On 29/11/2016 10:33 a.m., kevin2345 wrote:
> Hello, new to squid here. I'm trying to set up a transparent proxy with squid for my internal hosts to reach outbound destinations. We are hosted in AWS with a VPC setup and multiple subnets. The squid host is in a "public" subnet that has outbound access, while the other subnets are "private" with access to the hosts in the public subnet. The end goal is to have all outbound traffic in the VPC routed to the squid host before going to the internet. By doing this, we'll have a central "choke point" to manage in
Hint: In networking that is called a _gateway_ or router.
> terms of access/auditing. We want to accomplish this with iptables rules on the clients (eventually managed with config management) that direct outbound traffic (http/https for example) to the squid host.
So long as you don't use DNAT or REDIRECT. Any form of routing or tunnel, or setting the client's gateway to be the Squid machine, should be okay.
> I've tried setting up the squid host with Ubuntu 14.04 and squid 3.3.8. I am testing http access with a curl to ifconfig.co (which would return the external IP address),
... but apparently does not.
> but I'm running into 403/access denied errors. See below for log excerpts and the config files. "172.18.128.58" is my squid proxy host and "172.18.145.88" is my test client.
Not any old "403 Access Denied" but Forwarding Loop denials.
> squid.conf:
> --------
> http_port 3128 intercept
> http_port 80
> acl localnet src 172.18.0.0/16
> acl localhost src 127.0.0.1
> acl SSL_ports port 443
> acl Safe_ports port 80   # http
> acl Safe_ports port 443  # https
> acl CONNECT method CONNECT
> follow_x_forwarded_for allow localhost
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access allow all
> cache_dir ufs /var/spool/squid3 100 16 256
> coredump_dir /var/spool/squid3
> visible_hostname squidhost
> debug_options ALL,1 33,2 28,9
> --------
>
> squid logs:
> --------
> ==> /var/log/squid3/cache.log <==
> 2016/11/28 19:26:45.119| WARNING: Forwarding loop detected for:
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Accept: */*
> Via: 1.1 squidhost (squid/3.3.8)
> X-Forwarded-For: 172.18.145.88
> Cache-Control: max-age=259200
> Connection: keep-alive
> Host: ifconfig.co
> ==> /var/log/squid3/access.log <==
> 1480361205.120      0 172.18.128.58 TCP_MISS/403 3629 GET http://ifconfig.co/ - HIER_NONE/- text/html
> 1480361205.120      1 172.18.145.88 TCP_MISS/403 3728 GET http://ifconfig.co/ - HIER_DIRECT/172.18.128.58 text/html
>
> ==> /var/log/squid3/cache.log <==
>
> ==> /var/log/squid3/access.log <==
>
> ==> /var/log/squid3/cache.log <==
> 2016/11/28 19:26:45.123| client_side.cc(777) swanSong: local=172.18.128.58:3128 remote=172.18.145.88:36030 flags=33
> --------
>
> iptables rules on test client:
> --------
> ubuntu@ip-172-18-145-88:~$ sudo iptables -t nat -nvL
> Chain PREROUTING (policy ACCEPT 7 packets, 448 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 7 packets, 448 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 624 packets, 125K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   442 26520 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.18.128.58:3128
The DNAT on the client informs Squid that the real IP of the server is 172.18.128.58. Squid will send the request upstream to that IP ...
Please follow the Config Example <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat>, in particular the first NOTE about where the configuration needs to be done. Hint: not on the client.
Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
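As an added example (not part of the thread above), a small check over Squid's native access.log format that flags the two loop signatures visible in the quoted lines: a request Squid forwarded HIER_DIRECT to its own address, and the follow-on request Squid then denies because the client is itself. The proxy address is taken from the message; the third, normal log line is constructed for contrast.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROXY_IP = "172.18.128.58"  # the Squid host, as stated in the thread

# Constructed sample: the first two lines are the ones quoted in the
# thread, the third is an invented normal request for contrast.
SAMPLE_LOG = """\
1480361205.120      0 172.18.128.58 TCP_MISS/403 3629 GET http://ifconfig.co/ - HIER_NONE/- text/html
1480361205.120      1 172.18.145.88 TCP_MISS/403 3728 GET http://ifconfig.co/ - HIER_DIRECT/172.18.128.58 text/html
1480361300.000     12 172.18.145.88 TCP_MISS/200 5120 GET http://example.invalid/ - HIER_DIRECT/203.0.113.10 text/html
"""

@dataclass
class Entry:
    client: str      # requesting client address
    status: str      # e.g. TCP_MISS/403
    url: str
    hier_code: str   # e.g. HIER_DIRECT, HIER_NONE
    hier_peer: str   # upstream address Squid used, or "-"

def parse_line(line: str) -> Optional[Entry]:
    """Parse one squid native-format access.log line; None if malformed."""
    f = line.split()
    if len(f) < 9:
        return None
    hier_code, _, hier_peer = f[8].partition("/")
    return Entry(client=f[2], status=f[3], url=f[6],
                 hier_code=hier_code, hier_peer=hier_peer)

def loop_signature(e: Entry, proxy_ip: str) -> Optional[str]:
    """Return a reason if the entry matches a forwarding-loop pattern."""
    # Squid sent the request upstream to its own address (what the client's DNAT caused).
    if e.hier_code == "HIER_DIRECT" and e.hier_peer == proxy_ip:
        return "HIER_DIRECT to proxy's own address"
    # The looped-back request: client is the proxy itself, denied with no upstream.
    if e.client == proxy_ip and e.status.endswith("/403") and e.hier_code == "HIER_NONE":
        return "request from proxy's own address denied (Via loop check)"
    return None

def find_loops(log_text: str, proxy_ip: str = PROXY_IP) -> List[Tuple[str, str, str]]:
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        reason = loop_signature(e, proxy_ip)
        if reason:
            hits.append((e.client, e.url, reason))
    return hits

if __name__ == "__main__":
    for hit in find_loops(SAMPLE_LOG):
        print(*hit)
```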