Squid 3 Transparent Proxy

Squid works for me! It's just that it can be really hard to configure seeing as it has SAMBA syndrome - ie. you can configure it to be a proxy server, or a burnt toast shooter, or a small green apricot if you like.

Both SAMBA and Squid require all sorts of advanced knowledge of the thing you are trying to get them to do, and Squid comes with defaults that make it pretty useless (to me).

Anyway, I only ever use Squid as a transparent proxy at my Internet gateway in order to provide a network-wide Internet cache. Prior to Squid 3, this required a hand-full of mysterious options, and a firewall rule to redirect outgoing traffic through Squid.

That was fine, with pages like this helping.

In Squid 3, things have been simplified, but no-one seems to have thought it necessary to update anyone on the new procedure. An important ACL rule you need is:

always_direct allow all

After MUCH PAIN, here is the full solution:

http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl lan src
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname lesismore.co.za
always_direct allow all
coredump_dir /var/spool/squid

This listing was generated using grep to remove comments from the config file:

grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

You need to put the rule in Iptables as before, to redirect outgoing port 80 requests through Squid:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Things you will have to change from the above

  1. . squid.conf: acl lan src - you need to specify the IP ranges of your internal network
  2. . squid.conf: visible_hostname lesismore.co.za - you need to put your cache hostname here!
  3. . The firewall rule says eth0, assuming your internal lan facing network card is eth0. Change as needed.


I thought the always_direct directive might turn off caching, but according to the squid.conf comments:

# NOTE: This directive is not related to caching. The replies
# is cached as usual even if you use always_direct. To not cache
# the replies see no_cache.

Prior to turning on this option, the error I got was:

The requested URL could not be retrieved

While trying to retrieve the URL: http://www.toyota.co.za/

The following error was encountered:

* Unable to forward this request at this time.

This request could not be forwarded to the origin server or to any parent caches. 
    The most likely cause for this error is that:

* The cache administrator does not allow this cache to make direct connections 
    to origin servers, and
* All configured parent caches are currently unreachable.


Thanks to Mat Stace for pointing out that the line "broken_vary_encoding allow apache" is not valid as a Squid 3 directive.



Thanks for this article - it's great. Even better, I am running Squid 2.6STABLE16 
on Fedora 7 and this worked perfectly whereas the Squid 2.6 tutorials did not. I 
only changed the variables that you discussed above. My IP range is, 
which I believe is pretty common for small LANs. I also run Firestarter for a 
firewall and it doesn't seem to overwrite my port redirects in iptables 
when I restart Firestarter.

boyindia, March 4, 2008

But then your proxy is not taking care of https traffic.
How would you use Squid 3 to handle https traffic and the ip table rule to route 
traffic to squid port 3128.

Gautam, April 10, 2008

how do i configure squid to implement acl. I configured as you said but any acl is 
not working. Suppose i would like to block http://www.gmail.com. pls help me. 
you can send mail to me as (gautam2k8 At gmail)





This is the website of Leslie Viljoen. More info

log in