squid 2.6 transparent proxy

If you used squid 2.5 to build a transparent proxy and are now switching to 2.6, or you are setting up a transparent proxy for the first time and have found that most or all of the tutorials out there still cover squid 2.5, here is a brief howto for this setup.

In squid 2.6 the configuration options:
httpd_accel_host
httpd_accel_port
httpd_accel_with_proxy
httpd_accel_uses_host_header
are no longer recognised (see the squid 2.6 release notes). If your config file still contains them, squid logs an error such as "parseConfigFile: line 41 unrecognized: 'httpd_accel_host virtual'" and refuses to start.

To activate transparent (intercepting) proxying in squid 2.6 all you have to do is add the "transparent" option to http_port. Something like:

http_port 3128 transparent

Of course squid has to be compiled with transparent proxy support for netfilter (iptables), i.e. with --enable-linux-netfilter on the ./configure line, and the Linux kernel needs to be built with netfilter. You also need an iptables rule in the nat table that redirects packets arriving on your local network interface with destination port 80 to the port squid is listening on. Finally, the squid box has to be the gateway your clients route through (with IP forwarding enabled); if the packets never pass through it, there is nothing to redirect.

Assuming your local network interface is eth1 and squid listens on port 3128, here is the rule that has to be added to iptables. Note the -t nat: the REDIRECT target only exists in the nat table, and without it iptables will reject the rule.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
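The whole procedure above as one script, added here as an example that is not part of the original post: it converts a squid 2.5 style config to the 2.6 http_port form, installs the nat REDIRECT rule, and adds the forwarding and SNAT rules the box needs once it is the LAN gateway. The interface names, addresses and port (eth1, eth0, 192.168.0.250, 192.168.1.0/24, 3128) are assumptions; override them through the environment, and set RUN=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout: LAN_IF faces the
# workstations, EXT_IF faces the hardware router; both names and all addresses
# below are assumptions and can be overridden from the environment.
LAN_IF="${LAN_IF:-eth1}"
EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-192.168.0.250}"
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
RUN="${RUN:-}"   # empty = apply commands, "echo" = dry run

# 1. Config migration: read a squid.conf on stdin, drop the httpd_accel_*
#    directives that 2.6 no longer understands, and append "transparent" to
#    every http_port line that does not already carry it.
migrate_squid_conf() {
    sed -e '/^[[:space:]]*httpd_accel_/d' \
        -e '/^http_port[[:space:]]/{' \
        -e '/transparent/!s/$/ transparent/' \
        -e '}'
}

# 2. The REDIRECT target only exists in the nat table. Matching on the LAN
#    interface (not OUTPUT) keeps squid's own upstream fetches, which leave
#    via EXT_IF, from being redirected back into squid in a loop.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$1" "$2"
}

# 3. Everything that is not intercepted (and squid's own connections to the
#    origin servers) must still be forwarded and source-NATed by the gateway.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s ! -d %s -j SNAT --to-source %s\n' "$1" "$2" "$2" "$3"
}

apply_rules() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN $(redirect_rule "$LAN_IF" "$SQUID_PORT")
    $RUN $(snat_rule "$EXT_IF" "$LOCAL_NET" "$EXT_IP")
    # Check: the pkts counter on the REDIRECT line must climb while a client
    # browses; if it stays at 0 the traffic is not reaching this box.
    $RUN iptables -t nat -L -n -v
}

case "${1:-}" in
    apply)   apply_rules ;;               # sh squid26-intercept.sh apply
    convert) migrate_squid_conf ;;        # sh squid26-intercept.sh convert < squid.conf
esac
```

Run it with `convert` first and diff the result against your old squid.conf; the only changes should be the removed httpd_accel_* lines and the added "transparent" keyword. The `! -d $LOCAL_NET` clause keeps LAN-to-LAN traffic out of SNAT, and the rule order matters: PREROUTING intercepts before routing, POSTROUTING rewrites the source after it.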

16 thoughts on “squid 2.6 transparent proxy”

  1. But that does not make the cache work. I searched for months for how to make a transparent and caching proxy in 2.6 but found no solution, lol, so I returned to the 2.4 version because of that…

  2. If the redirect doesn’t work, try this:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

  3. Hey guys,

    I just came across this proxy and was wondering if you guys can help me out. I have the classic 192.168.0.0 subnet running at my organization with a hardware router that is also the gateway. I’ve been trying to get squid 2.6, running on Debian Etch with kernel 2.6, but with no success. I’ve gotten it to work by setting my IE to use a proxy but it doesn’t seem to want to work transparently. I’ve entered the iptables entry but still, same result. My setup is below:

    Compaq EN 1ghz, 512MB Ram with onboard Intel nic
    Installed Debian Etch from netinst CD with no packages.
    Configured NIC with IP 192.168.0.250 255.255.255.0 gw 192.168.0.2 dns 4.2.2.1
    Did apt-get install squid
    Configured squid.conf:
    http_port 3128 transparent
    acl lan src 192.168.0.0/24
    http_access allow localhost
    http_access allow lan

    Iptables entry:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    Can someone help me figure this out?

    Thanks,

  4. do you have ip forwarding enabled ?
    cat /proc/sys/net/ipv4/ip_forward should show 1. if not then : echo 1 > /proc/sys/net/ipv4/ip_forward
    and if you want this to work after a reboot put it somewhere like rc.local or /etc/sysctl.conf

  5. Hey Mihai,

    Ok so I’ve done the cat /proc/sys/net/ipv4/ip_forward thing and I not have ip forwarding on. I also made sure that the iptables entry is correct.

    I still cannot do transparent proxy. It only works when I manually set IE to use a proxy. Any ideas?

  6. did you also do : echo 1 > /proc/sys/net/ipv4/ip_forward
    ?

    if you run iptables -t nat -L -n -v does it show any packets matching the iptables rule that you added to PREROUTING ?

  7. Hey Mihai,

    I appreciate the help bro. I edited my sysctl.conf file and added net.ipv4.ip_forward = 1
    to it. So whenever I reboot, it automatically turns on ip forwarding. So I am not doing echo 1 > /proc/sys/net/ipv4/ip_forward.

    When I run iptables -t nat -L -n -v, this is what I get:

    Chain PREROUTING (policy ACCEPT 4 packets, 192 bytes)
    pkts bytes target prot opt in out source destination
    0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

  8. This machine has to act as the gateway for your local network. Do you have it configured this way? do you have a rule in the POSTROUTING chain for doing SNAT or something like that ? does that work ?

  9. Oh, so it will not work if it’s not the gateway? I have it set as a node on my LAN because I have a hardware firewall, a Netopia router. Do you know of any way to make transparent proxy work in this type of scenario?

  10. Of course it will not work. How would it be able to redirect packets to squid if the packets don’t even get to it?
    You can set this as the gateway and still use your hardware router, but you have to add another rule to POSTROUTING.

    iptables -t nat -A POSTROUTING -o $EXT_IF -s $LOCAL_NET ! -d $LOCAL_NET -j SNAT --to-source $EXT_IP
    $EXT_IF is your external interface ( the interface linked to the hardware router in your case )
    $LOCAL_NET is 192.168.0.0/24 in your case
    $EXT_IP is the ip assigned to your external interface ( 192.168.0.250 ? )

    you can use just one interface if you want and it can act as both an external and internal interface but you have to set it up to have two different ips ( in two different classes ) one for connecting to the hardware router and the other for your local network.
    You also have to set your workstations on your lan to have an ip in the same class as the one you set on your server for the local interface, and make the workstations use the server’s ip as the gateway not the hardware router.

  11. Rocky, you might be able to make it work in your scenario.
    You may be able to use WCCP or policy based routing.

    For WCCP you have to have a WCCP capable device in the path of the web traffic.
    So if either your firewall or router can do this, have a look at the squid wiki and the docs for the router for setting up WCCP.
    I have it working with a cisco, works fine and isnt too hard to set up.

    Policy routing is when you match traffic based on source, destination or port (or other things), then do something special to it.
    An example of this would be to match all web traffic passing through your router destined for an external address, you then redirect that traffic to your squid box. This all depends on how smart your router is.

    In either of these the squid box does not need to be in the direct path to see all your traffic, you just need one of your existing devices to have one or both of the above so it can flick web traffic to squid and send the rest the usual way.

  12. Guys

    The names of the directives seem to have changed in squid 2.6. Look at the comments in /etc/squid/squid.conf regarding transparent mode. Also see the sections pertaining to squid 2.6 in the second document:

    http://wiki.squid-cache.org/SquidFaq/InterceptionProxy

    Even I was struggling with a transparent proxy with squid 2.6 and I am still struggling with it! Perhaps the default squid that comes with 10.3 isn’t configured to be transparent – I know this sounds lame but what else could be the solution….

    httpd_accel commands are throwing errors, pre-routing and post-routing don’t work – I don’t see any other justified answer to this other than that squid needs to be compiled again with --enable-linux-netfilter

  13. The configuration works fine for me but I have to start with
    http_port 192.168.0.1:3128 transparent
    otherwise the settings are fine.
