Hi Amos,
Thanks for the explanation. I switched to intercept yet once I restart
squid, I am still seeing the "No forward proxy ports configured".
The same machine later on will also be running IPtables since it has 2
NIC's in it.
Monah
On Sat, Nov 30, 2013 at 4:56 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 30/11/2013 10:26 a.m., Monah Baki wrote:
>> Hi all,
>>
>>
>> I'm trying to setup a transparent proxy squid 3.3.9 using the following URL:
>>
>>
>> http://www.broexperts.com/2013/03/squid-as-transparent-proxy-on-centos-6-4/
>>
>> What's the difference between
>>
>> http_port 3128 transparent
>
> The above expects all arriving traffic to be in HTTP port 80 origin
> server format. Used for receving intercept-proxy traffic.
>
> Also, the TCP level details are assumed to have passed through some form
> of NAT system and need to be un-NAT'd before use. In Squid since 3.2 if
> the original TCP details are not found in the NAT records some
> restrictions are placed on what happens with the request and response.
>
>
>> and
>> http_port 3128
>>
>
> This one expects all arriving traffic to be an HTTP proxy format. Used
> for receiving forward-proxy traffic.
>
>>
>> If I where to configure with http_port 3128 transparent and restart
>> squid I get in my access.log file:
>> ERROR: No forward-proxy ports configured.
>>
>> If I where to then browse, nothing happens.
>>
>> I am not running iptables by the way.
>
> iptables or some other NAT system is mandatory for getting the traffic
> to an intercept port. Squid is fetching the TCP details from the kernel
> NAT records and using that as the preferred destination on outbound
> connections.
>
> As for the tutorial. It is broken in several major ways. Which for a
> 8-line example is remarkable in itself. Consider following the official
> wiki configuration example instead
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>
>
> * The "transparent" option has been deprecated by "intercept" option
> since 2010.
>
> * Using DNAT rules without matching SNAT rules prevents TCP reply
> packets working at all. Im not surprised half teh comments are about it
> "not working".
>
> * Having both REDIRECT and DNAT rules on the same box is overkill
> anyway. DNAT is best for machines with a static IP address, REDIRECT for
> machines with dynamically assigned IP address or if writing examples for
> complete newbies.
>
> * Using port 3128 for the intercept port is a very BAD idea. There are
> active attacks in the wild scanning for open proxy ports and intercept
> without firewall protection on the port is ripe for attack. It should be
> a secret port which you can firewall away from all access beyond the
> machine itself. Only the NAT firewall and Squid need to use it.
>
>
> HTH
> Amos
Received on Sat Nov 30 2013 - 12:33:32 MST
This archive was generated by hypermail 2.2.0 : Sat Nov 30 2013 - 12:00:05 MST