9th November 2012, 11:24 AM #1
Squid Transparent Proxy Issues
I have set up a VM running Linux 12.04 Server with Squid 3 installed; however, I am having some issues making it work transparently. I have added Transparent to the http_port line in squid.conf and I have added the following routing rule:
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.10:3128
I have set up ACLs correctly to allow for my network (192.168.1.0/24 and the localhost) and they seem to be working. On my client machine I have set up the following IP settings:
IP Address: 192.168.1.44
Subnet mask: 255.255.255.0
Gateway: 192.168.1.10
DNS: 192.168.1.10
If I point IE's proxy settings to 192.168.1.10 on port 80, all works fine and I can browse to sites no problem; however, once I take the proxy settings out I am unable to browse to sites using the hostname, but if I browse to an IP (74.125.224.72 for Google) it works fine.
The Squid VM has eth1 (LAN side) configured on the 192 and eth0 on 10.xxx.xxx.xx (WAN side); an upstream proxy to LSN is also set up in squid.conf. Both my DNS servers on the WAN side of the Squid are set up in the resolv.conf file; I have also tried adding them into squid.conf using the dns_nameservers option.
No matter what I try, I can't seem to be able to browse to sites using the FQDN, but I can using an IP when in transparent mode.
Any ideas would be much appreciated!
Rob
9th November 2012, 12:01 PM #2
Is DNS pooched on your client machine? With a traditional proxy you can get away with it, as the proxy does lookups; with transparent, the client does lookups.
9th November 2012, 12:04 PM #3
Yep, tried putting the DNS servers in squid.conf, still no luck :/
Cheers,
Rob
9th November 2012, 12:06 PM #4
@tom_newton Pooched? Sorry, I don't follow.
9th November 2012, 12:10 PM #5
Originally Posted by robjcrowston
> Yep, tried putting the DNS servers in squid.conf, still no luck :/
> Cheers,
> Rob
I deleted my post after I saw you'd already tried this.
9th November 2012, 12:11 PM #6
Originally Posted by robjcrowston
Broken, fudged or otherwise not working is what I suspect Tom means.
For transparent to work the client PC needs to know where to find all websites, not just local ones.
9th November 2012, 12:15 PM #7
Okay, so DNS lookups are not working. What is best practice? Should I install something like dnsmasq on my Squid server to handle this? As these clients are on a different subnet they won't see our main DNS servers.
I wasn't aware that the proxy wouldn't handle lookups in transparent mode.
Thanks,
Rob
9th November 2012, 12:47 PM #8
BIND should handle DNS on your server from a basic install.
Then just set that as the DNS server on the clients.
9th November 2012, 02:17 PM #9
Fantastic! Thank you! Installed BIND and it's working now. Just need to figure out HTTPS now! haha
Cheers,
Rob
9th November 2012, 02:23 PM #10
HTTPS does not work through Squid transparent.
Or at least that used to be the case.
http://blog.davidvassallo.me/2011/03...-interception/
Suggests it may be possible.
Last edited by twin--turbo; 9th November 2012 at 02:25 PM.
9th November 2012, 03:05 PM #11
Originally Posted by robjcrowston
> Just need to figure out HTTPS now! haha
You're going to have a barrel of fun with this one. I eventually settled for making Squid work as a captive portal and redirecting people to a locally hosted page with directions for setting their browser to use it as a proxy instead of relying on transparent.
9th November 2012, 03:42 PM #12
Ah! Sounds like that isn't going to work then. All I really want HTTPS for is our OWA. Is there a simple way of directing HTTPS requests to DIRECT on my Squid box, so I could provide an internal link to the Exchange server?
I've had a play creating routing rules for this but I'm not having much luck!
Thanks for all your help,
Rob
9th November 2012, 06:07 PM #13
Can you not just put in a proxy exception for the OWA server in the browser?
Rob
12th November 2012, 01:14 PM #14
Unfortunately not, as the reason for the transparent proxy is so users who bring in their own devices don't have to do any configuration of their browsers. I was hoping for something more along the lines of a server-side exception, if that's possible.
12th November 2012, 07:26 PM #15
Then if all you're looking to do is make this exception for OWA, it needs to be done with iptables. What you need to do is create a rule that routes all traffic destined to the OWA server directly to it and place it higher in the list than your port 80 redirect. I can't tell you how to do this off the top of my head though; it's time to practice some Google-Fu.
Last edited by Duke5A; 12th November 2012 at 07:30 PM.
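The ordering point in #15 (the OWA bypass must sit above the port 80 redirect in nat PREROUTING) is easy to get wrong when rules are appended over time. Below is an added example, not from the thread or from any poster, of a POSIX sh check that reads an `iptables-save -t nat` dump and confirms an ACCEPT rule for the OWA host precedes the first port-80 DNAT/REDIRECT rule; the sample dump and the OWA address 192.168.1.20 are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output (not real data). The
# OWA host 192.168.1.20 is a placeholder; the DNAT line mirrors the rule
# from post #1. ACCEPT in nat PREROUTING ends nat processing for that
# connection, so OWA traffic is never handed to Squid.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -d 192.168.1.20/32 -p tcp -j ACCEPT
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Same rules appended in the wrong order: the redirect wins and OWA
# connections on port 80 would still be sent to the proxy.
SAMPLE_NAT_BAD='*nat
-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:3128
-A PREROUTING -i eth1 -d 192.168.1.20/32 -p tcp -j ACCEPT
COMMIT'

# check_bypass_order DUMP OWA_HOST
# Exit 0 when a PREROUTING rule that ACCEPTs traffic to OWA_HOST appears
# before the first port-80 DNAT/REDIRECT rule; exit 1 when the bypass is
# missing or comes after the redirect.
check_bypass_order() {
    printf '%s\n' "$1" | awk -v host="$2" '
        BEGIN { bypass = 0; redirect = 0 }
        /^-A PREROUTING / {
            n++; to_host = 0; accept = 0; dport80 = 0; nat = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-d" && ($(i+1) == host || $(i+1) == host "/32")) to_host = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
                if ($i == "--dport" && $(i+1) == "80") dport80 = 1
                if ($i == "-j" && ($(i+1) == "DNAT" || $(i+1) == "REDIRECT")) nat = 1
            }
            if (to_host && accept && !bypass) bypass = n   # first bypass rule
            if (dport80 && nat && !redirect) redirect = n  # first port-80 redirect
        }
        END {
            if (bypass == 0) exit 1
            if (redirect != 0 && bypass > redirect) exit 1
            exit 0
        }'
}

if check_bypass_order "$SAMPLE_NAT" 192.168.1.20; then
    echo "OK: OWA bypass precedes the port-80 redirect"
else
    echo "WARNING: OWA traffic would be redirected to Squid"
fi
```

On the live Squid box the same function can be fed real rules with `check_bypass_order "$(iptables-save -t nat)" <owa-ip>`.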