# Squid doesn't work as transparent proxy

## newby

All works fine if I set up proxy settings in the browser, but if I redirect with iptables I get a message like:

```
While trying to retrieve the URL: http://dc.meganet.lt:81/indexx.php

The following error was encountered:

    * Access Denied.

      Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is root.

Generated Sat, 07 Oct 2006 21:54:35 GMT by darius.potencial.us (squid/2.6.STABLE4)
```

(I am testing with port 81.)

I have compiled squid with the ipf-transparent pam pf-transparent ssl USE flags,

and here is my squid.conf

```
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 16 MB
maximum_object_size 4096 KB
cache_dir ufs /home/cache 500 16 256
access_log /var/log/squid/access.log squid
debug_options ALL,1 33,2 28,9
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl my-network src 192.168.0.0/255.255.255.0
#acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 81
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
http_access deny all
http_access allow purge localhost
http_access allow localhost
http_access allow my-network
http_reply_access allow all
icp_access allow all
forwarded_for on
offline_mode off
```

Here is my cache.log file

```
2006/10/08 00:57:32| aclCheckFast: list: 0x7744b8
2006/10/08 00:57:32| aclMatchAclList: checking all
2006/10/08 00:57:32| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/10/08 00:57:32| aclMatchIp: '88.222.49.193' found
2006/10/08 00:57:32| aclMatchAclList: returning 1
2006/10/08 00:57:33| aclCheck: checking 'http_access allow all'
2006/10/08 00:57:33| aclMatchAclList: checking all
2006/10/08 00:57:33| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/10/08 00:57:33| aclMatchIp: '88.222.49.193' found
2006/10/08 00:57:33| aclMatchAclList: returning 1
2006/10/08 00:57:33| aclCheck: match found, returning 1
2006/10/08 00:57:33| aclCheckCallback: answer=1
2006/10/08 00:57:33| The request GET http://dc.meganet.lt:81/indexx.php is ALLOWED, because it matched 'all'
2006/10/08 00:57:33| aclCheck: checking 'cache deny QUERY'
2006/10/08 00:57:33| aclMatchAclList: checking QUERY
2006/10/08 00:57:33| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2006/10/08 00:57:33| aclMatchRegex: checking '/indexx.php'
2006/10/08 00:57:33| aclMatchRegex: looking for 'cgi-bin'
2006/10/08 00:57:33| aclMatchRegex: looking for '\?'
2006/10/08 00:57:33| aclMatchAclList: no match, returning 0
2006/10/08 00:57:33| aclCheck: NO match found, returning 1
2006/10/08 00:57:33| aclCheckCallback: answer=1
2006/10/08 00:57:33| aclCheckFast: list: 0x774668
2006/10/08 00:57:33| aclMatchAclList: checking all
2006/10/08 00:57:33| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/10/08 00:57:33| aclMatchIp: '88.222.49.193' found
2006/10/08 00:57:33| aclMatchAclList: returning 1
2006/10/08 00:57:33| aclCheck: checking 'http_reply_access allow all'
2006/10/08 00:57:33| aclMatchAclList: checking all
2006/10/08 00:57:33| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/10/08 00:57:33| aclMatchIp: '88.222.49.193' found
2006/10/08 00:57:33| aclMatchAclList: returning 1
2006/10/08 00:57:33| aclCheck: match found, returning 1
2006/10/08 00:57:33| aclCheckCallback: answer=1
2006/10/08 00:57:33| The reply for GET http://dc.meganet.lt:81/indexx.php is ALLOWED, because it matched 'all'
```

I really don't know where I made the mistake :Sad:

----------

## Norick

```
http_port 3128 transparent
https_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 8 MB
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
cache_dir ufs /var/cache/squid 100 16 256
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid
ftp_passive on
ftp_sanitycheck on
hosts_file /etc/hosts
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl my_network src SECRET/TOP
acl clients src SECRET/TOP
http_access allow my_network
http_access allow clients
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr root
cache_effective_user squid
cache_effective_group squid
visible_hostname SECRET
forwarded_for off
coredump_dir /var/cache/squid
```

```
$IPT -t nat -A PREROUTING -p tcp -s SECRET/TOP --dport 80 -j REDIRECT --to-port 3128
```

```
USE="logrotate pam sasl snmp ssl -customlog -follow-xff -ipf-transparent -ldap -nis -pf-transparent (-selinux) -underscores -zero-penalty-hit"
```

This one works.

----------

## mrness

Try adding

```
always_direct allow all
```

----------

## converter

*newby wrote:*

> All works fine if I set up proxy settings in the browser, but if I redirect with iptables I get a message like:
>
> ```
> While trying to retrieve the URL: http://dc.meganet.lt:81/indexx.php
> ...

Read /usr/portage/profiles/use.local.desc carefully; two of the USE flags you list are for BSD only:

```
net-proxy/squid:ipf-transparent - Adds transparent proxy support for systems using IP-Filter (only for *bsd)
net-proxy/squid:pf-transparent - Adds transparent proxy support for systems using PF (only for *bsd)
```

Visit the Squid wiki InterceptionProxy page and follow the instructions listed there.

*Quote:*

> And here is my squid.conf
>
> ```
> ...

----------

## newby

I added

```
always_direct allow all
```

but it doesn't help.

I tried Norick's config, but it doesn't help either; I tried recompiling with USE flags like Norick's, but I still get an error.

Maybe there is an alternative to squid (a transparent caching proxy for a small network of 9-10 computers) with an easy config?

----------

## converter

Did you read the squid wiki and follow the directions there?

The "access denied" page you list suggests that the squid.conf ACLs were not permitting requests from the IP address you were attempting access from.

The address listed in the log (88.222.49.193) would be denied access by the squid.conf you pasted because it's not part of any src definition that is given access with http_access allow.

Your cache.log snippet shows the routable IP listed above passing for 'allow all', yet the squid.conf you pasted doesn't include "http_access allow all".

If you want to figure this out you should be sure that the squid.conf you include is exactly what you were using when you generated any log output you paste.

Remember that if you change the squid configuration you need to tell squid to reconfigure itself, or restart it. The cheapest way to do this is to send a HUP signal with:

```
squid -k reconfigure
```

What does /var/log/squid/access.log show for the denied requests? It's important that we see the entire conversation between the cache and the client, including http response codes.

When you set up for transparent (intercept) mode, did you disable the proxy in your browser settings?

You can test from the command line on the box that the cache is running on, using the squidclient utility. To test a request from a client included in the network defined as my-network:

```
squidclient -l 192.168.0.1 "http://dc.meganet.lt:81/indexx.php"   # that's DASH LOWER CASE 'L'
```

If the request is accepted and all goes well, squidclient should proceed to dump the site content to the console.

----------

## newby

Sorry, my mistake, I posted incorrect info: I tried many different settings (I can't leave "allow all" on for a long time) and took the log from a different time.

Here are the latest logs, taken at the same time.

I disabled the proxy settings in the browser.

I ran `squidclient -l 192.168.0.1 "http://dc.meganet.lt"`

```
HTTP/1.0 302 Moved Temporarily
Date: Sun, 08 Oct 2006 19:32:03 GMT
Server: Apache
X-Powered-By: PHP/4.4.2
Location: http://dc.meganet.lt:81/indexx.php
Content-Length: 0
Content-Type: text/html
X-Cache: MISS from darius.potencial.us
X-Cache-Lookup: MISS from darius.potencial.us:3128
Via: 1.0 darius.potencial.us:3128 (squid/2.6.STABLE4)
Proxy-Connection: close
```

cache.log

```
2006/10/08 22:36:18| aclCheckFast: list: 0x7804d8
2006/10/08 22:36:18| aclMatchAclList: checking all
2006/10/08 22:36:18| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/10/08 22:36:18| aclMatchIp: '192.168.0.1' found
2006/10/08 22:36:18| aclMatchAclList: returning 1
2006/10/08 22:36:19| aclCheck: checking 'http_access allow manager localhost'
2006/10/08 22:36:19| aclMatchAclList: checking manager
2006/10/08 22:36:19| aclMatchAcl: checking 'acl manager proto cache_object'
2006/10/08 22:36:19| aclMatchAclList: no match, returning 0
2006/10/08 22:36:19| aclCheck: checking 'http_access deny manager'
2006/10/08 22:36:19| aclMatchAclList: checking manager
2006/10/08 22:36:19| aclMatchAcl: checking 'acl manager proto cache_object'
2006/10/08 22:36:19| aclMatchAclList: no match, returning 0
2006/10/08 22:36:19| aclCheck: checking 'http_access allow purge localhost'
2006/10/08 22:36:19| aclMatchAclList: checking purge
2006/10/08 22:36:19| aclMatchAcl: checking 'acl purge method PURGE'
2006/10/08 22:36:19| aclMatchAclList: no match, returning 0
2006/10/08 22:36:19| aclCheck: checking 'http_access deny purge'
2006/10/08 22:36:19| aclMatchAclList: checking purge
2006/10/08 22:36:19| aclMatchAcl: checking 'acl purge method PURGE'
2006/10/08 22:36:19| aclMatchAclList: no match, returning 0
2006/10/08 22:36:19| aclCheck: checking 'http_access deny !Safe_ports'
2006/10/08 22:36:19| aclMatchAclList: checking !Safe_ports
2006/10/08 22:36:19| aclMatchAcl: checking 'acl Safe_ports port 80          # http'
2006/10/08 22:36:19| aclMatchAclList: no match, returning 0
2006/10/08 22:36:19| aclCheck: checking 'http_access deny CONNECT !SSL_ports'
2006/10/08 22:36:19| aclMatchAclList: checking CONNECT
2006/10/08 22:36:19| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2006/10/08 22:36:19| aclMatchAclList: no match, returning 0
2006/10/08 22:36:19| aclCheck: checking 'http_access allow my_network'
2006/10/08 22:36:19| aclMatchAclList: checking my_network
2006/10/08 22:36:19| aclMatchAcl: checking 'acl my_network src 192.168.0.0/255.255.255.0'
2006/10/08 22:36:19| aclMatchIp: '192.168.0.1' found
2006/10/08 22:36:19| aclMatchAclList: returning 1
2006/10/08 22:36:19| aclCheck: match found, returning 1
2006/10/08 22:36:19| aclCheckCallback: answer=1
2006/10/08 22:36:19| The request GET http://dc.meganet.lt is ALLOWED, because it matched 'my_network'
2006/10/08 22:36:19| aclCheck: checking 'cache deny QUERY'
2006/10/08 22:36:19| aclMatchAclList: checking QUERY
2006/10/08 22:36:19| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2006/10/08 22:36:19| aclMatchRegex: checking ''
2006/10/08 22:36:19| aclMatchRegex: looking for 'cgi-bin'
2006/10/08 22:36:19| aclMatchRegex: looking for '\?'
2006/10/08 22:36:19| aclMatchAclList: no match, returning 0
2006/10/08 22:36:19| aclCheck: NO match found, returning 1
2006/10/08 22:36:19| aclCheckCallback: answer=1
2006/10/08 22:36:19| aclCheckFast: list: (nil)
2006/10/08 22:36:19| aclCheckFast: no matches, returning: 1
2006/10/08 22:36:19| aclCheckFast: list: 0x780688
2006/10/08 22:36:19| aclMatchAclList: checking all
2006/10/08 22:36:19| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/10/08 22:36:19| aclMatchIp: '192.168.0.1' found
2006/10/08 22:36:19| aclMatchAclList: returning 1
2006/10/08 22:36:19| aclCheck: checking 'http_reply_access allow all'
2006/10/08 22:36:19| aclMatchAclList: checking all
2006/10/08 22:36:19| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/10/08 22:36:19| aclMatchIp: '192.168.0.1' found
2006/10/08 22:36:19| aclMatchAclList: returning 1
2006/10/08 22:36:19| aclCheck: match found, returning 1
2006/10/08 22:36:19| aclCheckCallback: answer=1
2006/10/08 22:36:19| The reply for GET http://dc.meganet.lt is ALLOWED, because it matched 'all'
```

access.log

```
1160336179.077      4 192.168.0.1 TCP_MISS/302 374 GET http://dc.meganet.lt - DIRECT/88.222.0.4 text/html
```

squid.conf

```
http_port 3128 transparent
https_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 8 MB
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
cache_dir ufs /var/cache/squid 100 16 256
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid
ftp_passive on
ftp_sanitycheck on
hosts_file /etc/hosts
debug_options ALL,1 33,2 28,9
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 81
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl my_network src 192.168.0.0/255.255.255.0
acl clients src 88.222.49.193
http_access allow my_network
http_access allow clients
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr root
cache_effective_user squid
cache_effective_group squid
visible_hostname darius.potencial.us
forwarded_for off
coredump_dir /var/cache/squid
```

`iptables -t nat --line-numbers -nvxL | grep 3128`  (eth2 is the WAN interface)

```
1           0        0 REDIRECT   tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:81 redir ports 3128
1           0        0 REDIRECT   tcp  --  *      eth2    0.0.0.0/0            0.0.0.0/0           tcp dpt:81 redir ports 3128
```

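Added example, not code from the thread or from Squid: a small Python model of how Squid walks `http_access` (first matching rule wins, every ACL on a line must match, `!` negates, and no match yields the opposite of the last rule). The ACL names, networks and rule order are copied from newby's first squid.conf and from the last one posted above; the request dicts are constructed. It shows that a `deny all` placed before the allow lines denies every client, including 192.168.0.1, and that port 81 is refused by `deny !Safe_ports` unless `acl Safe_ports port 81` is present.

```python
"""Added model of how Squid walks http_access: rules are tried in order, a
rule matches only when every ACL on it matches ('!' negates one), the first
matching rule decides, and if none matches the opposite of the last applies."""
import ipaddress

def acl_src(*nets):
    # 'acl NAME src ...'; ipaddress accepts the dotted netmasks squid.conf uses
    nets = [ipaddress.ip_network(n, strict=False) for n in nets]
    return lambda req: any(ipaddress.ip_address(req["src"]) in n for n in nets)

def acl_port(*ports):
    # 'acl NAME port ...' with single ports or lo-hi ranges; repeated lines
    # for one ACL name are a union, so every value goes into one predicate
    ranges = []
    for p in ports:
        lo, _, hi = p.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return lambda req: any(lo <= req["port"] <= hi for lo, hi in ranges)

def acl_method(m):
    return lambda req: req["method"] == m

def http_access(rules, acls, req):
    """Return (decision, rule) for a constructed request dict (src/port/method)."""
    for action, names in rules:
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, " ".join([action] + names)
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), "no rule matched"

# ACL lines and rule order from newby's first squid.conf: 'deny all' is first
FIRST_ACLS = {"all": acl_src("0.0.0.0/0.0.0.0"), "purge": acl_method("PURGE"),
              "localhost": acl_src("127.0.0.1/255.255.255.255"),
              "my-network": acl_src("192.168.0.0/255.255.255.0")}
FIRST_RULES = [("deny", ["all"]), ("allow", ["purge", "localhost"]),
               ("allow", ["localhost"]), ("allow", ["my-network"])]

# newby's last squid.conf (Norick's rule order, plus 'acl Safe_ports port 81')
SAFE_PORTS = ["80", "81", "21", "443", "563", "70", "210", "1025-65535",
              "280", "488", "591", "777", "901"]

def later_acls(safe_ports):
    return {"all": acl_src("0.0.0.0/0.0.0.0"), "purge": acl_method("PURGE"),
            "localhost": acl_src("127.0.0.1/255.255.255.255"),
            "manager": lambda r: r.get("proto") == "cache_object",
            "SSL_ports": acl_port("443", "563"), "Safe_ports": acl_port(*safe_ports),
            "CONNECT": acl_method("CONNECT"), "clients": acl_src("88.222.49.193"),
            "my_network": acl_src("192.168.0.0/255.255.255.0")}

LATER_RULES = [("allow", ["manager", "localhost"]), ("deny", ["manager"]),
               ("allow", ["purge", "localhost"]), ("deny", ["purge"]),
               ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
               ("allow", ["my_network"]), ("allow", ["clients"]),
               ("allow", ["localhost"]), ("deny", ["all"])]
```

Dropping "81" from SAFE_PORTS reproduces Norick's Safe_ports list, so the same model answers why a redirected port-81 request is refused under that config.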
----------

## converter

The 302 response from the target server should be passed back to your client by squid, then your client should make another request to port 81. It would be helpful to see that request conversation in the logs. You can also test the request to port 81 with squidclient by appending :81 to the authority part of the URL:

```
squidclient -l 192.168.0.1 "http://dc.meganet.lt:81"
```

----------

## mrness

In a transparent web proxy setup you need to redirect the standard web port, namely 80, through the cache.

I don't know if squid is capable of functioning as a transparent proxy for additional ports.

----------

