Hello Team,

I hope you are well. I have been working with the Squid proxy for the past
few months and have hit a dead end while setting up a
transparent proxy.
My goal is to set up a squid proxy as a transparent proxy for http.
Below is the config file (I have included only the important parts, not all of it).
I have a Fedora box as the client, where I have mapped a demo website to the
Squid proxy IP in the
/etc/hosts file, forcing it to go to the Squid proxy:
my.squid.ip.address     www.neverssl.com

The server has the configuration and output shown below.
_________
http_port 0.0.0.0:3128
http_port 192.168.124.130:3130 intercept
acl SSL_ports port 443
acl Safe_ports port 80 443 3128 3129 3130 3131 21 70 210 280 488 591 777
1025-65535
# === ACLs and Access Rules ===
acl localnet src 192.168.124.0/24
acl fedora_client src 192.168.0.0/16
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80 443 3128 3129 3130 3131 21 70 210 280 488 591 777
1025-65535
acl CONNECT method CONNECT
http_access allow all

logformat MyLogFormat  ---> local_time="[%tl]" squid_service=%{service}note
squid_status=%Ss squid_hierarchy_status=%Sh |
lb_sessionid=%{X-SSL-sessionid}>h | **FLOW1** src_ip=%>a src_port=%>p
squid_ingress_ip=%>la squid_ingress_port=%>lp | **FLOW2**
squid_egress_ip=%<la squid_egress_port=%<lp dst_ip=%<a dst_host=%<A
dst_port=%<p ident_username=%[ui username=%[un request_method=%rm
request="%rm %ru HTTP/%rv" dst_url="%ru" status_code_from_server=%>Hs
status_code_to_client=%<Hs referer="%{Referer}>h"
user_agent="%{User-Agent}>h" protocol_version=%rv ** dns_response_time=%dt
response_time=%tr mime_type=%mt *XFER* total_request_size=%>st
total_reply_size=%<st ** %{src_zone}note %{dst_zone}note
%{method_category}note %{dst_category}note %{file_upload}note ** REQUEST
HEADERS %>h *** RESPONSE HEADERS %<h *** tag_returned=%et tag_string="%ea"
previous_hop_mac=%>eui peer_response_time=%<pt total_response_time=%<tt
*SSL* src_ssl_negotiated_version=%ssl::>negotiated_version
dst_ssl_negotiated_version=%ssl::<negotiated_version
src_tls_hello_version=%ssl::>received_hello_version
 dst_tls_hello_version=%ssl::<received_hello_version
src_tls_max_version=%ssl::>received_supported_version
dst_tls_max_version=%ssl::<received_supported_version
src_tls_cipher=%ssl::>negotiated_cipher
dst_tls_cipher=%ssl::<negotiated_cipher ssl_bump=%<bs
ssl_bump_mode=%ssl::bump_mode ssl_sni=%ssl::>sni
src_cert_subject="%ssl::>cert_subject" src_cert_issuer="%ssl::>cert_issuer"
dst_cert_subject="%ssl::<cert_subject" dst_cert_issuer="%ssl::<cert_issuer"
cert_errors="%ssl::<cert_errors" ssl_handshake="%>handshake" ***
error_page_presented=%err_code err_detail="%err_detail"
 rule_id=%{ruleid}note rule_type=%{ruletype}note
 XFF="%{X-Forwarded-For}>h" squid_dst_app=%{dst_app}note
SkipSsl=%{SkipSslDecrypt}note BrokenButTrusted=%{BrokenButTrusted}note | **
dns_response_time=%dt peer_response_time=%<pt total_response_time=%<tt
response_time=%tr |

__________
Below is the output of netstat:
[root@redhat squid]# netstat -tulnp | grep -i squid
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
     935/(squid-1)
tcp        0      0 192.168.124.130:3130    0.0.0.0:*               LISTEN
     935/(squid-1)
____________
Below are the iptables rules:
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 #iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
 #iptables -A INPUT -p tcp --dport 3130 -j ACCEPT
#iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 80 -j REDIRECT
--to-port 3130
___________________
Below is the log output (Flow 1 is from client to proxy; Flow 2
is from proxy to destination) while running curl from the client. The
proxy is not reaching the destination server but is instead talking to itself.
**FLOW1** src_ip=192.168.124.1 src_port=53564
squid_ingress_ip=192.168.124.130 squid_ingress_port=3130
**FLOW2** squid_egress_ip=192.168.124.130 squid_egress_port=44378
dst_ip=192.168.124.130 dst_host=www.neverssl.com dst_port=3130
ident_username=- username=- request_method=GET request="GET
http://www.neverssl.com/ HTTP/1.1" dst_url="http://www.neverssl.com/";
status_code_from_server=403 status_code_to_client=403 referer="-"
user_agent="curl/8.9.1" protocol_version=1.1 ** dns_response_time=22
response_time=24 mime_type=text/html *XFER* total_request_size=132
total_reply_size=4127 ** - - - - - ** REQUEST HEADERS
User-Agent:%20curl/8.9.1%0D%0AAccept:%20*/*%0D%0AProxy-Connection:%20Keep-Alive%0D%0AHost:%
20www.neverssl.com%0D%0A *** RESPONSE HEADERS
HTTP/1.1%20403%20Forbidden%0D%0AServer:%20squid/5.5%0D%0AMime-Version:%201.0%0D%0ADate:%20Mon,%2007%20Apr%202025%2015:00:52%20GMT%0D%0AContent-Type:%20text/html;charset=utf-8%0D%0AContent-Length:%203633%0D%0AX-Squid-Error:%20ERR_ACCESS_DENIED
-------------------

P.S.: I have had good success setting it up as an explicit proxy by configuring the
proxy IP in the browser, but that is not the ultimate goal.
I would appreciate any help that you can offer in this regard.
