Squid Proxy server (not transparent) working on ports 3128 and 80
Make the transparent proxy listen on port 3129, and redirect every request coming in on port 80 to it:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
squid.conf:
http_port 3128
http_port 3129 transparent
This way, the transparent proxy will be the default option, and people who use it authenticated have to configure proxy:3128 in their browsers.
Pitto
Updated on September 18, 2022
Comments
- Pitto (over 1 year ago):
  I have a Squid Proxy server (Debian) working perfectly with authentication:
  auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
  I'd also like clients that try to get web pages using the proxy as gateway (port 80) to get redirected to port 3128.
  I've tried iptables:
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
  without luck, because in that case my port 80 clients get an error:
  The following error was encountered: Invalid Request Some aspect of the HTTP Request is invalid. Possible problems: Missing or unknown request method Missing URL Missing HTTP Identifier (HTTP/1.0) Request is too large Content-Length missing for POST or PUT requests Illegal character in hostname; underscores are not allowed
  so I decided to simply let squid listen on both ports, 3128 and 80, by modifying squid.conf:
  http_port 80
  http_port 3128
  What happens?
  A client regularly connecting to 3128 has to enter a password, and a client without a proxy configured (and therefore working on port 80, because the squid box is also the firewall / router and gateway of our small network) can surf the internet without entering user/pass.
  How can I solve the problem?
  Iptables or squid.conf, I don't care.
- Zoredache (about 11 years ago): I am having a difficult time trying to figure out what you want here.
- Pitto (about 11 years ago): I want to force all users to authenticate... right now if they disable the proxy they can surf freely.
- Pitto (about 11 years ago): I understand that this will work, but I don't want them to surf the web without authentication... I want to force everyone to authenticate.
- Admin (about 11 years ago): It's a limitation and you'll have to choose between being transparent or authenticating. To work with both, it needs to be on different ports. You could try NatACL (natacl.sourceforge.net), but it's pretty old stuff.
- Pitto (about 11 years ago): The problem is just... I want to force users to authenticate. Even shutting down IP forwarding for port 80 would be fine, but I can't achieve even this result... I tried: iptables -A INPUT -i eth0 -p tcp --dport 80 -j REJECT but they can surf anyway by disabling the proxy.
- Admin (about 11 years ago): If you want to force users to auth, you'll need to block forward on 80, accept the INPUT and make the port forwarding, but you will still need to teach the users how to configure the proxy.
- Admin (about 11 years ago): Official documentation about this: wiki.squid-cache.org/Features/…
- Pitto (about 11 years ago): Thank you for the link: I perfectly understand your point... Is mine clear? I want users to authenticate or to have internet surfing disabled... Not necessarily using squid... Let's say it better: I want the only way available to my users to surf the internet to be squid on 3128, with auth. :)
- Admin (about 11 years ago): And it is a prereq that this auth be transparent, right? I mean, no user-side configuration, OK? :)
- Pitto (about 11 years ago): No, no! Sorry if I was unclear... All my users' browsers are already configured correctly to point to my squid on port 3128 and they authenticate without problems. I've just found out that disabling the proxy allows users to roam free on the internet, and I want to prevent a smart user from achieving this kind of result :)
- Admin (about 11 years ago): Ah, got it. Blocking through iptables should be enough to keep users from forwarding directly: iptables -I FORWARD -i YOUR_INTERFACE -p tcp --dport 80 -j REJECT
- Pol Hallen (about 9 years ago): You have to open the 3129 port too: iptables -I INPUT -p tcp --dport 3129 -j ACCEPT
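The two designs the thread settles on, as an added example that is not code from the answer or the comments: MODE=transparent reproduces the answer (authenticated listener on 3128, intercepting listener on 3129 with port 80 redirected to it), and MODE=force-auth reproduces the alternative from the comments (no interception; port 80 is rejected in FORWARD, so a client that disables its proxy setting is blocked instead of bypassing authentication). IFACE, MODE, DRY_RUN and the run helper are assumptions; by default the script prints the commands for review instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the original answer or comments.
# Prints (or applies) the iptables rules and squid.conf listener lines for the
# two designs in the thread. IFACE, MODE and DRY_RUN are assumed env variables.
IFACE="${IFACE:-eth0}"        # LAN-facing interface
MODE="${MODE:-transparent}"   # transparent = the answer's design, force-auth = the comments' design
DRY_RUN="${DRY_RUN:-1}"       # 1 = print commands for review, 0 = run them (as root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

proxy_firewall_rules() {
    # The authenticated listener must be reachable from the LAN in both designs
    run iptables -I INPUT -i "$IFACE" -p tcp --dport 3128 -j ACCEPT
    if [ "$MODE" = transparent ]; then
        # Clients with no proxy configured are intercepted on 3129, where Squid
        # cannot authenticate them; configured clients still authenticate on 3128
        run iptables -I INPUT -i "$IFACE" -p tcp --dport 3129 -j ACCEPT
        run iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 -j REDIRECT --to-port 3129
    else
        # No interception: port 80 is not routed through this box at all, so a
        # client that disables its proxy setting is rejected rather than bypassing auth
        run iptables -I FORWARD -i "$IFACE" -p tcp --dport 80 -j REJECT
    fi
}

squid_ports_conf() {
    # Listener lines matching the chosen mode, plus the auth_param line from the question
    echo "http_port 3128"
    if [ "$MODE" = transparent ]; then echo "http_port 3129 transparent"; fi
    echo "auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd"
}

# Review the rule set first (DRY_RUN=1), then apply with DRY_RUN=0 as root;
# add the squid_ports_conf output to squid.conf and reload Squid.
proxy_firewall_rules
```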