Re: [squid-users] squid transparent proxy + parent proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 28 May 2011 04:53:22 +1200

On 28/05/11 04:16, Phillip Evans wrote:
>> You just said this was for "for external users.". Did you mean internal/LAN
>> users? The requirements and limits are very different.
>>
> My apologies, these are internal LAN users but external to the
> organisation's users, i.e. visitors.
>
> We want to allow them to just plug in their machines without
> configuring anything to access the internet
>
>> Also, it is unsafe to set the flags on port 3128. There are at least two
>> popular pieces of software around which scan port 80 and 3128 for transparent proxies
>> to abuse. Pick a random port for Squid and consider it a secret for use only
>> between squid and iptables. The main 3128 can stay open for management or
>> normal proxy traffic if you like.
>
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>> OR
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>
> Thanks. I'll change the proxy port once we've got it working.
>
> I tried both of the solutions in your links but neither worked.

There is something strange happening on your network.

  One of those two configs is how thousands of other networks around
the world do it and have done for most of the decade.

>
> Some more info: We have access to a normal broadband line (but can
> only use this for testing) so in the meantime I hooked up the squid
> box to this and the client could access the internet fine. I could see
> the requests in the squid access.log so I guess the port redirection
> and transparency must have been working.
>
> But when I put it back on our network and add the parent cache again
> it stops working (but still works if the client puts the squid proxy
> details in)

K. "something strange" is the bit between the wire plugged into Squid
box and the client PC.

>
> Just found out the external proxy is websense if that helps?

As I understand the situation you have now:
  * tested the link to the parent successfully.
  * tested the NAT interception on the Squid box
  * verified that client to port 3128 on the squid box is fine.
  * verified that client to random web IP port 80 does not get to the
Squid box.

It's pretty clear you have some device between Squid and the client which
is guarding port 80. Or failing to route global port 80 traffic to the
Squid box.

What is the network topology from the client all the way to Squid?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Fri May 27 2011 - 16:53:31 MDT

This archive was generated by hypermail 2.2.0 : Fri May 27 2011 - 12:00:03 MDT
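Added example, not code from the thread, the wiki pages it links, or the Squid project: the pieces of the setup being discussed, in the shape of the LinuxRedirect wiki page, with the intercept flag kept off port 3128, a Websense-style parent cache forced with never_direct, and a counter check for the question Amos ends on (does a visitor's port-80 traffic reach the Squid box at all?). The interface name, LAN range, secret port, parent hostname and port, and the iptables sample output are all assumptions; adjust them before use.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project. All interface names,
# addresses, ports and the parent hostname below are assumptions.

LAN_IF="${LAN_IF:-eth1}"                       # interface facing the visitor LAN (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"           # visitor LAN range (assumed)
SECRET_PORT="${SECRET_PORT:-3129}"             # intercept-only port; pick your own random one
PARENT_HOST="${PARENT_HOST:-websense.example}" # placeholder for the Websense parent proxy
PARENT_PORT="${PARENT_PORT:-8080}"             # placeholder parent port

# squid.conf fragment. Squid 3.1 spells the flag 'intercept'; Squid 2.7 uses
# 'transparent'. Merge it with the stock squid.conf; the usual manager,
# Safe_ports and localhost rules are left out here for brevity.
squid_conf() {
    cat <<EOF
# Normal proxy port for clients that enter the proxy details by hand. No
# intercept flag here, so port scanners find nothing to abuse on 3128.
http_port 3128
# Intercept-only port: never advertised, reached only through the iptables
# REDIRECT rule, and dropped at the firewall if anyone aims at it directly.
http_port ${SECRET_PORT} intercept
acl localnet src ${LAN_NET}
http_access allow localnet
http_access deny all
# Websense is the upstream; never_direct forces every request through it.
cache_peer ${PARENT_HOST} parent ${PARENT_PORT} 0 no-query default
never_direct allow all
EOF
}

# iptables rules in the LinuxRedirect style (Squid runs on the clients' gateway).
# Printed rather than executed so they can be reviewed before touching a firewall.
iptables_rules() {
    cat <<EOF
# Clients use this box as their default gateway, so forwarding must be on.
sysctl -w net.ipv4.ip_forward=1
# Port 80 arriving from the visitor LAN is rewritten to the intercept port.
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --dport 80 -j REDIRECT --to-port ${SECRET_PORT}
# Direct connections to the intercept port are dropped. mangle PREROUTING runs
# before nat PREROUTING, so this only matches packets that arrived with the
# secret port as destination, not the port-80 packets the rule above rewrites.
iptables -t mangle -A PREROUTING -p tcp --dport ${SECRET_PORT} -j DROP
EOF
}

# Packet count of the REDIRECT-to-$1 rule, read from 'iptables -t nat -vnxL PREROUTING'
# on stdin (-x keeps counters exact, without K/M suffixes). Prints 0 if the rule is absent.
redirect_hits() {
    awk -v port="$1" 'BEGIN { n = 0 }
        $3 == "REDIRECT" && $NF == port { n = $1 }
        END { print n }'
}

# Succeeds if the counter moved between two readings taken around a page load on a
# visitor PC. If it does not move, port-80 traffic is not arriving at the Squid box
# and the fault is upstream of it: a device eating port 80, or port 80 not routed here.
interception_seen() {
    [ "$2" -gt "$1" ]
}

# Constructed sample of 'iptables -t nat -vnxL PREROUTING' output, so this runs offline.
SAMPLE_BEFORE='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42       2520 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129'
SAMPLE_AFTER='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      57       3420 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129'

squid_conf
iptables_rules
before=$(printf '%s\n' "$SAMPLE_BEFORE" | redirect_hits "$SECRET_PORT")
after=$(printf '%s\n' "$SAMPLE_AFTER" | redirect_hits "$SECRET_PORT")
if interception_seen "$before" "$after"; then
    echo "port-80 traffic reaches Squid ($before -> $after packets)"
else
    echo "no port-80 traffic reaching Squid; look upstream of the Squid box"
fi
# Live use on the Squid box: iptables -t nat -vnxL PREROUTING | redirect_hits "$SECRET_PORT"
```

The counter check answers only the question in the thread, whether port-80 packets from the client arrive at the box; a non-moving counter with a working manual proxy on 3128 points at the path between client and Squid, not at the parent. The mangle DROP is what makes the secret port secret: without it, a scanner that guesses the port can use the box as an open intercept proxy.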