Just a basic question: is there an ACL allowing your hosts in
squid.conf? Squid will promptly answer with a 403 error otherwise.
Em 20/07/2016 16:42, Guilherme Scaglia escreveu:
Hi.
I've being trying to setup a local squid server on my home LAN to
cache HTTP (not HTTPS) pages. I want to avoid any client
configuration, so I'm aiming for a transparent proxy - with squid in
intercept mode.
In my network setup, the squid server is inside the LAN together with
its clients, and not siting between the clients and the router/modem
like all guides assume. Furthermore, requests originating from the
same machine where squid is running should be cached as well.
I've setup squid inside a docker container, on a fedora 24 image. The
squid version is 3.5.19. On squid.conf I've added a new http_port
line, for port 8080 with the intercept flag:
http_port 8080 intercept
My router is a Mikrotik router board, so it's trivial to setup
a DNAT rule to redirect all TCP requests to the squid server. To avoid
forward loops, I've marked all packets originating from squid with
DSCP 4 using iptables rules, and excluded those from the DNAT rule on
the router. I've tested this by running wget requests from inside the
docker container, and those went by without any redirection.
Now comes the problem:
When any of the redirected requests reach squid, squid will reply
instantly with TCP_MISS/403. Since all traffic from the squid machine
is marked with a specific DSCP, it's also easy to see squid made no
requests to the outside world before giving that reply. Running
tcpdump on the host machine shows no other packets are being sent
other than the 403 reply.
What's happening? why doesn't squid tries to fetch the request pages
at all?
From my understanding, my setup is roughly equivalent to
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat, only
the DNAT is happening outside the squid box; There is no reason this
should interfere with anything.
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
seens to recommend routing without DNAT; This seems weird, as the only
way I can see this working is if the squid machine accepted packets to
any address as their own.
TL;DR:
When running squid in intercept mode, inside a docker container,
routing traffic to it through dst-nat rules on a external router,
squid will reply with '403 forbidden' to all requests. Access.log
lists TCP_MISS/403, but tcpdump indicates that squid is never trying
to query the requested page at all.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
