  1. #1

    Squid Transparent Proxy Issues

    I have set up a VM running Linux 12.04 Server with Squid 3 installed; however, I am having some issues making it work transparently. I have added Transparent to the http_port line in squid.conf and I have added the following routing rule:

    sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.10:3128

    I have set up ACLs correctly to allow for my network (192.168.1.0/24 and for the localhost) and they seem to be working. On my client machine I have set up the following IP settings:

    IP Address: 192.168.1.44
    Sub mask: 255.255.255.0
    Gateway: 192.168.1.10
    DNS: 192.168.1.10

    If I point IE's proxy settings to 192.168.1.10 on port 80, all works fine and I can browse to sites no problem. However, once I take the proxy settings out I am unable to browse to sites using the hostname, but if I browse to an IP (74.125.224.72 for Google) it works fine.

    The Squid VM has eth1 (LAN side) configured on the 192 and eth0 is on 10.xxx.xxx.xx (WAN side). An upstream proxy to LSN is also set up in the squid.conf. Both my DNS servers on the WAN side of the Squid are set up in the resolv.conf file; I have also tried adding them into the squid.conf using the dns_nameservers option.

    No matter what I try I can't seem to be able to browse to sites using the FQDN, but can using an IP when in Transparent mode.

    Any ideas would be much appreciated!

    Rob

  2. #2


    tom_newton
    Is DNS pooched on your client machine? With a traditional proxy you can get away with it, as the proxy does lookups; with transparent, the client does lookups.

  3. #3

    Yep, tried putting the DNS servers in squid.conf, still no luck :/

    cheers,

    Rob

  4. #4

    @tom_newton pooched? Sorry, I don't follow

  5. #5

    jinnantonnixx
    Originally posted by robjcrowston:
    Yep, tried putting the DNS servers in squid.conf, still no luck :/

    cheers,

    Rob
    I deleted my post after I saw you'd already tried this.

  6. #6
    robk
    Originally posted by robjcrowston:
    @tom_newton pooched? Sorry, I don't follow
    Broken, fudged or otherwise not working is what I suspect Tom means.

    For transparent to work the client PC needs to know where to find all websites, not just local ones.

  7. #7

    Okay, so DNS lookups are not working. What is best practice? Should I install something like dnsmasq on my Squid server to handle this? As these clients are on a different subnet they won't see our main DNS servers.

    I wasn't aware that the proxy wouldn't handle lookups in Transparent mode.

    Thanks,

    Rob

  8. #8

    twin--turbo
    BIND should handle DNS on your server from a basic install.

    Then just set that as the DNS server on the clients.

  9. #9

    Fantastic! Thank you! Installed BIND and it's working now. Just need to figure out HTTPS now! haha

    Cheers,

    Rob

  10. #10

    twin--turbo
    HTTPS does not work through Squid transparent.

    Or at least that used to be the case.

    http://blog.davidvassallo.me/2011/03...-interception/

    Suggests it may be possible.
    Last edited by twin--turbo; 9th November 2012 at 02:25 PM.

  11. #11
    Duke5A
    Originally posted by robjcrowston:
    Just need to figure out HTTPS now! haha
    You're going to have a barrel of fun with this one. I eventually settled for making Squid work as a captive portal and redirecting people to a locally hosted page with directions for setting their browser to use it as a proxy instead of relying on transparent.

  12. #12

    Ah! Sounds like that isn't going to work then. All I really want HTTPS for is our OWA. Is there a simple way of directing HTTPS requests to DIRECT on my Squid box, so I could provide an internal link to the Exchange server?

    I've had a play creating routing rules for this but I'm not having much luck!

    Thanks for all your help,

    Rob

  13. #13

    twin--turbo
    Can you not just put in a proxy exception for the OWA server in the browser?

    Rob

  14. #14

    Unfortunately not, as the reason for the transparent proxy is so users who bring in their own devices don't have to do any configuration of their browsers. I was hoping for something more on the lines of a server-side exception, if that's possible?

  15. #15
    Duke5A
    Then if all you're looking to do is make this exception for OWA then it needs to be done with iptables. What you need to do is create a rule that routes all traffic destined to the OWA server directly to it and place it higher in the list than your port 80 redirect. I can't tell you how to do this off the top of my head though; it's time to practice some Google-Fu.
    Last edited by Duke5A; 12th November 2012 at 07:30 PM.
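
The rule ordering described in post #15, as an added example that is not part of the thread: an exemption for one host is inserted above the port 80 interception rule, and a checker confirms the order from an `iptables -t nat -S PREROUTING` listing. The interfaces, subnet and proxy address are taken from the first post; `OWA_IP` is a placeholder, and the function names, the forwarding rules and the assumption that the OWA server sits on the eth0 side are this example's own.

```shell
#!/bin/sh
# Added example. eth1, eth0, 192.168.1.0/24 and 192.168.1.10:3128 come from the
# first post; OWA_IP is a placeholder (documentation range), not a real address.
LAN_IF=eth1; WAN_IF=eth0
LAN_NET=192.168.1.0/24
PROXY=192.168.1.10:3128
OWA_IP=192.0.2.25
MATCH="-s $LAN_NET -d $OWA_IP -p tcp -m multiport --dports 80,443"

# Print the commands rather than run them, so the ruleset can be reviewed first.
emit_rules() {
    # Inserted at position 1: ACCEPT ends nat/PREROUTING traversal for this
    # connection, so the DNAT rule further down never rewrites it.
    echo "iptables -t nat -I PREROUTING 1 -i $LAN_IF $MATCH -j ACCEPT"
    # The port 80 interception rule stays below the exemption.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j DNAT --to-destination $PROXY"
    # Exempted traffic is routed, not proxied: allow only this host and these ports.
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF $MATCH -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Assumption: the WAN side has no route back to LAN_NET, so source-NAT it.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF $MATCH -j MASQUERADE"
}

# Reads `iptables -t nat -S PREROUTING` output on stdin. Succeeds only if a rule
# exempting host $1 appears before the first DNAT/REDIRECT rule.
bypass_precedes_redirect() {
    awk -v owa="$1" '
        $1 != "-A" { next }
        /-j (DNAT|REDIRECT)/ { redirect = 1; exit }
        /-j (ACCEPT|RETURN)/ {
            for (i = 1; i < NF; i++)
                if ($i == "-d" && ($(i+1) == owa || $(i+1) == (owa "/32"))) bypass = 1
        }
        END { exit !(bypass && redirect) }'
}

# Constructed sample listing, in the form iptables prints after the rules load.
sample_listing() {
    cat <<EOF
-P PREROUTING ACCEPT
-A PREROUTING -s $LAN_NET -d $OWA_IP/32 -i $LAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
-A PREROUTING -i $LAN_IF -p tcp -m tcp --dport 80 -j DNAT --to-destination $PROXY
EOF
}

emit_rules
sample_listing | bypass_precedes_redirect "$OWA_IP" && echo "exemption precedes redirect"
```

Keeping the exemption scoped to one destination and two ports means every other port 80 request from the LAN still passes through Squid's ACLs and logging.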
