I ended up using redsocks for the transparent proxy, which is working perfectly for me now. I don't need to configure squid for this after all.
On Wed, Feb 24, 2021 at 7:21 AM Justin Schwartzbeck <justinms...@gmail.com> wrote:

> I believe I have solved the forwarding loop issue by adding a preceding
> rule to -j ACCEPT all traffic originating from the docker network. Now I
> still have the SSL_ERROR_RX_RECORD_TOO_LONG issue, which seems to be
> unrelated. I will set logging to debug and do a wireshark session to see
> what might be going on.
>
> Get BlueMail for Android <http://www.bluemail.me/r?b=16470>
>
> On Feb 23, 2021, at 8:14 PM, Justin Michael Schwartzbeck <justinms...@gmail.com> wrote:
>>
>> Hi all,
>>
>> For some years I have used squid 3.5 with SSL bump and transparent proxy
>> locally on my laptop. I have been using the following in my squid.conf:
>>
>> ssl_bump server-first all
>> http_port 3128
>> http_port 3129 intercept
>> http_port 3130 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/bluestar.crt key=/etc/squid/ssl/bluestar.pem
>>
>> So if I want to manually set the proxy on the client side, I use port
>> 3128, but by default all http/https traffic is redirected to port 3129 and
>> 3130, respectively. Here are my iptables rules:
>>
>> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j RETURN
>> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner dockeruser -j RETURN
>> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
>> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner root -j RETURN
>> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner dockeruser -j RETURN
>> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
>>
>> dockeruser is the user that starts the docker container, and proxy is the
>> actual squid user. I didn't know which one I needed a rule for, so I just
>> chose both.
>>
>> As I said before, this worked great when I was running squid 3.5 on bare
>> metal. Now I am running squid 4 in a docker container. I am seeing the
>> following error many times in the squid logs when I try to use the
>> transparent proxy:
>>
>> 2021/02/24 01:45:17| WARNING: Forwarding loop detected for:
>> GET /success.txt HTTP/1.1
>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
>> Accept: */*
>> Accept-Language: en-US,en;q=0.5
>> Accept-Encoding: identity,gzip,deflate
>> Pragma: no-cache
>> Via: 1.1 19deb96addda (squid/4.11)
>> X-Forwarded-For: 172.18.0.1
>> Cache-Control: no-cache
>> Host: detectportal.firefox.com
>>
>> And from firefox I see this:
>>
>> WARNING: Forwarding loop detected for
>> SSL_ERROR_RX_RECORD_TOO_LONG
>>
>> I feel like I am very close, but I'm not sure what I am missing. Does
>> someone else know of a better way to do this? I had assumed that since I
>> publish the ports, I should be able to redirect to them the same way I
>> would if squid were running locally.
>>
>> I would appreciate any help in figuring this out.
>>
>> Thanks,
>>
>> -Justin
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
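The "Forwarding loop detected" warning quoted above is raised when Squid finds its own Via entry already in the request it is about to forward: the logged header `Via: 1.1 19deb96addda (squid/4.11)` names the container's own hostname, so the REDIRECT sent Squid's outbound request straight back into Squid. The following is an added illustration (not code from the thread or from Squid) of that check, parsing a Via header into hops and testing whether the local hostname is one of them; the header value is constructed from the log excerpt.

```python
import re

# One Via hop: received-protocol RWS received-by [RWS comment]  (RFC 7230 5.7.1)
_HOP = re.compile(r"^(\S+)\s+(\S+)\s*(?:\((.*)\))?$")


def parse_via(header: str) -> list[tuple[str, str, str]]:
    """Split a Via header into (protocol, received-by, comment) hops.

    Hops are comma separated, but a parenthesised comment may itself
    contain commas, so parenthesis depth is tracked instead of split(",").
    """
    hops, buf, depth = [], [], 0
    for ch in header:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == "," and depth == 0:
            hops.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    hops.append("".join(buf))

    parsed = []
    for raw in hops:
        m = _HOP.match(raw.strip())
        if m:
            proto, received_by, comment = m.groups()
            parsed.append((proto, received_by, comment or ""))
    return parsed


def forwarding_loop(via_header: str, my_hostname: str) -> bool:
    """True if this proxy's own hostname is already a received-by hop.

    That is the condition behind Squid's warning: the request has already
    been forwarded by this instance, so forwarding it again only loops it.
    """
    return any(by.lower() == my_hostname.lower()
               for _, by, _ in parse_via(via_header))


# Constructed from the Via line in the thread's log; 19deb96addda is the
# container hostname that Squid 4.11 stamped into the header.
LOOPED_REQUEST_VIA = "1.1 19deb96addda (squid/4.11)"

if __name__ == "__main__":
    print(parse_via(LOOPED_REQUEST_VIA))
    print("loop:", forwarding_loop(LOOPED_REQUEST_VIA, "19deb96addda"))
```

A request that has passed through the host's own Squid and another upstream proxy yields two hops, and only the hop whose received-by matches the local hostname signals a loop.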