On 19.06.25 15:29, Brendan Kearney wrote:
> i am trying to setup a transparent or intercept proxy, where a client does not know or is not configured to use a proxy, but winds up going through squid instances.  i have an iptables firewall, and can perform DNAT,

DNAT is dangerous, because the proxy on remote machine loses the real IP the connection was directed to. You need to use policy routing, where you forward packets on other host which will intercept the connections itself.

> to point the traffic at a haproxy VIP.  the haproxy VIP will use least-conn load balancing to pick which of my 3 squid instances to send the traffic to.  i would like to configure the squid instances to handle the traffic coming in this way.

> i am unclear as to the differences between intercept and tproxy, so some clarity there would be helpful.

"intercept" intercepts connection to remote hosts and handles it (and replies) locally. The proxy fakes being the destination server to the client.

"tproxy" does the same, but even changes the client's IP, as if the connection came from the client. The proxy fakes being the client to the server (in addition to the above).

You don't need tproxy if your clients and proxy are behind NAT, translating to the same IP.

> i believe transparent requires that the NAT'ing be done "on-box" as opposed to across the network by my router.  is this accurate?  are there any other differences?  which is the appropriate mechanism for my use case?

Again, don't do DNAT.

If you redirect HTTP connections on your router to the proxy, use policy routing and do intercept on the proxy.

> the connection chain would look something like this:
>
> client -> router (DNAT to VIP) -> haproxy VIP (port 3129, SNAT to VIP IP) -> squid (port 3129) -> internet
>
> is this kind of config viable, and if so, what pieces do i have wrong?  in this scenario is transparent or intercept the proper means within squid?

You need to find out how HAPROXY handles intercepted connections.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
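Added example, not from the thread or the Squid project: the layout Matus recommends, with the router doing policy routing instead of DNAT and Squid's intercept port fed by a REDIRECT on the Squid host itself. PROXY_IP, LAN_IF and the routing table number are constructed placeholders, and the HAProxy tier from Brendan's chain is deliberately left out.

```shell
#!/bin/sh
# Added example, not from the thread: router-side policy routing plus proxy-side
# interception, i.e. the "don't DNAT on the router" setup described above.
# Every address and interface is a constructed placeholder; the HAProxy tier is omitted.
PROXY_IP="${PROXY_IP:-192.0.2.10}"   # assumed: Squid host, on the router's LAN segment
LAN_IF="${LAN_IF:-eth0}"             # assumed: router's LAN-facing interface
TABLE_ID=100                         # assumed: spare routing table number

# Router: mark LAN port-80 flows (except the proxy's own) and send them to the proxy
# via a separate routing table. The destination IP is left untouched, which is what
# lets Squid later see where the client really wanted to go.
router_rules() {
  cat <<EOF
iptables -t mangle -A PREROUTING -i $LAN_IF ! -s $PROXY_IP -p tcp --dport 80 -j MARK --set-mark 1
ip rule add fwmark 1 lookup $TABLE_ID
ip route add default via $PROXY_IP table $TABLE_ID
EOF
}

# Proxy: packets arrive still addressed to the real web server; REDIRECT them on this
# box into Squid's intercept port. Squid recovers the original destination from the
# local kernel NAT table, something it cannot do when the NAT happened on the router.
proxy_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3129
EOF
}

# squid.conf: keep the explicit forward-proxy port and the intercept port separate.
# "intercept" is the mode for this NAT-on-box setup; "tproxy" would only be needed
# if Squid also had to present the client's own source IP to the origin server.
squid_conf() {
  cat <<EOF
http_port 3128
http_port 3129 intercept
EOF
}

# Run directly to print the three fragments for review before applying them per host.
printf '# --- router ---\n'; router_rules
printf '# --- proxy (Squid host) ---\n'; proxy_rules
printf '# --- squid.conf ---\n'; squid_conf
```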