|googlevideo).*videoplayback\?
acl videoyoutube url_regex -i (youtube|googlevideo).*videoplayback\?
acl CONNECT method CONNECT
acl getmethod method GET
acl loop_302 http_status 302
acl step1 at_step SslBump1
acl youtube dstdomain .youtube.com
acl blocksites dstdomain "/etc/squid/restricted-sites.squid"
# TAG: QUERY
# -
acl QUERY urlpath_regex -i (hackshield|blank.html|infinity.js|hshield.da|renew_session_token.php|recaptcha.js|dat.asp|notice.swf|patchlist.txt|hackshield|captcha|reset.css|update.ver|notice.html|updates.txt|gamenotice|images.kom|patchinfo.xml|noupdate.ui|\.Xtp|\.htc|\.txt)
acl QUERY urlpath_regex -i (patch.conf|uiimageset.xml.iop|gashaponwnd.xml.iop|loading.swf|download.swf|version.list|version.ini|launch.jnlp|server_patch.cfg.iop|core.swf|Loading.swf|resouececheck.sq|mainloading.swf|config.xml|gemmaze.swf|xml.png|size.xml|resourcesbar.swf|version.xml|version.list|delete.ini)
acl QUERY urlpath_regex -i \.(jsp|asp|aspx|cfg|iop|zip|php|xml|html)(\?|$)
cache deny QUERY
cache deny youtube

#
acl dontstore url_regex ^http:\/\/(([\d\w-]*(\.[^\.\-]*?\..*?))(\/\mosalsal\/[\d]{4}\/.*\/)(.*\.flv))\?start.*
acl dontstore url_regex redbot\.org \.php
acl dontstore url_regex -i ^http:\/\/.*gemscool\.com\/.*
acl dontstore url_regex \.(aspx|php)\?
acl dontstore url_regex goldprice\.org\/NewCharts\/gold\/images\/.*\.png
acl dontstore url_regex google\.co(m|\.[a-z]{2})\/complete\/search\?
acl dontstore url_regex redirector\.([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id|get_video_info\?|ptracking\?|player_204\?|stream_204\?).*

acl store_yt_id url_regex -i youtube.*(ptracking|stream_204|playback|player_204|watchtime|set_awesome|s\?|ads).*(video_id|docid|\&v|content_v)\=([^\&\s]*).*$
acl store_id_list_yt url_regex -i (youtube|googlevideo).*videoplayback.*$
acl store_id_list_yt url_regex ^https?\:\/\/([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id).*

acl store-id_list urlpath_regex -i dl\.sourceforge\.net
acl store-id_list urlpath_regex -i \.ytimg\.com
acl store-id_list urlpath_regex -i \.(akamaihd|fbcdn)\.net
acl store_id_list urlpath_regex -i [a-zA-Z]{2}[0-9]*\.4shared\.com\/download\/

acl store_id_list_url url_regex ^http:\/\/[0-9]\.bp\.blogspot\.com.*\.(jpeg|jpg|png|gif|ico)
acl store_id_list_url url_regex ^http[s]?:\/\/.*\.twimg\.com\/(.*)\.(gif|jpeg|jpg|png|js|css)
acl store_id_list_url url_regex ^http[s]?:\/\/(media|static)\.licdn\.com\/.*\.(png|jpg|gif|woff)
acl store_id_list_url url_regex ^https:\/\/fb(static|cdn)\-.*\-a.akamaihd.net\/(.*)\.(gif|jpeg|jpg|png|js|css|mp4)
acl store_id_list_url url_regex ^http:\/\/.*\.ak\.fbcdn\.net\/.*\.(gif|jpg|png|js|mp4)


# pass requests
url_rewrite_program /etc/squid/phpredir.php
url_rewrite_access allow youtube

request_header_access Range deny store_id_list_yt
range_offset_limit 10 KB store_id_list_yt


###
# Recommended minimum Access Permission configuration:
#
# Deny requests

Re: [squid-users] Transparent Squid Proxy Server

2015-06-23 Thread Reet Vyas
Hi
Below is my squid file. I have configured squid 3.5.3 with SSL, but I
can't filter HTTPS traffic, and I also can't see HTTPS in the access
log.


#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 116.72.152.37 192.168.0.0/24 # adjust to your client/local IP range

acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443  # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210  # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280  # http-mgmt
acl Safe_ports port 488  # gss-http
acl Safe_ports port 591  # filemaker
acl Safe_ports port 777  # multiling http
# storeid *test*
acl urlrewrite dstdomain .fbcdn.net .akamaihd.net
acl speedtest url_regex -i speedtest\/.*\.(jpg|txt)\?.*
acl reverbnation url_regex -i reverbnation.*audio_player.*ec_stream_song.*$
acl utmgif url_regex -i utm.gif.*
acl playstoreandroid url_regex -i c.android.clients.google.com.market.GetBinary.GetBinary.*
acl idyoutube url_regex -i youtube.*(ptracking|stream_204|player_204).*(v\=|docid\=|video_id\=).*$
acl videoyoutube url_regex -i (youtube|googlevideo).*videoplayback\?
acl videoyoutube url_regex -i (youtube|googlevideo).*videoplayback\?
acl CONNECT method CONNECT
acl getmethod method GET
acl loop_302 http_status 302
acl step1 at_step SslBump1
acl youtube dstdomain .youtube.com
acl blocksites dstdomain "/etc/squid/restricted-sites.squid"
# TAG: QUERY
# -
acl QUERY urlpath_regex -i (hackshield|blank.html|infinity.js|hshield.da|renew_session_token.php|recaptcha.js|dat.asp|notice.swf|patchlist.txt|hackshield|captcha|reset.css|update.ver|notice.html|updates.txt|gamenotice|images.kom|patchinfo.xml|noupdate.ui|\.Xtp|\.htc|\.txt)
acl QUERY urlpath_regex -i (patch.conf|uiimageset.xml.iop|gashaponwnd.xml.iop|loading.swf|download.swf|version.list|version.ini|launch.jnlp|server_patch.cfg.iop|core.swf|Loading.swf|resouececheck.sq|mainloading.swf|config.xml|gemmaze.swf|xml.png|size.xml|resourcesbar.swf|version.xml|version.list|delete.ini)
acl QUERY urlpath_regex -i \.(jsp|asp|aspx|cfg|iop|zip|php|xml|html)(\?|$)
cache deny QUERY
cache deny youtube

#
acl dontstore url_regex ^http:\/\/(([\d\w-]*(\.[^\.\-]*?\..*?))(\/\mosalsal\/[\d]{4}\/.*\/)(.*\.flv))\?start.*
acl dontstore url_regex redbot\.org \.php
acl dontstore url_regex -i ^http:\/\/.*gemscool\.com\/.*
acl dontstore url_regex \.(aspx|php)\?
acl dontstore url_regex goldprice\.org\/NewCharts\/gold\/images\/.*\.png
acl dontstore url_regex google\.co(m|\.[a-z]{2})\/complete\/search\?
acl dontstore url_regex redirector\.([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id|get_video_info\?|ptracking\?|player_204\?|stream_204\?).*

acl store_yt_id url_regex -i youtube.*(ptracking|stream_204|playback|player_204|watchtime|set_awesome|s\?|ads).*(video_id|docid|\&v|content_v)\=([^\&\s]*).*$
acl store_id_list_yt url_regex -i (youtube|googlevideo).*videoplayback.*$
acl store_id_list_yt url_regex ^https?\:\/\/([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id).*

acl store-id_list urlpath_regex -i dl\.sourceforge\.net
acl store-id_list urlpath_regex -i \.ytimg\.com
acl store-id_list urlpath_regex -i \.(akamaihd|fbcdn)\.net
acl store_id_list urlpath_regex -i [a-zA-Z]{2}[0-9]*\.4shared\.com\/download\/

acl store_id_list_url url_regex ^http:\/\/[0-9]\.bp\.blogspot\.com.*\.(jpeg|jpg|png|gif|ico)
acl store_id_list_url url_regex ^http[s]?:\/\/.*\.twimg\.com\/(.*)\.(gif|jpeg|jpg|png|js|css)
acl store_id_list_url url_regex ^http[s]?:\/\/(media|static)\.licdn\.com\/.*\.(png|jpg|gif|woff)
acl store_id_list_url url_regex ^https:\/\/fb(static|cdn)\-.*\-a.akamaihd.net\/(.*)\.(gif|jpeg|jpg|png|js|css|mp4)
acl store_id_list_url url_regex ^http:\/\/.*\.ak\.fbcdn\.net\/.*\.(gif|jpg|png|js|mp4)

# pass requests
url_rewrite_program /etc/squid/phpredir.php
url_rewrite_access allow youtube

request_header_access Range deny store_id_list_yt
range_offset_limit 10 KB store_id_list_yt


###
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
###
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocksites
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

###
# squid ssl_bump option
###
always_direct allow all
ssl_bump s

Re: [squid-users] Transparent Squid Proxy Server

2015-06-05 Thread Reet Vyas
Hi

Thanks for the reply. I am trying to cache YouTube using this wiki,
http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube, but I
can't cache YouTube.

I want to cache Facebook and YouTube. What SSL certificate installation do I
have to do? Please suggest some links.

On Thu, Jun 4, 2015 at 6:48 PM, Amos Jeffries  wrote:

> On 5/06/2015 12:55 a.m., Reet Vyas wrote:
> > Thank you everyone for helping me to set up squid. Now it's working, but in
> > access.logs I only see TCP_MISS even if I'm using the same website. I mean squid is
> > not caching.
>
> You will get MISS a fair bit more with intercepted traffic than with
> normal proxied traffic. Particularly on certain major CDN who play
> tricks with DNS.
>
> The reasons and some workarounds you need to be doing are explained in
> 
>
> Amos
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>


Re: [squid-users] Transparent Squid Proxy Server

2015-06-04 Thread Amos Jeffries
On 5/06/2015 12:55 a.m., Reet Vyas wrote:
> Thank you everyone for helping me to set up squid. Now it's working, but in
> access.logs I only see TCP_MISS even if I'm using the same website. I mean squid is
> not caching.

You will get MISS a fair bit more with intercepted traffic than with
normal proxied traffic. Particularly on certain major CDN who play
tricks with DNS.

The reasons and some workarounds you need to be doing are explained in


Amos



Re: [squid-users] Transparent Squid Proxy Server

2015-06-04 Thread Reet Vyas
Thank you everyone for helping me to set up squid. Now it's working, but in
access.logs I only see TCP_MISS even if I'm using the same website. I mean squid is
not caching.

Logs

43 192.168.0.198 TCP_MISS/200 384461 GET http://www.horlicksquad.com/images/tc-pic.png - HIER_DIRECT/52.74.133.61 image/png
1433422076.988 309 192.168.0.198 TCP_MISS/200 38007 GET http://www.horlicksquad.com/about-us - HIER_DIRECT/52.74.133.61 text/html
1433422077.188 224 192.168.0.198 TCP_MISS/200 17622 GET http://www.horlicksquad.com/images/panel05.png - HIER_DIRECT/52.74.133.61 image/png
1433422077.226 140 192.168.0.198 TCP_MISS/200 13840 GET http://www.horlicksquad.com/images/au-bg.png - HIER_DIRECT/52.74.133.61 image/png
1433422077.261 208 192.168.0.198 TCP_MISS/200 60858 GET http://www.horlicksquad.com/images/sonny-horlicks-abtus.png - HIER_DIRECT/52.74.133.61 image/png

How do I check whether the cache is working or not? I want to cache videos, images and CSS.

On Thu, Jun 4, 2015 at 3:37 PM, Amos Jeffries  wrote:

> On 4/06/2015 6:43 p.m., Reet Vyas wrote:
> > Hi,
> >
> > I changed the iptables still no luck :( but I am using squid 3.3 only can I
> > didn't understand why you have configured 3129 ,3130 and 3128 port?
>
> Because due to historic (browser war politics) reasons there are three
> different protocol message syntax in HTTP/1.x - depending whether the
> traffic is on port 80 (HTTP origin), 443 (HTTPS origin), or 3128 (HTTP
> proxy).
>
>
> * Normal forward/explicit proxy traffic occurs on port 3128. Squid needs
> this port regardless of whether your main traffic use is on another port
> type, because some proxy responses will have URLs generated for embedded
> content to be fetched from the proxy itself.
>
> * NAT intercepted port 80 traffic needs to be delivered to a different
> proxy http_port with the "intercept" flag. The tutorials use 3129 to
> make it clear it's not to be 3128, but it SHOULD be something random you
> make up that you can also have the firewall blocking connections
> directly to it by clients.
>
> * NAT intercepted port 443 traffic needs https_port directive (note the
> 's') which means another port number separate from the port 80 one.
>
>
> Amos
>
>
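To answer the question above about how to tell whether the cache is working, here is an added example (not code from the thread or from the Squid project) that parses Squid's native access.log format and reports hit/miss counts, mean service time per class, and which URLs were served from cache on a repeat visit. The sample lines are constructed from the ones posted, with a deliberately truncated line to show how a malformed entry is counted and skipped rather than guessed at.

```python
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample in Squid's native access.log format, modelled on the
# lines Reet posted: a first visit (all misses), a repeat visit a few seconds
# later, and a deliberately truncated last line like the first line of the
# paste. The repeat-visit lines are invented to show what a working cache logs.
SAMPLE_LOG = """\
1433422076.988    309 192.168.0.198 TCP_MISS/200 38007 GET http://www.horlicksquad.com/about-us - HIER_DIRECT/52.74.133.61 text/html
1433422077.188    224 192.168.0.198 TCP_MISS/200 17622 GET http://www.horlicksquad.com/images/panel05.png - HIER_DIRECT/52.74.133.61 image/png
1433422077.226    140 192.168.0.198 TCP_MISS/200 13840 GET http://www.horlicksquad.com/images/au-bg.png - HIER_DIRECT/52.74.133.61 image/png
1433422099.101      2 192.168.0.198 TCP_MEM_HIT/200 17622 GET http://www.horlicksquad.com/images/panel05.png - HIER_NONE/- image/png
1433422099.104      3 192.168.0.198 TCP_HIT/200 13840 GET http://www.horlicksquad.com/images/au-bg.png - HIER_NONE/- image/png
1433422099.350     87 192.168.0.198 TCP_REFRESH_UNMODIFIED/200 38007 GET http://www.horlicksquad.com/about-us - HIER_DIRECT/52.74.133.61 text/html
43 192.168.0.198 TCP_MISS/200 384461 GET http://www.horlicksquad.com/images/tc-pic.png - HIER_DIRECT/52.74.133.61 image/png
"""

# Field order of Squid's native access.log format.
NATIVE_FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes",
                 "method", "url", "user", "hierarchy", "content_type")

# Result codes meaning the response body came from Squid's own cache.
HIT_CODES = {"TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT", "TCP_REFRESH_UNMODIFIED",
             "TCP_NEGATIVE_HIT", "TCP_OFFLINE_HIT"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one native-format line; return None for anything that is not one."""
    fields = line.split()
    if len(fields) != len(NATIVE_FIELDS) or "/" not in fields[3]:
        return None  # truncated or foreign line: report it, do not guess
    rec = dict(zip(NATIVE_FIELDS, fields))
    rec["code"], rec["status"] = rec["result"].split("/", 1)
    return rec


def _mean(values: List[int]) -> float:
    return sum(values) / len(values) if values else 0.0


def summarize(log_text: str) -> Dict[str, object]:
    """Hit/miss counts, per-code counts, timing, and URLs that went MISS then HIT."""
    codes: Counter = Counter()
    elapsed: Dict[str, List[int]] = {"hit": [], "miss": []}
    missed, served_after_miss = set(), set()
    unparsable = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsable += 1
            continue
        codes[rec["code"]] += 1
        if rec["code"] in HIT_CODES:
            elapsed["hit"].append(int(rec["elapsed_ms"]))
            if rec["url"] in missed:  # cache was warmed by an earlier MISS
                served_after_miss.add(rec["url"])
        else:
            elapsed["miss"].append(int(rec["elapsed_ms"]))
            missed.add(rec["url"])
    hits, misses = len(elapsed["hit"]), len(elapsed["miss"])
    total = hits + misses
    return {
        "parsed": total,
        "unparsable": unparsable,
        "hits": hits,
        "misses": misses,
        "hit_ratio": hits / total if total else 0.0,
        "codes": dict(codes),
        "mean_elapsed_ms": {"hit": _mean(elapsed["hit"]), "miss": _mean(elapsed["miss"])},
        "served_from_cache_after_miss": sorted(served_after_miss),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A log that shows only TCP_MISS with HIER_DIRECT on a repeat visit, as in the posted excerpt, means nothing is being served from cache; the same script run over a real access.log will show that directly.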


Re: [squid-users] Transparent Squid Proxy Server

2015-06-04 Thread Amos Jeffries
On 4/06/2015 6:43 p.m., Reet Vyas wrote:
> Hi,
> 
> I changed the iptables still no luck :( but I am using squid 3.3 only can I
> didn't understand why you have configured 3129 ,3130 and 3128 port?

Because due to historic (browser war politics) reasons there are three
different protocol message syntax in HTTP/1.x - depending whether the
traffic is on port 80 (HTTP origin), 443 (HTTPS origin), or 3128 (HTTP
proxy).


* Normal forward/explicit proxy traffic occurs on port 3128. Squid needs
this port regardless of whether your main traffic use is on another port
type, because some proxy responses will have URLs generated for embedded
content to be fetched from the proxy itself.

* NAT intercepted port 80 traffic needs to be delivered to a different
proxy http_port with the "intercept" flag. The tutorials use 3129 to
make it clear it's not to be 3128, but it SHOULD be something random you
make up that you can also have the firewall blocking connections
directly to it by clients.

* NAT intercepted port 443 traffic needs https_port directive (note the
's') which means another port number separate from the port 80 one.


Amos

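The port layout Amos describes above (explicit proxy on 3128, intercepted port 80 and 443 on their own http_port/https_port), together with the "allow all" and certificate-validation pitfalls raised elsewhere in this thread (the posted config with `http_access allow all` and `http_port 3128 intercept`, and the later FYI about DONT_VERIFY_PEER, `always_direct allow all` and `sslproxy_cert_error allow all`), can be checked mechanically. The following is an added example, not code from the Squid project or from anyone in the thread: a small squid.conf linter run over a constructed config modelled on the posted one and over a corrected counterpart; the certificate path in the corrected config is a placeholder.

```python
from typing import List

# Constructed squid.conf text modelled on the configuration Reet posted on
# 2015-06-04, with the TLS directives Amos warned Klavs about added so that
# every check below fires. Sample input only, not a recommended configuration.
POSTED_CONF = """\
acl mynet src 116.72.152.37 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow mynet
http_access allow localhost
http_access allow all
http_port 3129
http_port 3128 intercept
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
ssl_bump server-first all
"""

# Constructed corrected counterpart: 3128 stays the explicit proxy port,
# intercepted port 80 and 443 get their own ports (pick your own numbers and
# block direct client connections to them in the firewall, as Amos advises),
# the access list ends in 'deny all', and the permissive TLS directives are
# gone. The certificate path is a placeholder.
HARDENED_CONF = """\
acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/etc/squid/PLACEHOLDER-ca.pem
ssl_bump peek all
ssl_bump bump all
"""

# Directives that disable certificate validation or server mimicking.
PERMISSIVE_TLS = {
    "always_direct allow all": "always-direct-all",
    "sslproxy_cert_error allow all": "cert-error-all",
}


def parse(conf: str) -> List[List[str]]:
    """Tokenise squid.conf text, dropping comments and blank lines."""
    rows = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def port_number(spec: str) -> str:
    """'3128', '192.168.0.200:3128' and '[::]:3128' all give '3128'."""
    return spec.rsplit(":", 1)[-1]


def lint(conf: str) -> List[str]:
    """Return short finding ids for the pitfalls discussed in the thread."""
    rows = parse(conf)
    findings: List[str] = []
    access = [r for r in rows if r[0] == "http_access"]
    ports = [r for r in rows if r[0] in ("http_port", "https_port") and len(r) > 1]

    # http_access is first-match: 'allow all' anywhere opens the proxy to the
    # world, and the list should end with 'deny all' for whatever fell through.
    if any(r[1:] == ["allow", "all"] for r in access):
        findings.append("open-proxy")
    if not access or access[-1][1:] != ["deny", "all"]:
        findings.append("no-final-deny")
    if not any(r[1:] == ["deny", "!Safe_ports"] for r in access):
        findings.append("no-safe-ports-deny")

    # Port layout: 3128 is the explicit proxy port; intercepted traffic belongs
    # on a separate port ('transparent' is the older spelling of 'intercept').
    intercepting = [r for r in ports if {"intercept", "transparent"} & set(r[2:])]
    if any(port_number(r[1]) == "3128" for r in intercepting):
        findings.append("intercept-on-3128")
    if not any(r[0] == "http_port" and r not in intercepting for r in ports):
        findings.append("no-forward-port")

    # TLS handling: permissive directives, and ssl_bump rules that can never
    # apply because no listening port carries the ssl-bump flag.
    for r in rows:
        tag = PERMISSIVE_TLS.get(" ".join(r[:3]))
        if tag:
            findings.append(tag)
        if r[0] == "sslproxy_flags" and "DONT_VERIFY_PEER" in r[1:]:
            findings.append("dont-verify-peer")
    if any(r[0] == "ssl_bump" for r in rows) and not any("ssl-bump" in r[2:] for r in ports):
        findings.append("bump-without-ssl-bump-port")
    return findings


if __name__ == "__main__":
    print("posted:  ", lint(POSTED_CONF))
    print("hardened:", lint(HARDENED_CONF))
```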


Re: [squid-users] Transparent Squid Proxy Server

2015-06-04 Thread Reet Vyas
Hi

I got it half working. My chat is working and I can search Google, but I can't
browse websites.

My configuration now

acl mynet src 116.72.152.37 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow mynet
http_access allow localhost
http_access allow all
http_port 3129
http_port 3128 intercept

cache_dir ufs /usr/local/cache 1 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600 90% 43200
refresh_pattern . 0 20% 4320



Iptables:

root@squid:/home/squid# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 77928 packets, 4272K bytes)
 pkts bytes target     prot opt in     out     source               destination
  290 17312 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.200:3128
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 75943 packets, 4074K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  847 56477 MASQUERADE  all  --  *      eth0    192.168.0.0/24       0.0.0.0/0

On Thu, Jun 4, 2015 at 12:13 PM, Reet Vyas  wrote:

> Hi,
>
> I changed the iptables still no luck :( but I am using squid 3.3 only can
> I didn't understand why you have configured 3129 ,3130 and 3128 port?
>
> On Wed, Jun 3, 2015 at 1:04 PM, Klavs Klavsen  wrote:
>
>> Your client needs to use your squid server as default gateway.
>>
>> And then you need the iptables rules I wrote about to direct traffic into
>> squid for certain ports.
>>
>> Reet Vyas wrote on 06/03/2015 08:50 AM:
>>
>>> Hi
>>>
>>> Thanks for the reply. As of now we don't have a router. I have directly
>>> connected my machine to the internet and the other to the LAN, and I have
>>> configured an Ubuntu client machine to test squid, which is on the switch
>>> where other users are connected using the router gateway 192.168.0.1.
>>>
>>> I read your valuable suggestions, but I am still confused about the iptables
>>> and squid 3.3 settings, the transparent and intercept options.
>>>
>>> root@squid:/home/squid#   ip addr show
>>> 1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default
>>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>     inet 127.0.0.1/8  scope host lo
>>>        valid_lft forever preferred_lft forever
>>>     inet6 ::1/128 scope host
>>>        valid_lft forever preferred_lft forever
>>> 2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>>     link/ether 00:1e:67:cf:59:74 brd ff:ff:ff:ff:ff:ff
>>>     inet 116.72.*.*/22 brd 116.72.155.255 scope global eth0
>>>        valid_lft forever preferred_lft forever
>>>     inet6 fe80::21e:67ff:fecf:5974/64 scope link
>>>        valid_lft forever preferred_lft forever
>>> 3: eth1:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>>     link/ether 00:1e:67:cf:59:75 brd ff:ff:ff:ff:ff:ff
>>>     inet 192.168.0.200/24  brd 192.168.0.255 scope global eth1
>>>        valid_lft forever preferred_lft forever
>>>     inet6 fe80::21e:67ff:fecf:5975/64 scope link
>>>        valid_lft forever preferred_lft forever
>>>
>>> root@squid:/home/squid#  ip -4 route show
>>> default via 116.72.152.1 dev eth0
>>> 116.72.152.0/22  dev eth0  proto kernel  scope link  src 116.72.152.37
>>> 192.168.0.0/24  dev eth1  proto kernel  scope link  src 192.168.0.200
>>>
>>>
>>>
>>>
>>>
>>> To use transparent/intercept, what do I have to set in my config file:
>>> http_port 3128 intercept or transparent?
>>>
>>> And for the iptables rules, I have tried these rules:
>>>
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>>>
>>> But not working
>>>
>>> Can you please tell me the firewall rules and let me know why my
>>> firewall rules are not working.
>>>
>>> On Tue, Jun 2, 2015 at 8:14 PM, Klavs Klavsen wrote:
>>>
>>> Amos Jeffries wrote on 06/02/2015 04:34 PM:
>>>

Re: [squid-users] Transparent Squid Proxy Server

2015-06-03 Thread Reet Vyas
Hi,

I changed the iptables still no luck :( but I am using squid 3.3 only can I
didn't understand why you have configured 3129 ,3130 and 3128 port?

On Wed, Jun 3, 2015 at 1:04 PM, Klavs Klavsen  wrote:

> Your client needs to use your squid server as default gateway.
>
> And then you need the iptables rules I wrote about to direct traffic into
> squid for certain ports.
>
> Reet Vyas wrote on 06/03/2015 08:50 AM:
>
>> Hi
>>
>> Thanks for the reply. As of now we don't have a router. I have directly
>> connected my machine to the internet and the other to the LAN, and I have
>> configured an Ubuntu client machine to test squid, which is on the switch
>> where other users are connected using the router gateway 192.168.0.1.
>>
>> I read your valuable suggestions, but I am still confused about the iptables
>> and squid 3.3 settings, the transparent and intercept options.
>>
>> root@squid:/home/squid#   ip addr show
>> 1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8  scope host lo
>>        valid_lft forever preferred_lft forever
>>     inet6 ::1/128 scope host
>>        valid_lft forever preferred_lft forever
>> 2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 00:1e:67:cf:59:74 brd ff:ff:ff:ff:ff:ff
>>     inet 116.72.*.*/22 brd 116.72.155.255 scope global eth0
>>        valid_lft forever preferred_lft forever
>>     inet6 fe80::21e:67ff:fecf:5974/64 scope link
>>        valid_lft forever preferred_lft forever
>> 3: eth1:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 00:1e:67:cf:59:75 brd ff:ff:ff:ff:ff:ff
>>     inet 192.168.0.200/24  brd 192.168.0.255 scope global eth1
>>        valid_lft forever preferred_lft forever
>>     inet6 fe80::21e:67ff:fecf:5975/64 scope link
>>        valid_lft forever preferred_lft forever
>>
>> root@squid:/home/squid#  ip -4 route show
>> default via 116.72.152.1 dev eth0
>> 116.72.152.0/22  dev eth0  proto kernel  scope link  src 116.72.152.37
>> 192.168.0.0/24  dev eth1  proto kernel  scope link  src 192.168.0.200
>>
>>
>>
>>
>>
>> To use transparent/intercept, what do I have to set in my config file:
>> http_port 3128 intercept or transparent?
>>
>> And for the iptables rules, I have tried these rules:
>>
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>>
>> But not working
>>
>> Can you please tell me the firewall rules and let me know why my
>> firewall rules are not working.
>>
>> On Tue, Jun 2, 2015 at 8:14 PM, Klavs Klavsen wrote:
>>
>> Amos Jeffries wrote on 06/02/2015 04:34 PM:
>>
>> On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:
>>
>> I have this in my squid server for it to work:
>>
>>
>> The key words there are ... *in my Squid server*
>>
>> indeed :)
>>
>>
>> NOTE to Klavs:
>> loading the "multiport" kernel module seems overkill for a
>> single-port
>> match.
>>
>> it's puppets firewall module.. haven't had enough time to fix that
>> module :)
>>
>>
>> FYI: DONT_VERIFY_PEER, "always_direct allow all", and
>> "sslproxy_cert_error allow all" have not been good ideas since 3.2.
>> dont-verify actually inhibits the Mimic functions which give
>> server-first bumping most of its usefulness.
>>
>> Thank you for those tips.
>>
>> --
>> Regards,
>> Klavs Klavsen, GSEC - k...@vsen.dk  -
>> http://www.vsen.dk - Tlf. 61281200
>>
>> "Those who do not understand Unix are condemned to reinvent it,
>> poorly."
>>--Henry Spencer
>>
>>
>>
>>
>>
>>
>>
>
> --
> Regards,
> Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200
>
> "Those who do not understand Unix are condemned to reinvent it, poorly."
>   --Henry Spencer
>
>


Re: [squid-users] Transparent Squid Proxy Server

2015-06-03 Thread Klavs Klavsen

Your client needs to use your squid server as default gateway.

And then you need the iptables rules I wrote about to direct traffic 
into squid for certain ports.


Reet Vyas wrote on 06/03/2015 08:50 AM:

Hi

Thanks for the reply. As of now we don't have a router. I have directly
connected my machine to the internet and the other to the LAN, and I have
configured an Ubuntu client machine to test squid, which is on the switch
where other users are connected using the router gateway 192.168.0.1.

I read your valuable suggestions, but I am still confused about the iptables
and squid 3.3 settings, the transparent and intercept options.

root@squid:/home/squid#   ip addr show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8  scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1e:67:cf:59:74 brd ff:ff:ff:ff:ff:ff
    inet 116.72.*.*/22 brd 116.72.155.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:67ff:fecf:5974/64 scope link
       valid_lft forever preferred_lft forever
3: eth1:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1e:67:cf:59:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.200/24  brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:67ff:fecf:5975/64 scope link
       valid_lft forever preferred_lft forever

root@squid:/home/squid#  ip -4 route show
default via 116.72.152.1 dev eth0
116.72.152.0/22  dev eth0  proto kernel  scope link  src 116.72.152.37
192.168.0.0/24  dev eth1  proto kernel  scope link  src 192.168.0.200





To use transparent/intercept, what do I have to set in my config file:
http_port 3128 intercept or transparent?

And for the iptables rules, I have tried these rules:

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

But not working

Can you please tell me the firewall rules and let me know why my
firewall rules are not working.

On Tue, Jun 2, 2015 at 8:14 PM, Klavs Klavsen wrote:

Amos Jeffries wrote on 06/02/2015 04:34 PM:

On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:

I have this in my squid server for it to work:


The key words there are ... *in my Squid server*

indeed :)


NOTE to Klavs:
loading the "multiport" kernel module seems overkill for a
single-port
match.

it's puppets firewall module.. haven't had enough time to fix that
module :)


FYI: DONT_VERIFY_PEER, "always_direct allow all", and
"sslproxy_cert_error allow all" have not been good ideas since 3.2.
dont-verify actually inhibits the Mimic functions which give
server-first bumping most of its usefulness.

Thank you for those tips.

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk  -
http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer





___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users




--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Transparent Squid Proxy Server

2015-06-02 Thread Reet Vyas
Hi

Thanks for the reply. As of now we don't have a router; I have directly connected
my machine to the internet and the other to the LAN, and I have configured a client
machine (Ubuntu) to test squid, which is on the switch where the other users are
connected, using the router gateway 192.168.0.1.

I read your valuable suggestions, but I am still confused with the iptables and
squid 3.3 settings, the transparent and intercept options.

root@squid:/home/squid#   ip addr show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group
default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state
UP group default qlen 1000
link/ether 00:1e:67:cf:59:74 brd ff:ff:ff:ff:ff:ff
inet 116.72.*.*/22 brd 116.72.155.255 scope global eth0
   valid_lft forever preferred_lft forever
inet6 fe80::21e:67ff:fecf:5974/64 scope link
   valid_lft forever preferred_lft forever
3: eth1:  mtu 1500 qdisc pfifo_fast state
UP group default qlen 1000
link/ether 00:1e:67:cf:59:75 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.200/24 brd 192.168.0.255 scope global eth1
   valid_lft forever preferred_lft forever
inet6 fe80::21e:67ff:fecf:5975/64 scope link
   valid_lft forever preferred_lft forever

root@squid:/home/squid#  ip -4 route show
default via 116.72.152.1 dev eth0
116.72.152.0/22 dev eth0  proto kernel  scope link  src 116.72.152.37
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.200

To use transparent/intercept, what do I have to set in my config file:
http_port 3128 intercept or transparent?

and the iptables rules. I have tried these rules:

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

But it is not working.

Can you please tell me the firewall rules and let me know why my firewall
rules are not working.

On Tue, Jun 2, 2015 at 8:14 PM, Klavs Klavsen  wrote:

> Amos Jeffries wrote on 06/02/2015 04:34 PM:
>
>> On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:
>>
>>> I have this in my squid server for it to work:
>>>
>>
>> The key words there are ... *in my Squid server*
>>
>>  indeed :)
>
>
>> NOTE to Klavs:
>>loading the "multiport" kernel module seems overkill for a single-port
>> match.
>>
>>  it's puppets firewall module.. haven't had enough time to fix that
> module :)
>
>
>> FYI: DONT_VERIFY_PEER, "always_direct allow all", and
>> "sslproxy_cert_error allow all" have not been good ideas since 3.2.
>> dont-verify actually inhibits the Mimic functions which give
>> server-first bumping most of its usefulness.
>>
>>  Thank you for those tips.
>
> --
> Regards,
> Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200
>
> "Those who do not understand Unix are condemned to reinvent it, poorly."
>   --Henry Spencer
>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Transparent Squid Proxy Server

2015-06-02 Thread Klavs Klavsen

Amos Jeffries wrote on 06/02/2015 04:34 PM:

On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:

I have this in my squid server for it to work:


The key words there are ... *in my Squid server*


indeed :)



NOTE to Klavs:
   loading the "multiport" kernel module seems overkill for a single-port
match.


it's puppets firewall module.. haven't had enough time to fix that module :)



FYI: DONT_VERIFY_PEER, "always_direct allow all", and
"sslproxy_cert_error allow all" have not been good ideas since 3.2.
dont-verify actually inhibits the Mimic functions which give
server-first bumping most of its usefulness.


Thank you for those tips.

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Transparent Squid Proxy Server

2015-06-02 Thread Amos Jeffries
On 3/06/2015 1:20 a.m., Klavs Klavsen wrote:
> I have this in my squid server for it to work:

The key words there are ... *in my Squid server*

Reet did it on the router. Which was the first mistake.

The router needs routing rules (not NAT) to deliver the clients' packets
to the Squid machine, where the interception happens, like below.

The second mistake was http_port configuration. Squid requires two
http_port lines. Port 3128 for regular proxy traffic, and another random
port for interception (our how-tos use 3129).


> *mangle
> :PREROUTING ACCEPT [190:618576]
> :INPUT ACCEPT [190:618576]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [163:41506]
> :POSTROUTING ACCEPT [166:42334]
> -A PREROUTING -d $myip/32 -p tcp -m multiport --dports 3129 -m comment --comment "002 drop squid direct traffic http - we only allow captured traffic" -j DROP
> -A PREROUTING -d $myip/32 -p tcp -m multiport --dports 3130 -m comment --comment "002 drop squid direct traffic https - we only allow captured traffic" -j DROP
> COMMIT


NOTE to Klavs:
  loading the "multiport" kernel module seems overkill for a single-port
match.

> # Completed on Wed Apr  1 10:28:22 2015
> # Generated by iptables-save v1.4.21 on Wed Apr  1 10:28:22 2015
> *nat
> :PREROUTING ACCEPT [1:36]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [30:2079]
> :POSTROUTING ACCEPT [30:2079]
> -A PREROUTING -s $myip/32 -p tcp -m multiport --dports 80 -m comment --comment "000 allow squid http - so its traffic does not get captured" -j ACCEPT
> -A PREROUTING -s $myip/32 -p tcp -m multiport --dports 443 -m comment --comment "000 allow squid https - so its traffic does not get captured" -j ACCEPT
> -A PREROUTING -p tcp -m multiport --dports 80 -m comment --comment "001 capture http to squid" -j DNAT --to-destination $myip:3129
> -A PREROUTING -p tcp -m multiport --dports 443 -m comment --comment "001 capture https to squid" -j DNAT --to-destination $myip:3130
> COMMIT
> # Completed on Wed Apr  1 10:28:22 2015
> # Generated by iptables-save v1.4.21 on Wed Apr  1 10:28:22 2015
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1:184]
> -A INPUT -p tcp -m multiport --ports 3129 -m comment --comment "000 allow squid http intercept" -j ACCEPT
> -A INPUT -p tcp -m multiport --ports 3130 -m comment --comment "000 allow squid https intercept" -j ACCEPT
> -A INPUT -p tcp -m multiport --ports 3128 -m comment --comment "000 allow squid proxy" -j ACCEPT
> 
> and squid conf (mind you - squid 3.4)
> ssl_bump server-first all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_children 8 startup=1 idle=1
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /etc/ssl/certs/cache/ -M 4MB
> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ca.private cert=/etc/squid/ca.cert
> shutdown_lifetime 3
> always_direct allow all
> sslproxy_cert_error allow all
> http_port 3129 intercept
> 

FYI: DONT_VERIFY_PEER, "always_direct allow all", and
"sslproxy_cert_error allow all" have not been good ideas since 3.2.
dont-verify actually inhibits the Mimic functions which give
server-first bumping most of its usefulness.



> Reet Vyas wrote on 06/02/2015 02:31 PM:
>> I am trying to configure a transparent squid proxy on Ubuntu 14.04 Server,
>> and the squid version I am using is 3.3.
>>
>> My Lan and Wan settings
>>
>> eth0  Link encap:Ethernet  HWaddr 00:1e:67:cf:59:74
>>inet addr:116.72.*.*  Bcast:116.72.155.255  Mask:255.255.252.0
>>inet6 addr: fe80::21e:67ff:fecf:5974/64 Scope:Link
>>UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>RX packets:238950 errors:0 dropped:0 overruns:0 frame:0
>>TX packets:236104 errors:0 dropped:0 overruns:0 carrier:0
>>collisions:0 txqueuelen:1000
>>RX bytes:22219047 (22.2 MB)  TX bytes:17390502 (17.3 MB)
>>Interrupt:16 Memory:d0a0-d0a2
>>
>> eth1  Link encap:Ethernet  HWaddr 00:1e:67:cf:59:75
>>inet addr:192.168.0.200  Bcast:192.168.0.255 
>> Mask:255.255.255.0
>>inet6 addr: fe80::21e:67ff:fecf:5975/64 Scope:Link
>>UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>RX packets:96965 errors:0 dropped:0 overruns:0 frame:0
>>TX packets:11785 errors:0 dropped:0 overruns:0 carrier:0
>>collisions:0 txqueuelen:1000
>>RX bytes:10764615 (10.7 MB)  TX bytes:7151763 (7.1 MB)
>>Interrupt:17 Memory:d090-d092


Er, thems not settings. Thems traffic statistics.

Not that it matters, but give these a try:
 ip addr show
 ip -4 route show
 ip -6 route show


>>
>> my squid.conf file
>>
>> acl mynet src 116.72.152.37 192.168.0.0/16 # RFC1918 possible internal network
>> acl SSL_ports port 443
>> acl Safe_ports port 80   
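
As an added check (not code from the thread), this script tests a squid.conf and an iptables-save dump for the layout Amos describes above and that Klavs's rules implement: a plain http_port for regular clients, a separate intercept port, the nat DNAT of port 80 to it, the exemption for the Squid host's own address so its outbound traffic is not captured again, and the mangle DROP of direct connections to the intercept port. The Squid IP 192.0.2.10 and both sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a squid.conf and an iptables-save
# dump against the layout Amos describes: a plain http_port for regular clients,
# a separate intercept port, a nat DNAT of port 80 to it, an exemption for the
# Squid host's own address (otherwise its outbound traffic is captured again),
# and the mangle DROP of direct client connections to the intercept port.
# Both sample inputs and the Squid IP 192.0.2.10 are constructed.
check_intercept_layout() {   # $1 squid.conf, $2 iptables-save dump, $3 Squid IP
    conf=$1 rules=$2 rc=0
    ip_re=$(printf '%s' "$3" | sed 's/\./\\./g')
    grep -E '^http_port[[:space:]]+3128([[:space:]]|$)' "$conf" | grep -Evq 'intercept|transparent' ||
        { echo "MISSING: plain 'http_port 3128' for regular proxy clients"; rc=1; }
    port=$(sed -nE 's/^http_port[[:space:]]+([0-9]+)[[:space:]]+intercept.*/\1/p' "$conf" | head -n1)
    [ -n "$port" ] || { echo "MISSING: second 'http_port <port> intercept' line"; rc=1; }
    [ "$port" != 3128 ] || { echo "BAD: intercept must not reuse port 3128"; rc=1; }
    nat=$(sed -n '/^\*nat/,/^COMMIT/p' "$rules")
    mangle=$(sed -n '/^\*mangle/,/^COMMIT/p' "$rules")
    # both "--dport 80" and "-m multiport --dports 80" spellings are accepted
    exempt=$(printf '%s\n' "$nat" | grep -nE "^-A PREROUTING -s $ip_re(/32)? .*--dports? 80 .*-j ACCEPT" | head -n1 | cut -d: -f1)
    dnat=$(printf '%s\n' "$nat" | grep -nE "^-A PREROUTING .*--dports? 80 .*-j DNAT --to-destination $ip_re:$port\$" | head -n1 | cut -d: -f1)
    [ -n "$dnat" ] || { echo "MISSING: nat DNAT of port 80 to $3:$port"; rc=1; }
    [ -n "$exempt" ] || { echo "MISSING: nat ACCEPT for -s $3 port 80 (Squid's own traffic would loop)"; rc=1; }
    if [ -n "$dnat" ] && [ -n "$exempt" ] && [ "$exempt" -gt "$dnat" ]; then
        echo "BAD: the exemption for $3 is placed after the DNAT rule, so it never matches"; rc=1
    fi
    printf '%s\n' "$mangle" | grep -Eq "^-A PREROUTING -d $ip_re(/32)? .*--dports? $port .*-j DROP" ||
        { echo "MISSING: mangle DROP of direct connections to $3:$port"; rc=1; }
    return $rc
}
write_samples() {            # $1 directory; writes the constructed known-good inputs
    cat > "$1/squid.conf" <<'EOF'
http_port 3128
http_port 3129 intercept
EOF
    cat > "$1/rules.v4" <<'EOF'
*mangle
-A PREROUTING -d 192.0.2.10/32 -p tcp -m multiport --dports 3129 -j DROP
COMMIT
*nat
-A PREROUTING -s 192.0.2.10/32 -p tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3129
COMMIT
EOF
}
d=$(mktemp -d) && write_samples "$d"
check_intercept_layout "$d/squid.conf" "$d/rules.v4" 192.0.2.10 && echo "intercept layout OK"
rm -rf "$d"
```

On a live box, feed it the real squid.conf and the output of iptables-save instead of the samples.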

Re: [squid-users] Transparent Squid Proxy Server

2015-06-02 Thread Klavs Klavsen

I have this in my squid server for it to work:
*mangle
:PREROUTING ACCEPT [190:618576]
:INPUT ACCEPT [190:618576]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [163:41506]
:POSTROUTING ACCEPT [166:42334]
-A PREROUTING -d $myip/32 -p tcp -m multiport --dports 3129 -m comment --comment "002 drop squid direct traffic http - we only allow captured traffic" -j DROP
-A PREROUTING -d $myip/32 -p tcp -m multiport --dports 3130 -m comment --comment "002 drop squid direct traffic https - we only allow captured traffic" -j DROP

COMMIT
# Completed on Wed Apr  1 10:28:22 2015
# Generated by iptables-save v1.4.21 on Wed Apr  1 10:28:22 2015
*nat
:PREROUTING ACCEPT [1:36]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [30:2079]
:POSTROUTING ACCEPT [30:2079]
-A PREROUTING -s $myip/32 -p tcp -m multiport --dports 80 -m comment --comment "000 allow squid http - so its traffic does not get captured" -j ACCEPT
-A PREROUTING -s $myip/32 -p tcp -m multiport --dports 443 -m comment --comment "000 allow squid https - so its traffic does not get captured" -j ACCEPT
-A PREROUTING -p tcp -m multiport --dports 80 -m comment --comment "001 capture http to squid" -j DNAT --to-destination $myip:3129
-A PREROUTING -p tcp -m multiport --dports 443 -m comment --comment "001 capture https to squid" -j DNAT --to-destination $myip:3130

COMMIT
# Completed on Wed Apr  1 10:28:22 2015
# Generated by iptables-save v1.4.21 on Wed Apr  1 10:28:22 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:184]
-A INPUT -p tcp -m multiport --ports 3129 -m comment --comment "000 allow squid http intercept" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 3130 -m comment --comment "000 allow squid https intercept" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 3128 -m comment --comment "000 allow squid proxy" -j ACCEPT


and squid conf (mind you - squid 3.4)
ssl_bump server-first all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_children 8 startup=1 idle=1
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /etc/ssl/certs/cache/ -M 4MB
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ca.private cert=/etc/squid/ca.cert

shutdown_lifetime 3
always_direct allow all
sslproxy_cert_error allow all
http_port 3129 intercept

Reet Vyas wrote on 06/02/2015 02:31 PM:

I am trying to configure a transparent squid proxy on Ubuntu 14.04 Server,
and the squid version I am using is 3.3.

My Lan and Wan settings

eth0  Link encap:Ethernet  HWaddr 00:1e:67:cf:59:74
   inet addr:116.72.*.*  Bcast:116.72.155.255  Mask:255.255.252.0
   inet6 addr: fe80::21e:67ff:fecf:5974/64 Scope:Link
   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
   RX packets:238950 errors:0 dropped:0 overruns:0 frame:0
   TX packets:236104 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:1000
   RX bytes:22219047 (22.2 MB)  TX bytes:17390502 (17.3 MB)
   Interrupt:16 Memory:d0a0-d0a2

eth1  Link encap:Ethernet  HWaddr 00:1e:67:cf:59:75
   inet addr:192.168.0.200  Bcast:192.168.0.255  Mask:255.255.255.0
   inet6 addr: fe80::21e:67ff:fecf:5975/64 Scope:Link
   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
   RX packets:96965 errors:0 dropped:0 overruns:0 frame:0
   TX packets:11785 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:1000
   RX bytes:10764615 (10.7 MB)  TX bytes:7151763 (7.1 MB)
   Interrupt:17 Memory:d090-d092

my squid.conf file

acl mynet src 116.72.152.37 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow mynet
http_access allow localhost
http_access allow all
http_port 3128
cache_dir ufs /usr/local/cache 1 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600 90% 43200
refresh_pattern . 0 20% 4320


but when I use 192.168.0.200 in my client machine as gateway ...
internet is not working and I cant se