[squid-users] New Squid Server 3.5.20 on Centos 7 - Trying to redirect local web access to Port 80 on Linux Servers with iptables to Squid Server with http_port intercept

Rogerio Coelho Wed, 24 May 2017 13:02:55 -0700

Hi Squid Jedi´s,

I am just a little stuck tryng to replace an old Squid 3.1.23 Server on Centos 
6 that i use to redirect local web access to port 80 on linux servers to Squid 
Server.


On my Squid 3.1.23 Server on Centos 6 i use http_port 3128 transparent mode and 
on my Linux servers clients i use iptables to redirect Web traffic as below ( 
this config works ):

Squid Server 3.1.23 :

[root@leli squid]# cat squid.conf | egrep -v "^#|^$"
acl default_ip req_header x-forward -i "/ipt/SQUID/default/ip"
acl default_url dstdom_regex -i "/ipt/SQUID/default/url"
acl default_ip2 srcdom_regex -i "/ipt/SQUID/default/ip"
http_access allow default_ip default_url
acl endereco  req_header x-forward -i "/ipt/SQUID/libera/ip"
http_access allow endereco
acl all_ip req_header x-forward -i "/ipt/SQUID/all/ip"
acl all_url dstdom_regex -i "/ipt/SQUID/all/url"
acl all_ip2 srcdom_regex -i "/ipt/SQUID/all/ip"
http_access allow all_url
acl all src all
acl manager proto cache_object
acl from_localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl GIT_PORT port 9418         # git
acl CONNECT method CONNECT
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 21 # ftp
acl GIT_PORT2 port 9418 # git
http_access allow manager from_localhost
http_access deny manager
http_access allow GIT_PORT2
http_access deny !Safe_ports
http_access allow CONNECT GIT_PORT
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow from_localhost
http_access deny all
http_port 3128 transparent
https_port 3129 transparent intercept cert=/ipt/SQUID/https/squid.crt 
key=/ipt/SQUID/https/squid.key
hierarchy_stoplist cgi-bin ?
emulate_httpd_log on
logformat squid %tg %6tr %>a %{x-forward}>h %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A 
%mt
access_log /var/log/squid/access.log squid
access_log syslog:local0.info  squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid
acl QUERY urlpath_regex .*
cache deny QUERY
acl apache rep_header Server ^Apache
acl FS_TESTE srcdom_regex -i "/ipt/SQUID/puppet/ip2"
cache_mgr [email protected]
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/spool/squid
maximum_object_size 0 KB
minimum_object_size 0 KB
no_cache deny all
deny_info 172.20.63.73 webapp_ip

[root@leli ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 46M packets, 3068M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 4581K packets, 276M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4581K packets, 276M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@leli ~]#

Linux Server Clients ( Centos 5, 6 e 7 ) :

[root@montana rules]# cat proxy2.sh
#!/bin/bash

IPTBIN=$(which iptables)

$IPTBIN -t nat -F
$IPTBIN -t nat -X

#SQUID
$IPTBIN -A OUTPUT -s 10.240.68.68 -p tcp --sport 3128 -j ACCEPT

#PROXY
$IPTBIN -t nat -N PROXYSQUID
$IPTBIN -t nat -A OUTPUT -p tcp --dport 80 -j PROXYSQUID
$IPTBIN -t nat -A OUTPUT -p tcp --dport 443 -j PROXYSQUID
$IPTBIN -t nat -A PROXYSQUID -d 192.168.0.0/16 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 189.76.144.0/20 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 189.76.156.190 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 172.16.0.0/12 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -d 10.0.0.0/8 -j RETURN
$IPTBIN -t nat -A PROXYSQUID -p tcp -j DNAT --to-destination=10.240.68.68:3128


[root@montana rules]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 58M packets, 4835M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
         tcp dpt:80
    0     0 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
         tcp dpt:443

Chain PROXYSQUID (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            
192.168.0.0/16
    0     0 RETURN     all  --  *      *       0.0.0.0/0            
189.76.144.0/20
    0     0 RETURN     all  --  *      *       0.0.0.0/0            
189.76.156.190
    0     0 RETURN     all  --  *      *       0.0.0.0/0            
172.16.0.0/12
    0     0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        to:10.240.68.68:3128
[root@montana rules]# curl -v www.google.com
* About to connect() to www.google.com port 80
*   Trying 216.58.222.68... * connected
* Connected to www.google.com (216.58.222.68) port 80
> GET / HTTP/1.1
User-Agent: curl/7.12.1 (i686-redhat-linux-gnu) libcurl/7.12.1 OpenSSL/0.9.7a 
zlib/1.2.1.2 libidn/0.5.6
Host: www.google.com
Pragma: no-cache
Accept: */*

< HTTP/1.0 302 Moved Temporarily
< Location: http://www.google.com.br/?gws_rd=cr&ei=FtwdWdaDMYm0wQSWwZ24Ag
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< P3P: CP="This is not a P3P policy! See 
https://www.google.com/support/accounts/answer/151657?hl=en for more info."
< Date: Thu, 18 May 2017 17:38:30 GMT
< Server: gws
< Content-Length: 262
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: 
NID=103=Vdks002SayhLjRhSWr_ETgZR2-0Hngh7ci-McE8fBhw6vDhAENt6JxWkTKtPKWen7HL-KYjiSNg9lwXnjSCejhv1va4yIUhPpMDYZ-mK4uDb9FQldR1zp3Y1RiOwx4jX;
 expires=Fri, 17-Nov-2017 17:38:30 GMT; path=/; domain=.google.com; HttpOnly
< X-Cache: MISS from leli.rbs.com.br
< X-Cache-Lookup: MISS from leli.rbs.com.br:3128
< Via: 1.0 leli.rbs.com.br (squid/3.1.23)
* HTTP/1.0 connection set to keep alive!
< Connection: keep-alive
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A 
HREF="http://www.google.com.br/?gws_rd=cr&amp;ei=FtwdWdaDMYm0wQSWwZ24Ag";>here</A>.
</BODY></HTML>
* Connection #0 to host www.google.com left intact
* Closing connection #0
[root@montana rules]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 58M packets, 4835M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2487K packets, 184M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
         tcp dpt:80
    0     0 PROXYSQUID  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0  
         tcp dpt:443

Chain PROXYSQUID (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            
192.168.0.0/16
    0     0 RETURN     all  --  *      *       0.0.0.0/0            
189.76.144.0/20
    0     0 RETURN     all  --  *      *       0.0.0.0/0            
189.76.156.190
    0     0 RETURN     all  --  *      *       0.0.0.0/0            
172.16.0.0/12
    0     0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.0/8
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        to:10.240.68.68:3128
[root@montana rules]#

On my new Squid Server running 3.5.20 on Centos 7 a try to use in many 
different ways but have no success.

I will send my steps on a new reply email in few minutes because the email size.

Sorry about all this log of information.



Rogério Ceni Coelho
Engenheiro de Infraestrutura - Infrastructure Engineer
Diretoria de TI e Telecom - Grupo RBS
Fone: +55 (51) 3218-6983
Celular: +55 (51) 8186-2933 Claro
Celular: +55 (51) 8050-4225 Vivo
[email protected]
http://www.gruporbs.com.br



Esta mensagem e quaisquer anexos são exclusivamente para o uso da parte 
endereçada e poderão conter dados privilegiados e confidenciais. Caso o leitor 
da mensagem não seja a parte a quem ela foi endereçada, nem um representante 
autorizado da mesma, ficará notificado, por meio desta, que qualquer divulgação 
desta comunicação é estritamente proibida. Se esta comunicação for recebida 
erroneamente, por favor, notifique-nos disto imediatamente por e-mail e delete 
a mensagem  e quaisquer anexos a ela de seu sistema.



O Grupo RBS pauta sua atuação por seu Código de Ética e Conduta, em 
conformidade com a Legislação Brasileira. Qualquer situação irregular deve ser 
informada via Canal de Ética pelo site 
https://www.contatoseguro.com.br/gruporbs ou 0800 602 1831. Este e-mail e seus 
anexos podem conter informações confidenciais. Se você recebeu esta mensagem 
por engano, por favor apague-a e notifique o remetente imediatamente.
_______________________________________________
squid-users mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-users

[squid-users] New Squid Server 3.5.20 on Centos 7 - Trying to redirect local web access to Port 80 on Linux Servers with iptables to Squid Server with http_port intercept

Reply via email to