On 18/04/25 00:32, manoj ramakrishna95 wrote:
> Hello Team,
> I hope you are well. I have been working on the powerful Squid proxy for the
> past few months and have been stuck at a dead end while setting up a
> transparent proxy.
> My goal is to set up a Squid proxy as a transparent proxy for HTTP.
> Below is the config file (I have included only the important part, not all).
> I have a Fedora box as a client where I have mentioned the Squid proxy
> IP and a demo website in the
> /etc/hosts file, forcing it to go through the Squid proxy:
> my.squid.ip.address www.neverssl.com
The setup you have on your client is trying to use the proxy as if it
were an origin server. Squid receives such traffic with:
http_port 80 accel
https_port 443 accel \
tls-cert=/cert/and/key/for/neverssl.com.pem
For transparent proxy, it is your network router which needs rules
passing port 80/443 traffic from client->Internet to the proxy machine.
> And on the server is the below configuration and output which I have shared.
> _________
> http_port 0.0.0.0:3128
> http_port 192.168.124.130:3130 intercept
> acl SSL_ports port 443
> acl Safe_ports port 80 443 3128 3129 3130 3131 21 70 210 280 488 591 777 1025-65535
> # === ACLs and Access Rules ===
> acl localnet src 192.168.124.0/24
> acl fedora_client src 192.168.0.0/16
> acl localhost src 127.0.0.1/32
> acl SSL_ports port 443
> acl Safe_ports port 80 443 3128 3129 3130 3131 21 70 210 280 488 591 777 1025-65535
> acl CONNECT method CONNECT
> http_access allow all
Please restore the basic security protections:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
...
> ____________
> Below are the iptables rules
> #iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> #iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
> #iptables -A INPUT -p tcp --dport 3130 -j ACCEPT
> #iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 80 -j REDIRECT --to-port 3130
Okay. You should also have a MASQUERADE rule, and a "mangle" table
protection against malware hijacking your proxy's intercept port.
See <https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
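The two points Amos raises, the missing MASQUERADE and mangle-table rules for the intercept port and the http_access ordering, as an added example that is not code from the thread or from the Squid project. It follows the rule layout of the wiki LinuxRedirect page referenced above. The intercept port and the client-facing interface name enp1s0 are taken from the posted config and rule; the Internet-facing interface name enp2s0 and the lint function check_squid_access are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project. Emits (or, as root with
# IPT=iptables, applies) the intercept rule set for a Linux router that also runs Squid,
# and lints the http_access ordering. Interface names are assumptions.
set -eu

LAN_IF="${LAN_IF:-enp1s0}"                 # client-facing interface (from the posted rule)
WAN_IF="${WAN_IF:-enp2s0}"                 # Internet-facing interface (assumed name)
INTERCEPT_PORT="${INTERCEPT_PORT:-3130}"   # the "http_port ...:3130 intercept" port
IPT="${IPT:-iptables}"                     # IPT=print_rule prints the rules instead of applying them

print_rule() { printf '%s\n' "$*"; }       # dry-run stand-in for iptables

# The four rules needed on the box that runs both the NAT and Squid.
intercept_rules() {
    # mangle PREROUTING is traversed before nat PREROUTING, so this DROP only sees packets
    # that a LAN host addressed to the intercept port itself. Packets that nat redirects
    # still carry dport 80 at this point and pass. Without this, anything on the LAN can
    # connect to 3130 directly and have Squid fetch whatever Host: header it supplies.
    # Deliberately not limited to one interface, as on the wiki page.
    $IPT -t mangle -A PREROUTING -p tcp --dport "$INTERCEPT_PORT" -j DROP

    # Client port-80 traffic arriving on the LAN side is redirected to the intercept port.
    # Squid's own outbound fetches leave through OUTPUT, not PREROUTING, so no loop.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$INTERCEPT_PORT"

    # Everything the box forwards towards the Internet (the client's port-443 traffic,
    # which this setup does not intercept) gets source NAT so replies return to the router.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Redirected packets still pass INPUT. Limit it to the LAN interface; the posted
    # "-A INPUT -p tcp --dport 3130 -j ACCEPT" accepted the port from everywhere.
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$INTERCEPT_PORT" -j ACCEPT
    # Forwarding itself is switched on with: sysctl -w net.ipv4.ip_forward=1
}

# http_access is first-match. Returns 0 when "deny !Safe_ports" and "deny CONNECT
# !SSL_ports" both appear before any "http_access allow", 1 when an allow comes first
# (as in the posted config, where "allow all" makes later rules unreachable) or a
# deny rule is missing altogether.
check_squid_access() {
    awk '
        /^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+!Safe_ports/            { safe = 1 }
        /^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+CONNECT[[:space:]]+!SSL_ports/ { conn = 1 }
        /^[[:space:]]*http_access[[:space:]]+allow/ { if (!(safe && conn)) bad = 1 }
        END { if (bad || !(safe && conn)) exit 1 }
    ' "$1"
}

case "${1:-}" in
    apply) intercept_rules ;;                          # run as root on the Squid box
    show)  IPT=print_rule intercept_rules ;;           # dry run: print the rules
    check) check_squid_access "${2:-/etc/squid/squid.conf}" && echo "http_access order OK" ;;
esac
```

Run `sh intercept.sh show` to see the rules, `sh intercept.sh check /etc/squid/squid.conf` to lint the access rules, and `sh intercept.sh apply` as root to install them; the INPUT and nat rules append to whatever policy is already loaded, so check `iptables -S` and `iptables -t nat -S` afterwards.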