Comments on: How to Setup Transparent Squid Proxy Server in Ubuntu

By: Keith

Keith — Tue, 29 Nov 2011 17:39:12 +0000

Can anyone help me, I have a very unique need for special Squid config.
I am setting up a Linux (Ubuntu) with Squid (a proxy server).
Basically we want to run 10K proxies on one linux box, only a handful would ever be in use at any one time so the throughput is not an issue.
Basically each “proxy” would be bound to the same IP but on a different port of that IP. Each port would redirect to (transparent proxy) one of our outbound IP addresses. So essentially you could change the IP address of your machine by simply changing the port of your proxy settings in your browser.
ALA
Proxy1 192.168.0.100:10000 redirects to 208.xxx.xxx.1
Proxy1 192.168.0.100:10001 redirects to 208.xxx.xxx.2
Proxy1 192.168.0.100:10002 redirects to 208.xxx.xxx.3
Proxy1 192.168.0.100:10003 redirects to 208.xxx.xxx.4
Proxy1 192.168.0.100:10004 redirects to 208.xxx.xxx.5
And so on xxx just there to hide real IP space

By: ecco

ecco — Mon, 04 Jul 2011 13:02:52 +0000

Hello. This guide get me the solution to work now with a web proxy in my network! Thank You!

By: Bipin Bahuguna

Bipin Bahuguna — Sat, 25 Jun 2011 23:25:25 +0000

Hi,

I am configuring Squid as a Reverse Proxy With caching Enable For remote apache server.

Buts Hits Are Going to Main Apache Server.
How can i enable caching For that Remote Server.

Below is the details of scenario:

proxy.com this is the server where i have configured proxy machine (10.0.0.1)

And My Apache is installed on (10.0.0.1) with site name (main.com)

But unable to caching ..

Any Help Will Be appreciate.

Thanks,
Bipin Bahuguna

By: mashuk

mashuk — Wed, 08 Jun 2011 10:10:57 +0000

Hi,

i want to setup a proxy server plz setup setup by setup command mail me.

mashuk

By: Map007

Map007 — Wed, 24 Nov 2010 03:55:25 +0000

Hi,

And i want to monitor all the logs (i.e. ftp, p2p softwares,IM etc.. ) under my squid server.

How it is possible ?

Thanks,

By: Map007

Map007 — Wed, 24 Nov 2010 03:53:46 +0000

Hi,

Authentication doesn’t work with Transparent proxy….
Is there any other way ?

Thanks,

By: Jayson D. Martinez

Jayson D. Martinez — Tue, 22 Jun 2010 05:06:07 +0000

Complete Steps in Setting up UBUNTU Server 10 with SQUID 3 as a Transparent Proxy.

Step 1. Install the Ubuntu Server 10, include LAMP if you want

Step 2. Change the network interfaces from dhcp to static

Sudo nano /etc/network/interfaces

auto eth0
iface eth0 inet static
address 192.168.1.250
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.88

post-up iptables-restore < /etc/iptables.up.rules

auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255

Step 3. Install Web Admin (webmin) (Optional)

wget http://prdownloads.sourceforge.net/webadmin/webmin_1.510-2_all.deb
dpkg --install webmin_1.510-2_all.deb
sudo apt-get -f install

https://localhost-IP ADDRES:10000

*Note Make sure you give permission to the IPTABLES ruleset to for you to access webmin over the net.

Step 4. Install ClamAV and ClamAV-freshclam

sudo apt-get install clamav clamav-freshclam

Step 5. The first step is to install squid 3

apt-get install squid3

edit the squid 3 configuration file in your favorite editor

sudo nano /etc/squid3/squid.conf

and set the transparency and the allowed hosts

http_port 3128 transparent
acl our_networks src 192.168.2.0/24
acl localnet src 127.0.0.1/255.255.255.255
http_access allow our_networks
http_access allow localnet

where 192.168.2.0/24 is the IP range of local network. Probably you need to adjust the swap size

cache_dir ufs /var/spool/squid3 7000 16 256

where the first number denotes the size of cache in megabytes. Save you changes and restart the squid proxy by

sudo /etc/init.d/squid3 restart

Step 6. Edit the /etc/sysctl.conf

Sudo nano /etc/sysctl.conf

Uncomment the line that enable packet forwarding for IPv4 and IPv6
Net.ipv4.ip_forward = 1
Net.ipv6.conf.all.forwarding = 1

Step 7. Edit the IPTABLE ruleset of NAT and FILTER

Sudo nano /etc/iptables.up.rules

*nat

-A PREROUTING –i eth1 –p tcp –m tcp --dport 80 –j DNAT --to-destination 192.168.2.1:3128
-A PREROUTING –i eth1 –p tcp –m tcp --dport 80 –j REDIRECT --to-ports 3128
-A POSTROUTING –s 192.168.2.0/24 –o eth0 –j MASQUERADE

*filter

-A INPUT –i lo –j ACCEPT
-A INPUT –m state –i eth0 –state REALATED,ESTABLISHED –j ACCEPT
-A INPUT eth1 –j ACCEPT
-A INPUT –p tcp –m tcp --dport 22 –j ACCEPT # permit ssh using putty
-A INPUT –p tcp –m tcp --dport 10000 –j ACCEPT # permit webmin access
-A INPUT –j LOG
-A INPUT –j DROP
-A FORWARD –i eth1 –j ACCEPT
-A OUTPUT –o lo –j ACCEPT
-A OUTPUT –o eth1 –j ACCEPT
-A FOWARD –o eth1 –j ACCEPT
-A FORWARD –s 192.168.2.0/24 –o eth0 –j ACCEPT
-A FORWARD –d 192.168.2.0/24 –m state --state ESTABLISHED,REALTED –I eth0 –j ACCEPT

STEP 8. Edit rc.local

Sudo nano /etc/rc.local

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 –o eth0 -j MASQUERADE

Step 9. reboot the server

Step 10. Configure the workstation for static IP Address making the LAN IP of the Ubuntu box as the gateway. Make sure that the IP Address of the work station is within the network you setup.

By: Ravi

Ravi — Tue, 01 Jun 2010 07:36:15 +0000

how to setup transpernet squid proxy server in ubuntu

By: Douglas

Douglas — Mon, 17 May 2010 02:21:39 +0000

Fixed my problems

# Squid normally listens to port 3128
http_port 3128 transparent

By: Adam

Adam — Wed, 05 May 2010 08:50:43 +0000

Hello all,
I am using squid3.0 on Ubuntu server
I am having one particular problem, if anyone here can help me with please. here it is:

I can ssh the machine on which the proxy runs, but I cannot access the backend servers(machines) via ssh.

Let’s say the proxy machine itself has the ssh 22xx
and the other three machines in the back end have each a different SSH port number example.

Proxy machine SSH 2222 works
Machine1 SSH 2223 doesn’t work
Machine2 SSH 2224 doesn’t work
Machine3 SSH 2225 doesn’t work

I mean the access is refused
Even though through my router Cisco/Linksys I have forwarded SSH requests to each of these machines

I even added the above ports as Safe_ports in my squid config but still can’t access them.

Any suggestions or ideas would be very much appreciated.

I have posted on the userssquid mailing list but nobody replied or even tried to help me with it.

Thank you all

By: TorrentialStorm

TorrentialStorm — Tue, 04 May 2010 14:53:13 +0000

All you need for transparent:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.3:3128
Remember to change the interface & IP/port.

with squid v2.7 you just need to add “transparent” to http_port.

squid.conf:
# Squid normally listens to port 3128
http_port 3128 transparent

Working on lucid.

By: KenWeiLL

KenWeiLL — Tue, 04 May 2010 06:35:37 +0000

I have 2 interfaces:
eth0 = connected to WAN (with internet connection)
eth1 = LAN (192.168.0.1)

Setting up proxy server. All windows box in LAN have proxy settings to 192.168.0.1:3128

My iptables rule to share internet connection is:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

if i want to do transparent proxy? do i have to edit that rule? or add a new rule(without touching my current iptables rule)?

By: Advanced

Advanced — Fri, 19 Feb 2010 03:44:35 +0000

Hi,
I have about three websites on one machine,
I am using a router, all my local network is behind a router, but because 3 websites on one machine I realised that it was a bit too much for the machine.

I then decided to use a proxy server on one machine, and use three other machine each will hold it’s own website, domain name, and database.

meaning serving three different websites from three different machines on the same network.

My confusion is this:
I hear that the proxy server listens on port 3128
Now let’s say I have websites A, B, C on M1, M2, M3

How can serve these three websites with the proxy server??
people can’t type http://mydomain-name.com:3128 every-time, I am sure we can configure it so people will access the website by simply typing http://www.mysite.com etc… any ideas please?

Thank you guys

By: win naing myint

win naing myint — Sun, 14 Feb 2010 03:16:23 +0000

this following command are not working in my PC. so please give me some commmand

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.1:5050
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 5050

By: Boomerang

Boomerang — Fri, 29 Jan 2010 10:09:50 +0000

Thanks for the comment Shawn, I have tried a few things since posting my query including installing a Windows Server 2003 version but I couldn’t make it work. I am very interested in getting more info from you on this subject as I have not had any replies or found a solution to my problem. Could I contact you through another way eg email direct? I will post my email up if you would like me to. I look forward to your reply. Boomer

By: Shawn

Shawn — Wed, 27 Jan 2010 21:27:01 +0000

Yes, squid can be a caching proxy for clients on a LAN, using a single NIC. We’ve used this setup for over 10 years for our 600 users, and it works very well. It authenticates to AD for each request, provides all http/https traffic to our 1Gb internet link. With more wireless devices coming online, we are looking to replace it with a transparent proxy to avoid the need for client setup, although we will lose the auth capability.

By: Boomerang

Boomerang — Thu, 17 Dec 2009 08:43:49 +0000

Can Squid be used as a cahing proxy (or similar)on a Ubuntu machine with only one Network card? In other words simply sitting in amongst all the other clients on the LAN side of the Router? If so, can some one point me to any info on this please. Ta, Boomer.

By: Peter

Peter — Thu, 10 Sep 2009 16:29:08 +0000

Thank you
# so good even I could {eventually} follow the instructions.
Pity I can’t get it to NAT all protocols and log them.

By: Baghathsingh

Baghathsingh — Sat, 11 Jul 2009 07:59:15 +0000

i want to configure the squid proxy server.
now i tried to install the squid in my server. its installed. i have made the changes but its not working properly.below i have mentioned the error message. help me

root@srv1:~# /etc/init.d/squid restart
* Restarting Squid HTTP proxy squid * Waiting… * … * … * … * … * … * … [ OK ]
2009/07/11 13:28:03| decode_addr: Invalid IP address ’80′
2009/07/11 13:28:03| squid.conf line 18: acl www_ports src 80 443
2009/07/11 13:28:03| aclParseIpData: Ignoring invalid IP acl entry: unknown first address ’80′
2009/07/11 13:28:03| decode_addr: Invalid IP address ’443′
2009/07/11 13:28:03| squid.conf line 18: acl www_ports src 80 443
2009/07/11 13:28:03| aclParseIpData: Ignoring invalid IP acl entry: unknown first address ’443′
2009/07/11 13:28:03| aclParseAclLine: WARNING: empty ACL: acl www_ports src 80 443
2009/07/11 13:28:03| aclParseIpData: WARNING: Netmask masks away part of the specified IP in ’192.168.1.2/192.168.1.253′
2009/07/11 13:28:03| parseConfigFile: squid.conf:33 unrecognized: ‘HTTP’
2009/07/11 13:28:03| aclParseIpData: WARNING: Netmask masks away part of the specified IP in ’192.168.1.2/192.168.1.253′
2009/07/11 13:28:03| parseConfigFile: squid.conf:38 unrecognized: ‘FTP’
2009/07/11 13:28:03| aclParseIpData: WARNING: Netmask masks away part of the specified IP in ’192.168.1.2/192.168.1.25′
2009/07/11 13:28:03| WARNING: ’192.168.1.0/192.168.1.253′ is a subnetwork of ’0.0.0.0/0.0.0.0′
2009/07/11 13:28:03| WARNING: because of this ’0.0.0.0/0.0.0.0′ is ignored to keep splay tree searching predictable
2009/07/11 13:28:03| WARNING: You should probably remove ’192.168.1.0/192.168.1.253′ from the ACL named ‘all’
2009/07/11 13:28:03| WARNING: ’192.168.1.0/255.255.255.0′ is a subnetwork of ’192.168.1.0/255.255.255.0′
2009/07/11 13:28:03| WARNING: because of this ’192.168.1.0/255.255.255.0′ is ignored to keep splay tree searching predictable
2009/07/11 13:28:03| WARNING: You should probably remove ’192.168.1.0/255.255.255.0′ from the ACL named ‘internal_network’
2009/07/11 13:28:03| WARNING: ’127.0.0.1′ is a subnetwork of ’127.0.0.1′
2009/07/11 13:28:03| WARNING: because of this ’127.0.0.1′ is ignored to keep splay tree searching predictable
2009/07/11 13:28:03| WARNING: You should probably remove ’127.0.0.1′ from the ACL named ‘localhost’
[ OK ]

By: achulxp

achulxp — Sat, 07 Mar 2009 00:35:33 +0000

to-->>>@iniabasi

if.you.really.use.squid.version.2,6.x.above
try.this one…add.-------->>”transparent” beside your http_port
##########################################
# Squid normally listens to port 3128
http_port 3128 transparent
##########################################

and.dont.use.this.script
##########################################
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
##########################################

coz.i.knew.that.work.only.on.squid.ver.2.5.x.x