The only internet connection I have is through mobile data, although I have set unlimited cache use in the browsers to optimize bandwidth and avoid downloading the CSS and JS files again, maybe because of the expiration time the sites have defined. I would like to install Squid and browse through it so that I can increase the cache and optimize my data connection. I have searched the net and seen very good reviews of this, but I am not sure that it is a good idea or that it is really worth it. Please, I need an opinion, if someone has already done something similar.
I have trouble starting a newly installed Squid (Squid 3.5.27 on Ubuntu Server, kernel 4.13.0-36-generic). I keep getting:
$ squid
WARNING: Cannot write log file: /var/log/squid/cache.log
/var/log/squid/cache.log: Permission denied
messages will be sent to 'stderr'.
I have altered the permissions as follows (as per comments):
$ sudo chmod 644 /var/log/squid/cache.log
$ namei -l /var/log/squid/cache.log
f: /var/log/squid/cache.log
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxrwxr-x root syslog log
drwxr-xr-x proxy proxy squid
-rw-r--r-- 755 proxy cache.log
Is the user proxy right? I have seen the user squid referred to in some posts, but in the server's /etc/passwd only the user proxy is shown. After the changes, running Squid with debug options:
$ squid -NCd1
WARNING: Cannot write log file: /var/log/squid/cache.log
/var/log/squid/cache.log: Permission denied
messages will be sent to 'stderr'.
2018/03/14 13:55:57| Set Current Directory to /var/cache/squid
WARNING: Cannot write log file: /var/log/squid/cache.log
/var/log/squid/cache.log: Permission denied
messages will be sent to 'stderr'.
2018/03/14 13:55:57| WARNING: Closing open FD 2
2018/03/14 13:55:57| Starting Squid Cache version 3.5.27 for x86_64-pc-linux-gnu...
2018/03/14 13:55:57| Service Name: squid
2018/03/14 13:55:57| Process ID 4200
2018/03/14 13:55:57| Process Roles: master worker
2018/03/14 13:55:57| With 1024 file descriptors available
2018/03/14 13:55:57| Initializing IP Cache...
2018/03/14 13:55:57| DNS Socket created at [::], FD 8
2018/03/14 13:55:57| DNS Socket created at 0.0.0.0, FD 9
2018/03/14 13:55:57| Adding nameserver 127.0.0.53 from /etc/resolv.conf
2018/03/14 13:55:57| Adding domain WORKGROUP from /etc/resolv.conf
2018/03/14 13:55:57| Logfile: opening log daemon:/var/log/squid/access.log
2018/03/14 13:55:57| Logfile Daemon: opening log /var/log/squid/access.log
2018/03/14 13:55:57| WARNING: no_suid: setuid(0): (1) Operation not permitted
2018/03/14 13:55:57| Store logging disabled
2018/03/14 13:55:57| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2018/03/14 13:55:57| Target number of buckets: 1008
2018/03/14 13:55:57| Using 8192 Store buckets
2018/03/14 13:55:57| Max Mem size: 262144 KB
2018/03/14 13:55:57| Max Swap size: 0 KB
2018/03/14 13:55:57| Using Least Load store dir selection
2018/03/14 13:55:57| Set Current Directory to /var/cache/squid
2018/03/14 13:55:57| Finished loading MIME types and icons.
2018/03/14 13:55:57| HTCP Disabled.
fopen: Permission denied
2018/03/14 13:55:57| WARNING: no_suid: setuid(0): (1) Operation not permitted
2018/03/14 13:55:57| Pinger socket opened on FD 16
2018/03/14 13:55:57| /var/run/squid.pid: (13) Permission denied
2018/03/14 13:55:57| Closing HTTP port [::]:3128
2018/03/14 13:55:57| Closing HTTPS port [::]:3130
FATAL: Could not write pid file
Squid Cache (Version 3.5.27): Terminated abnormally.
CPU Usage: 0.034 seconds = 0.022 user + 0.011 sys
Maximum Resident Size: 76608 KB
Page faults with physical i/o: 0
2018/03/14 13:55:57| pinger: Initialising ICMP pinger ...
2018/03/14 13:55:57| icmp_sock: (1) Operation not permitted
2018/03/14 13:55:57| pinger: Unable to start ICMP pinger.
2018/03/14 13:55:57| icmp_sock: (1) Operation not permitted
2018/03/14 13:55:57| pinger: Unable to start ICMPv6 pinger.
2018/03/14 13:55:57| FATAL: pinger: Unable to open any ICMP sockets.
Aborted (core dumped)
Using the proxy user for debugging (per comments), I get:
$ sudo -u proxy squid -NCd1
2018/03/14 16:00:50| Set Current Directory to /var/cache/squid
2018/03/14 16:00:50| Starting Squid Cache version 3.5.27 for x86_64-pc-linux-gnu...
2018/03/14 16:00:50| Service Name: squid
2018/03/14 16:00:50| Process ID 4468
2018/03/14 16:00:50| Process Roles: master worker
2018/03/14 16:00:50| With 1024 file descriptors available
2018/03/14 16:00:50| Initializing IP Cache...
2018/03/14 16:00:50| DNS Socket created at [::], FD 9
2018/03/14 16:00:50| DNS Socket created at 0.0.0.0, FD 10
2018/03/14 16:00:50| Adding nameserver 127.0.0.53 from /etc/resolv.conf
2018/03/14 16:00:50| Adding domain WORKGROUP from /etc/resolv.conf
2018/03/14 16:00:50| Logfile: opening log daemon:/var/log/squid/access.log
2018/03/14 16:00:50| Logfile Daemon: opening log /var/log/squid/access.log
2018/03/14 16:00:50| WARNING: no_suid: setuid(0): (1) Operation not permitted
2018/03/14 16:00:50| Store logging disabled
2018/03/14 16:00:50| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2018/03/14 16:00:50| Target number of buckets: 1008
2018/03/14 16:00:50| Using 8192 Store buckets
2018/03/14 16:00:50| Max Mem size: 262144 KB
2018/03/14 16:00:50| Max Swap size: 0 KB
2018/03/14 16:00:50| Using Least Load store dir selection
2018/03/14 16:00:50| Set Current Directory to /var/cache/squid
2018/03/14 16:00:50| Finished loading MIME types and icons.
2018/03/14 16:00:50| HTCP Disabled.
2018/03/14 16:00:50| WARNING: no_suid: setuid(0): (1) Operation not permitted
2018/03/14 16:00:50| Pinger socket opened on FD 17
2018/03/14 16:00:50| /var/run/squid.pid: (13) Permission denied
2018/03/14 16:00:50| Closing HTTP port [::]:3128
2018/03/14 16:00:50| Closing HTTPS port [::]:3130
FATAL: Could not write pid file
Aborted
Adding a squid.pid owned by proxy (chown proxy) gives me a running Squid:
$ sudo -u proxy squid -NCd1
2018/03/14 16:10:54| Set Current Directory to /var/cache/squid
2018/03/14 16:10:54| Starting Squid Cache version 3.5.27 for x86_64-pc-linux-gnu...
2018/03/14 16:10:54| Service Name: squid
2018/03/14 16:10:54| Process ID 4520
2018/03/14 16:10:54| Process Roles: master worker
2018/03/14 16:10:54| With 1024 file descriptors available
2018/03/14 16:10:54| Initializing IP Cache...
2018/03/14 16:10:54| DNS Socket created at [::], FD 9
2018/03/14 16:10:54| DNS Socket created at 0.0.0.0, FD 10
2018/03/14 16:10:54| Adding nameserver 127.0.0.53 from /etc/resolv.conf
2018/03/14 16:10:54| Adding domain WORKGROUP from /etc/resolv.conf
2018/03/14 16:10:54| Logfile: opening log daemon:/var/log/squid/access.log
2018/03/14 16:10:54| Logfile Daemon: opening log /var/log/squid/access.log
2018/03/14 16:10:54| WARNING: no_suid: setuid(0): (1) Operation not permitted
2018/03/14 16:10:54| Store logging disabled
2018/03/14 16:10:54| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2018/03/14 16:10:54| Target number of buckets: 1008
2018/03/14 16:10:54| Using 8192 Store buckets
2018/03/14 16:10:54| Max Mem size: 262144 KB
2018/03/14 16:10:54| Max Swap size: 0 KB
2018/03/14 16:10:54| Using Least Load store dir selection
2018/03/14 16:10:54| Set Current Directory to /var/cache/squid
2018/03/14 16:10:54| Finished loading MIME types and icons.
2018/03/14 16:10:54| HTCP Disabled.
2018/03/14 16:10:54| WARNING: no_suid: setuid(0): (1) Operation not permitted
2018/03/14 16:10:54| Pinger socket opened on FD 17
2018/03/14 16:10:54| Squid plugin modules loaded: 0
2018/03/14 16:10:54| Adaptation support is off.
2018/03/14 16:10:54| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 14 flags=9
2018/03/14 16:10:54| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3130 remote=[::] FD 15 flags=41
2018/03/14 16:10:55| storeLateRelease: released 0 objects
Edited per comments.
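The namei check in the post can be turned into a small preflight script. The following is an added example, not code from the original post or from the Squid project; it assumes the Ubuntu package's default paths (/var/log/squid, /var/cache/squid, /var/run/squid.pid) and the proxy user, both taken from the log above, and its demo part runs on a constructed temporary tree so it needs neither Squid nor root.

```shell
#!/bin/sh
# Added example, not from the original post: a preflight check for the paths
# the Ubuntu Squid package expects its unprivileged worker (user "proxy",
# cache_effective_user) to own. Paths and user are assumptions taken from
# the startup log in the post; adjust them to cache_dir, access_log,
# cache_log and pid_filename in your squid.conf.
#
# Usage: squid_path_check USER PATH [PATH...]
# Prints one line per path (OK / MISSING / OWNER=<who>) and returns 1 if any
# path is missing or not owned by USER. Ownership is read with stat(1), which
# works without root; the check does not evaluate ACLs or group write bits.

file_owner() {
    # GNU stat first, BSD stat as a fallback
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1" 2>/dev/null
}

squid_path_check() {
    want="$1"; shift
    rc=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            printf 'MISSING   %s\n' "$p"
            rc=1
            continue
        fi
        have=$(file_owner "$p")
        if [ "$have" = "$want" ]; then
            printf 'OK        %s\n' "$p"
        else
            printf 'OWNER=%-4s %s (want %s)\n' "$have" "$p" "$want"
            rc=1
        fi
    done
    return $rc
}

# The paths from the post, for the case of running Squid directly as the
# proxy user (sudo -u proxy squid ...). When Squid is started as root by the
# package's service it writes the pid file itself before dropping privileges,
# so a root-owned /var/run/squid.pid is normal in that case.
squid_default_check() {
    squid_path_check proxy \
        /var/log/squid \
        /var/cache/squid \
        /var/run/squid.pid
}

# Self-contained demo on a constructed temp tree (no Squid needed).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/log" "$tmp/cache"
    me=$(id -un)
    # squid.pid is deliberately absent, so this reports one MISSING line
    if squid_path_check "$me" "$tmp/log" "$tmp/cache" "$tmp/squid.pid"; then
        echo "all paths OK"
    else
        echo "problems found"
    fi
    rm -rf "$tmp"
}

demo
```

Both permission errors in the first run above come from one cause: Squid was started by an ordinary user that is neither root nor proxy, so it can neither write cache.log nor, as the no_suid warnings show, switch users. The second run as proxy then fails only on /var/run/squid.pid, which is root-owned by default. Giving proxy ownership of squid.pid, as the post did, works for the sudo -u proxy case; starting Squid as root through the service manager, which creates the pid file and then drops to cache_effective_user, is the usual arrangement and needs no such change.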
tsocks uses the LD_PRELOAD environment variable to inject itself into other applications. I can only access the internet via an HTTPS proxy, but tsocks only supports SOCKS proxies. So is there any alternative that supports an HTTPS proxy, like Proxifier for Windows?
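As an added example, not from the original post and not part of tsocks or any other tool: the exchange an HTTPS proxy expects, which is what any tsocks replacement has to perform on the client's behalf. An HTTPS proxy is an HTTP proxy reached over TLS; the client sends CONNECT host:port and, on a 2xx reply, the proxy becomes a raw byte pipe to that host. Proxy and destination names below are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the HTTP CONNECT exchange used
# by HTTP and HTTPS proxies. A SOCKS-only shim such as tsocks cannot speak
# it, so an alternative has to build this request, check the reply status,
# and only then hand the socket to the application. Hosts and ports are
# placeholders.

# Build the request a client sends once it is connected to the proxy.
# (Add a Proxy-Authorization header here if the proxy requires one.)
connect_request() {
    host="$1"; port="$2"
    printf 'CONNECT %s:%s HTTP/1.1\r\nHost: %s:%s\r\n\r\n' \
        "$host" "$port" "$host" "$port"
}

# Extract the three-digit status code from the proxy's reply (status line).
connect_status() {
    printf '%s' "$1" | head -n 1 | tr -d '\r' | cut -d' ' -f2
}

# Return 0 when the reply means the tunnel is established (any 2xx).
# 407 means the proxy wants credentials; 403 means the destination is
# blocked by the proxy's policy; anything else is a failed tunnel.
connect_ok() {
    case "$(connect_status "$1")" in
        2[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Drive a real tunnel with openssl s_client: TLS to the proxy, then CONNECT.
# Usage: https_connect_tunnel PROXY_HOST PROXY_PORT DEST_HOST DEST_PORT
# Whatever arrives on the function's stdin after the request is relayed to
# the destination; not run here because it needs a network and a proxy.
https_connect_tunnel() {
    { connect_request "$3" "$4"; cat; } |
        openssl s_client -quiet -connect "$1:$2" 2>/dev/null
}
```

The status check is the part that matters for security: a proxy that answers anything other than 2xx has not opened the tunnel, and sending application data (for example a TLS ClientHello) regardless would deliver it to the proxy's error page handler rather than to the intended host. Tools that already do this for a single command include corkscrew (HTTP proxies) and proxytunnel (also HTTPS proxies).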
I have an Ubuntu (10.04) machine that runs my firewall, DHCP and DNS. I just installed Squid from packages and set it to run on port 8888. Before any changes to my firewall the web pages work normally, and if I manually set a proxy of 192.168.10.1:8888 in Firefox it works. The issue happens when I try to turn Squid into a transparent proxy.
My firewall is as follows:
#!/bin/sh
iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
depmod="/sbin/depmod"
EXTIF="eth1"
INTIF="eth2"
load () {
$depmod -a
$modprobe ip_tables
$modprobe ip_conntrack
$modprobe ip_conntrack_ftp
$modprobe ip_conntrack_irc
$modprobe iptable_nat
$modprobe ip_nat_ftp
$modprobe ip_conntrack_pptp
$modprobe ip_nat_pptp
echo "enable forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "enable dynamic addr"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# start firewall
#default policies
$iptables -P INPUT DROP
$iptables -F INPUT
$iptables -P OUTPUT DROP
$iptables -F OUTPUT
$iptables -P FORWARD DROP
$iptables -F FORWARD
$iptables -t nat -F
echo " opening loopback interface for socket based services."
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
echo " allow GRE 47 for VPN"
$iptables -A INPUT -p 47 -j ACCEPT
echo " allow all connections OUT and ONLY existing related ones IN"
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o $EXTIF -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
echo " enabling SNAT (MASQUERADE) functionality on $EXTIF - allow LAN internet access"
$iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A OUTPUT -o $INTIF -j ACCEPT
echo " Allowing packets with ICMP data (pings)"
$iptables -A INPUT -p icmp -j ACCEPT
$iptables -A OUTPUT -p icmp -j ACCEPT
$iptables -A INPUT -p udp -i $INTIF --dport 67 -m state --state NEW -j ACCEPT
echo " port 137 for netBios"
$iptables -A INPUT -i $INTIF -p udp --dport 137 -j ACCEPT
$iptables -A OUTPUT -o $INTIF -p udp --dport 137 -j ACCEPT
#echo " port 139 for netBios-ssn smb"
#$iptables -A INPUT -i $INTIF -p tcp --dport 139 -j ACCEPT
#$iptables -A OUTPUT -o $INTIF -p tcp --dport 139 -j ACCEPT
echo " opening port 53 for DNS queries"
$iptables -A INPUT -p udp -i $EXTIF --sport 53 -j ACCEPT
echo " opening port 22 for internal ssh"
$iptables -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT
echo " opening port 80 for webserver"
$iptables -A INPUT -p tcp -i $EXTIF --dport 80 -m state --state NEW -j ACCEPT
echo " opening port 21 for FTP Server"
$iptables -A INPUT -p tcp -i $EXTIF --dport 21 -m state --state NEW -j ACCEPT
echo " opening ssh for web on port 2609 for firewig"
$iptables -A INPUT -p tcp --dport 2609 -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 2609 -j ACCEPT
echo " opening ssh for web on port 22 for WS2008-CI"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 22 -j DNAT --to 192.168.10.97
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.97 -j ACCEPT
echo " opening ssh for web on port 2302 for firewig 2302"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 2302 -j DNAT --to 192.168.10.96:2302
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 2302 -j ACCEPT
echo " opening Apache webserver for HoH"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.10.96:80
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 80 -j ACCEPT
#echo " opening Hudson"
#$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 81 -j DNAT --to 192.168.10.97:81
#$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.97 --dport 81 -j ACCEPT
echo " opening Target Process"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 90 -j DNAT --to 192.168.10.98:90
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.98 --dport 90 -j ACCEPT
#echo " This is designed to stop brute force attacks"
# Note: inserted at the top of INPUT, this ACCEPTs up to 6 NEW TCP connections per minute
# (burst 5) on any interface and any port; connections above the limit simply fall
# through to the rules below. It does not by itself drop anything.
$iptables -I INPUT -p TCP -m state --state NEW -m limit --limit 6/minute --limit-burst 5 -j ACCEPT
#echo " setting up squid proxy server"
#$iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to 192.168.10.1:8888
#$iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j REDIRECT --to-port 8888
#$iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to 192.168.10.1:8888
#$iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j REDIRECT --to-port 8888
#echo " Diverting port 80 traffic through Squid."
#$iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 8888
# NOTE THE THREE LINES BELOW ALLOW ACCESS FOR THE VPN CONNECTION...Ry.
$iptables -A INPUT -i $EXTIF -p TCP --dport 1723 -j ACCEPT
$iptables -A INPUT -i ppp+ -j ACCEPT
$iptables -A FORWARD -i ppp+ -o $INTIF -j ACCEPT
$iptables -A FORWARD -i $INTIF -o ppp+ -j ACCEPT
$iptables -A OUTPUT -o ppp+ -j ACCEPT
# ICMP for vpn
$iptables -A INPUT -i ppp+ -p icmp -j ACCEPT
$iptables -A OUTPUT -o ppp+ -p icmp -j ACCEPT
# DNS for vpn
$iptables -A INPUT -i ppp+ -p tcp --dport 0:65535 --sport 53 -j ACCEPT
$iptables -A OUTPUT -o ppp+ -p tcp --sport 0:65535 --dport 53 -j ACCEPT
$iptables -A INPUT -i ppp+ -p udp --dport 0:65535 --sport 53 -j ACCEPT
$iptables -A OUTPUT -o ppp+ -p udp --sport 0:65535 --dport 53 -j ACCEPT
# forward vpn--->internet
$iptables -A FORWARD -i ppp+ -o $EXTIF -p ALL -j ACCEPT
$iptables -A FORWARD -i $EXTIF -o ppp+ -p ALL -j ACCEPT
#$iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
#$iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
#$iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
}
flush() {
echo "flushing rules...."
# Reset every policy to ACCEPT and empty every chain, including the nat table,
# so that "stop" really disables the firewall (otherwise the OUTPUT policy
# stays at DROP and the DNAT/MASQUERADE rules remain in place).
$iptables -P INPUT ACCEPT
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD ACCEPT
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -F FORWARD
$iptables -t nat -F
}
case "$1" in
start|restart)
flush
load
;;
stop)
flush
;;
*)
echo "usage: start|stop|restart."
;;
esac
If I uncomment the Squid PREROUTING lines, the internet stops working.
I am not sure what I have missed. Do you think it could be a Squid config thing?
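The following is an added example, not the original poster's script and not code from the Squid or netfilter projects: the rule set a transparent-proxy setup needs on a firewall laid out like the one above. The interface names (eth1 external, eth2 internal), the proxy address 192.168.10.1 and port 8888 are taken from the question; everything else is assumed. By default the function prints the iptables commands instead of running them, so the rules can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original post: iptables rules that make Squid a
# transparent (intercepting) proxy for LAN clients only. Interface names and
# the port are placeholders matching the question (EXTIF=eth1, INTIF=eth2,
# Squid on the firewall itself at port 8888).
#
# The REDIRECT alone is not enough. Squid must be told that the port carries
# intercepted traffic, otherwise it receives origin-form requests ("GET /path")
# on a port configured for explicit proxying, treats them as malformed and
# returns an error page:
#   http_port 8888 transparent   # Squid 2.7 (the "squid" package on 10.04)
#   http_port 8888 intercept     # Squid 3.1 and later
#
# DRYRUN=1 (default) prints the commands; DRYRUN=0 executes them.

: "${DRYRUN:=1}"
iptables="/sbin/iptables"

run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# squid_intercept_rules INTIF EXTIF PROXY_PORT
squid_intercept_rules() {
    intif="$1"; extif="$2"; port="$3"

    # 1. Redirect LAN clients' port-80 traffic to the local Squid listener.
    #    Only on INTIF: a REDIRECT on EXTIF would compete with the DNAT rules
    #    that publish the internal web server on port 80 (first match in
    #    PREROUTING wins) and, where it matched, would turn Squid into an
    #    internet-facing open proxy.
    run $iptables -t nat -A PREROUTING -i "$intif" -p tcp --dport 80 \
        -j REDIRECT --to-port "$port"

    # 2. Accept the redirected connections on the proxy port from the LAN only.
    #    With an INPUT policy of DROP this rule is what lets them reach Squid;
    #    a blanket "-i INTIF -j ACCEPT" also covers it, but an explicit rule
    #    survives tightening that one later.
    run $iptables -A INPUT -i "$intif" -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT

    # 3. Refuse the proxy port on the external interface explicitly, so the
    #    intent is visible in the rule set rather than implied by the policy.
    run $iptables -A INPUT -i "$extif" -p tcp --dport "$port" -j DROP

    # Squid's own outbound fetches originate locally (OUTPUT chain), so they
    # never traverse PREROUTING and are not looped back into the proxy.
}

# Remove the same three rules (for example from a flush() function).
squid_intercept_rules_remove() {
    intif="$1"; extif="$2"; port="$3"
    run $iptables -t nat -D PREROUTING -i "$intif" -p tcp --dport 80 \
        -j REDIRECT --to-port "$port"
    run $iptables -D INPUT -i "$intif" -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT
    run $iptables -D INPUT -i "$extif" -p tcp --dport "$port" -j DROP
}

squid_intercept_rules "${INTIF:-eth2}" "${EXTIF:-eth1}" "${PROXY_PORT:-8888}"
```

The commented-out block in the script above mixes three variants: a DNAT to 192.168.10.1:8888, a REDIRECT on $INTIF, and a REDIRECT on $EXTIF. Only the $INTIF REDIRECT is wanted; the $EXTIF one competes with the existing DNAT rules for port 80 and exposes the proxy to the internet. Whichever rule is used, Squid must be listening in transparent/intercept mode on 8888, or intercepted clients get an error page for every site even though the manually configured proxy works, which matches the symptom described.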