
I am trying to run a squid3 transparent proxy in a docker image, on my laptop. Then on the same laptop I want to use the transparent proxy. The reason for the proxy is to abstract a corporate proxy with authentication. I don't want my applications to know they are using a proxy.

I followed the instructions on http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxLocalhost

If I remove the intercept option from my squid.conf file and set the proxy manually on my system to localhost:3128, it works; the issue is setting it up transparently.

Here is my config. Please, any assistance will be appreciated.

Docker Container:

docker run --name squid-service -d --restart=always --publish 3128:3128 --volume /my/squid/config/squid.conf:/etc/squid3/squid.conf sameersbn/squid:latest

squid.conf

http_access allow all
http_port 3128 intercept

cache_peer 10.102.206.30 parent 80 0 default no-query login=username:password

never_direct allow all

ifconfig

docker0   Link encap:Ethernet  HWaddr 02:42:a2:98:fb:34  
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:a2ff:fe98:fb34/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2136 (2.1 KB)  TX bytes:1731 (1.7 KB)

enp7s0    Link encap:Ethernet  HWaddr 74:86:7a:33:bb:1e  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2422 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2422 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:201416 (201.4 KB)  TX bytes:201416 (201.4 KB)

wlp8s0    Link encap:Ethernet  HWaddr 68:17:29:ac:18:13  
          inet addr:192.168.1.6  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::6a17:29ff:feac:1813/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8626 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5398 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3197594 (3.1 MB)  TX bytes:1191028 (1.1 MB)

iptables

iptables -t nat -F  # clear table

# normal transparent proxy
iptables -t nat -A PREROUTING -p tcp -i wlp8s0 --dport 80 -j REDIRECT --to-port 3128

# handle connections on the same box (SQUIDIP is a loopback instance)
gid=`id -g proxy`
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner $gid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128

*********************************** UPDATE **********************************************

I actually got it working with this iptables config:

#!/bin/bash

# your proxy IP
SQUIDIP=127.0.0.1

# your proxy listening port
SQUIDPORT=3128


sudo iptables -t nat -A OUTPUT --match owner --uid-owner proxy -p tcp --dport 80 -j ACCEPT
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT

However, there is still an issue: once I activate my VPN or use HTTPS, it does not go through my proxy any more.

ex0b1t
  • Your computer seems to be using "wlp8s0" as the default connection (4.2 MB transferred total) instead of "docker0" (3.8 KB transferred total). – QwertyChouskie Feb 20 '16 at 23:12
  • I don't understand where the `proxy` owner comes from. I tried like your update but it's not working. – tweetysat Jun 28 '17 at 09:43

1 Answer


Have you tried with --net=host and removing the --publish flag?

Squid is probably just intercepting traffic on the $CONTAINER_IP:3128 and not 0.0.0.0:3128, although you're mapping the port with the --publish flag.

Tiago Pires
  • Hello, thanks for the advice, but the publish flag does work. I just updated the iptables config; however, I now face another issue, more related to the Squid setup. See my updated question. – ex0b1t Feb 26 '16 at 05:18
  • You've added the iptables rule to PREROUTING the data from the wlp8s0 traffic and not the VPN interface (probably vpn0). When you connect to the VPN all your traffic is going through vpn0 (you can set it to only be used for resources of its network). If you want to redirect HTTPS traffic (port 443) you need to add a new iptables rule to ACCEPT and FORWARD traffic from 443 to $SQUIDIP:3128. – Tiago Pires Feb 26 '16 at 10:39
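An added example, not code from the question or the answer: a script that generates the update's OUTPUT-chain rules in the order that avoids the redirect loop (Squid's own upstream connections must be excluded before the DNAT rule matches them) and applies them idempotently, so re-running it does not stack duplicate rules the way repeated plain `-A` does. It assumes Squid listens on 127.0.0.1:3128 and runs as the local user `proxy`, as in the update; port 443 is deliberately left out, because an `http_port ... intercept` only handles plain HTTP and TLS interception needs a separate `https_port` with ssl-bump.

```bash
#!/bin/bash
# Added example (not from the question/answer). Assumes Squid runs as the local
# user given as $3 and listens on $1:$2; the remaining arguments are the TCP
# ports to intercept. Only plain-HTTP ports belong here (see lead-in).
set -eu

# Print one iptables rule specification per line, in the order they must be
# appended: owner exclusion first, loopback bypass, then the DNAT to Squid.
squid_redirect_rules() {
    local ip=$1 port=$2 user=$3
    shift 3
    local dport
    # 1. Squid's own outbound connections (e.g. to the parent peer on port 80)
    #    bypass the redirect; without this they would loop back into Squid.
    for dport in "$@"; do
        printf -- '-t nat -A OUTPUT -p tcp --dport %s -m owner --uid-owner %s -j ACCEPT\n' "$dport" "$user"
    done
    # 2. Traffic to loopback is left alone, so a local service on an intercepted
    #    port (a dev server on 127.0.0.1:80) is not hijacked into the proxy.
    printf -- '-t nat -A OUTPUT -o lo -j RETURN\n'
    # 3. Everything else on the intercepted ports is sent to Squid.
    for dport in "$@"; do
        printf -- '-t nat -A OUTPUT -p tcp --dport %s -j DNAT --to-destination %s:%s\n' "$dport" "$ip" "$port"
    done
}

# Apply rule specs read from stdin. "-C" checks whether an identical rule already
# exists, so the script can be re-run safely instead of appending duplicates.
apply_rules() {
    local spec check
    while IFS= read -r spec; do
        check=${spec/-A OUTPUT/-C OUTPUT}
        # shellcheck disable=SC2086  # word splitting of the spec is intended
        iptables $check 2>/dev/null || iptables $spec
    done
}

# Only touch the firewall when explicitly asked and running as root.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    squid_redirect_rules 127.0.0.1 3128 proxy 80 | apply_rules
fi
```

Run it as `sudo ./redirect.sh --apply`; without `--apply` it only defines the functions, so `squid_redirect_rules 127.0.0.1 3128 proxy 80` can be sourced and inspected before anything is changed.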