Hello, this is a cross-post from the squid mailing list. I'm trying to run squid proxy within a network namespace. Despite what I believe is a well-configured unit, when I send a curl request over the proxy, the IP shown is the one from the physical net namespace instead of the one I want the unit to run in (`vpn`), which means the process is not running where I'd like it to run.
I'm assuming it must be related to some specific behavior of `squid` (forking?), because if I use the same unit for `tinyproxy`, everything works as expected.

**More details**

I have configured a network namespace called `vpn`. That namespace only holds the VPN interface. I'm exploiting this neat trick for Wireguard: https://www.wireguard.com/netns/#the-new-namespace-solution, where you first create the wg0 interface in the "normal / physical namespace", then you move it into the dedicated one and things work :)

This is how I have configured the `squid` unit:

```
❯ systemctl cat squid
[Unit]
Description=Squid Web Proxy Server
Documentation=man:squid(8)
After=local-fs.target network.target network-online.target nss-lookup.target

[Service]
Type=notify
PIDFile=/run/squid.pid
ExecStartPre=/usr/sbin/squid --foreground -z
ExecStart=/usr/sbin/squid --foreground -sYC
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
NotifyAccess=all

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/squid.service.d/override.conf
[Service]
NetworkNamespacePath=/run/netns/vpn
BindReadOnlyPaths=/etc/netns/vpn/resolv.conf:/etc/resolv.conf:norbind

[Unit]
After=vpn.service
BindsTo=vpn.service
```

Squid Configuration
-------------------

```
❯ cat /etc/squid/squid.conf
acl SSL_ports port 443
acl Safe_ports port 80
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
http_access deny all
http_port 3129
cache deny all
coredump_dir /var/cache/squid
access_log stdio:/dev/null
```

```
❯ journalctl -b -u squid -e
Jan 04 23:43:17 xxxx systemd[1]: Starting Squid Web Proxy Server...
Jan 04 23:43:17 xxxx squid[107280]: 2026/01/04 23:43:17| Processing Configuration File: /etc/squid/squid.conf (depth 0)
Jan 04 23:43:17 xxxx squid[107280]: 2026/01/04 23:43:17| Created PID file (/run/squid.pid)
Jan 04 23:43:17 xxxx squid[107280]: Squid Parent: will start 1 kids
Jan 04 23:43:17 xxxx squid[107280]: Squid Parent: (squid-1) process 107282 started
Jan 04 23:43:17 xxxx squid[107282]: 2026/01/04 23:43:17 kid1| Processing Configuration File: /etc/squid/squid.conf (depth 0)
Jan 04 23:43:17 xxxx squid[107282]: 2026/01/04 23:43:17 kid1| Set Current Directory to /var/cache/squid
Jan 04 23:43:17 xxxx squid[107282]: 2026/01/04 23:43:17 kid1| Creating missing swap directories
Jan 04 23:43:17 xxxx squid[107282]: 2026/01/04 23:43:17 kid1| No cache_dir stores are configured.
Jan 04 23:43:17 xxxx squid[107280]: Squid Parent: squid-1 process 107282 exited with status 0
Jan 04 23:43:17 xxxx squid[107280]: 2026/01/04 23:43:17| Removing PID file (/run/squid.pid)
Jan 04 23:43:17 xxxx squid[107283]: Processing Configuration File: /etc/squid/squid.conf (depth 0)
Jan 04 23:43:17 xxxx squid[107283]: Created PID file (/run/squid.pid)
Jan 04 23:43:17 xxxx squid[107283]: Squid Parent: will start 1 kids
Jan 04 23:43:17 xxxx squid[107283]: Squid Parent: (squid-1) process 107287 started
Jan 04 23:43:17 xxxx squid[107287]: Processing Configuration File: /etc/squid/squid.conf (depth 0)
Jan 04 23:43:17 xxxx squid[107287]: Set Current Directory to /var/cache/squid
Jan 04 23:43:17 xxxx squid[107287]: Starting Squid Cache version 7.3 for x86_64-pc-linux-gnu...
Jan 04 23:43:17 xxxx squid[107287]: Service Name: squid
Jan 04 23:43:17 xxxx squid[107287]: Process ID 107287
Jan 04 23:43:17 xxxx squid[107287]: Process Roles: worker
Jan 04 23:43:17 xxxx squid[107287]: With 1024 file descriptors available
Jan 04 23:43:17 xxxx squid[107287]: Initializing IP Cache...
Jan 04 23:43:17 xxxx squid[107287]: DNS IPv6 socket created at [::], FD 7
Jan 04 23:43:17 xxxx squid[107287]: DNS IPv4 socket created at 0.0.0.0, FD 8
Jan 04 23:43:17 xxxx squid[107287]: Adding nameserver 10.128.0.1 from /etc/resolv.conf
Jan 04 23:43:17 xxxx squid[107287]: Adding nameserver fd7d:76ee:e68f:a993::1 from /etc/resolv.conf
Jan 04 23:43:17 xxxx squid[107287]: Logfile: opening log stdio:/dev/null
Jan 04 23:43:17 xxxx squid[107287]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
Jan 04 23:43:17 xxxx squid[107287]: Store logging disabled
Jan 04 23:43:17 xxxx squid[107287]: Swap maxSize 0 + 262144 KB, estimated 20164 objects
Jan 04 23:43:17 xxxx squid[107287]: Target number of buckets: 1008
Jan 04 23:43:17 xxxx squid[107287]: Using 8192 Store buckets
Jan 04 23:43:17 xxxx squid[107287]: Max Mem size: 262144 KB
Jan 04 23:43:17 xxxx squid[107287]: Max Swap size: 0 KB
Jan 04 23:43:17 xxxx squid[107287]: Using Least Load store dir selection
Jan 04 23:43:17 xxxx squid[107287]: Set Current Directory to /var/cache/squid
Jan 04 23:43:17 xxxx squid[107287]: Finished loading MIME types and icons.
Jan 04 23:43:17 xxxx squid[107287]: HTCP Disabled.
Jan 04 23:43:17 xxxx squid[107287]: Squid plugin modules loaded: 0
Jan 04 23:43:17 xxxx squid[107287]: Adaptation support is off.
Jan 04 23:43:17 xxxx squid[107287]: Accepting HTTP Socket connections at conn3 local=[::]:3129 remote=[::] FD 10 flags=9 listening port: 3129
Jan 04 23:43:17 xxxx systemd[1]: Started Squid Web Proxy Server.
```

--
rdb.is
Book a meeting with me: https://calendly.com/rdbisme
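
One way to confirm which network namespace each process of the unit actually runs in, rather than inferring it from the egress IP (an added example, not part of the original post). It compares the inode behind `/proc/<pid>/ns/net` with the inode of `/run/netns/vpn`; the function names and the `PROC_ROOT` variable are made up for this sketch, and `check_unit_netns` assumes a cgroup v2 hierarchy mounted at `/sys/fs/cgroup` and GNU `stat`.

```shell
#!/bin/sh
# Added example, not from the original post. PROC_ROOT is a hypothetical
# override so the comparison can be exercised against a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Inode of the network namespace a PID lives in. /proc/<pid>/ns/net is a
# symlink whose target looks like "net:[4026532345]".
pid_netns_inode() {
    link=$(readlink "$PROC_ROOT/$1/ns/net") || return 1
    link=${link#"net:["}
    printf '%s\n' "${link%"]"}"
}

# Inode of a named namespace. /run/netns/<name> is a bind mount of the
# namespace's nsfs entry, so stat reports the namespace inode itself.
named_netns_inode() {
    stat -L -c %i "$1"
}

# check_pids_in_netns NETNS_PATH PID...
# Prints one line per PID; returns 1 if any PID is outside the namespace.
check_pids_in_netns() {
    want=$(named_netns_inode "$1") || return 2
    shift
    rc=0
    for pid in "$@"; do
        have=$(pid_netns_inode "$pid") || { echo "pid=$pid gone"; continue; }
        if [ "$have" = "$want" ]; then
            echo "pid=$pid OK netns=$have"
        else
            echo "pid=$pid MISMATCH netns=$have expected=$want"
            rc=1
        fi
    done
    return $rc
}

# check_unit_netns UNIT NETNS_PATH
# Checks every process listed in the unit's cgroup (parent and kids alike).
check_unit_netns() {
    cg=$(systemctl show -p ControlGroup --value "$1") || return 2
    check_pids_in_netns "$2" $(cat "/sys/fs/cgroup$cg/cgroup.procs")
}

# Usage (as root): check_unit_netns squid.service /run/netns/vpn
```

Running it against both the `squid` and the `tinyproxy` units shows whether the two differ at the namespace level or only in how they pick their outgoing address.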
