Squid Transparent Proxy with port 80 redirection: blank page for some sites

portredirectionsquid

I have a squid transparent proxy that's working great.

To save time on client configurations I've decided to redirect port 80 to 3128 so I can configure for all clients the new proxy just changing gateway in dhcp server.
It went well, I've used this rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Now I can surf the internet from clients without problems but it seems I can't open some websites, like gmail.

It loads for ages and then I get a blank page.

If I set manually proxy values in the browser it works without problems.
Using port redirection work for some sites but won't work for others…

What's wrong?

edit:

Reading here and there I see that is a common problem solved in various (and difficult) ways like this: http://www.rahulpahade.com/content/squid-transparent-proxy-over-ssl-https

I'd need simple commands so let https traffic go straight to the internet…
How can I achieve this?

Best Answer

What about packets that leave your LAN through other ports? Are you dropping them?

If yes, I believe you also need to redirect the packets that go through port 443 (https) to the proxy or accept them before you drop the rest.

Also redirect https to the proxy: iptables -t nat -A PREROUTING -i eth0 -p tcp --dports 80,443 -j REDIRECT --to-port 3128

HTTPs going straight to the internet: Before your redirect rule, add this: -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j [RETURN or ACCEPT (choosing between return and accept will depend on the rest of your firewall)].

In case you've done that already, try to check the squid logs to see what they say.

Finally, it'd be of great help if you post your all your rules here.

Related Solutions

Iptables – Transparent Proxy with Squid / iptables

If I understand you correctly, what you want to do isn't going to be handled simply by configuring iptables. The REDIR target can only be used to target processes running on the local system. I believe attempting to use a DNAT target to forward the to the remote squid box would remove some of the information the remote squid box needs to properly handle the request

If you allow me to guess a bit. I think you are trying to leave the default gateway as 192.168.1.1 on your host and then send your port 80 traffic across the vpn right?

The remote squid needs some configuration so that it can actually act as a transparent proxy. If you can setup the correct iptables redirection on the squid host, and the remote host is in the network path, then it is possible to do use some advanced routing to forward all port 80 requests across the vpn.

P.S. If I am understanding your needs correctly add a comment, I can update my answer with more details about how to setup routing.

Firewall – How to configure PFSense firewall with external transparent Squid proxy

SO in PF you have to do the following:

int_if="fxp0"
ext_if="em0"

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

Be sure that your SQUID has the transparent module when you compiled it, or the package is transparent enabled you are using.

Best Answer

Related Solutions

Iptables – Transparent Proxy with Squid / iptables

Firewall – How to configure PFSense firewall with external transparent Squid proxy

Related Topic