Squid Proxy server (not transparent) working on port 3128 and 80

I have a Squid Proxy server (Debian) working perfectly with authentication:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

I'd like that also client that try to get web pages using the proxy as gateway (port 80) get redirected on port 3128.

I've tried iptables:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

without luck because in that case my port 80 clients get an error:

The following error was encountered:

Invalid Request
Some aspect of the HTTP Request is invalid. Possible problems:

Missing or unknown request method
Missing URL
Missing HTTP Identifier (HTTP/1.0)
Request is too large
Content-Length missing for POST or PUT requests
Illegal character in hostname; underscores are not allowed

so I decided to simply let squid listen on both ports modifying squid.conf: 3128 and 80

http_port 80
http_port 3128

What happens?

A client regularly connecting to 3128 has to enter password and a client without proxy configured (and therefore working on port 80 because the squid is also firewall / router and gateway of our small network) can surf the internet without entering user/pass.

How can I solve the problem?

Iptables or squid.conf I don't care.

I understand that this will work but I don't want them to surf the web without authentication... I want to force everyone to authenticate.

It's a limitation and you'll have to chose being transparent or authenticate. To work with both, it needs to be on different ports. You could try NatACL(natacl.sourceforge.net), but it's pretty old stuff

The problem is just... I want to force users to authenticate. Even shutting down ip forwarding for port 80 would be fine but I can't achieve even this result... I tried: iptables -A INPUT -i eth0 -p tcp --dport 80 -j REJECT but they can surf anyway disabling proxy

If you want force users to auth, you'll need to block forward on the 80, and accept the INPUT and make the port forwarding, but you will still need to teach the users how to configure the proxy.

Official documentation about this: wiki.squid-cache.org/Features/…

Thank you for the link: I perfectly understand your point... Is mine clear? I want users to authenticate or to have internet surfing disabled... Not necessarily using squid... Let's say better: I want that the only way available to my users to surf the internet is squid on 3128, with auth. :)

And it is a prereq this auth be transparent, right? I mean, no user side configuration ok? :)

No, no! Sorry if I was unclear... All my users' browsers are already configured correctly to point to my squid on port 3128 and they authenticate without problems. I've just find out that disabling the proxy allows users to roam free on the internet and I want to prevent a smart user to achieve this kind of result :)

Ah, got it. Blocking through iptables should be enough to avoid users to forward directly: iptables -I FORWARD -i YOUR_INTERFACE -p tcp --dport 80 -j REJECT

let us continue this discussion in chat

You have to open 3129 port too: iptables -I INPUT -p tcp --dport 3129 -j ACCEPT