# Squid 3.5 configuration (first paste in the thread).
# Listen on 8080 in interception mode; 'transparent' is the older spelling of 'intercept'
# (the later paste uses 'intercept'). An intercept port expects connections that a NAT
# REDIRECT rule diverted to it and asks netfilter for their original destination, so it is
# not meant to be the address browsers are given as an explicit proxy.
http_port 8080 transparent
# 100 MB on-disk cache, 16 first-level / 256 second-level directories.
# NOTE(review): path is /var/spool/squid3, while the build shown later in the thread was
# configured with --with-swapdir=/var/spool/squid — confirm the directory exists and is
# writable by the proxy user.
cache_dir ufs /var/spool/squid3 100 16 256
cache_mem 512 MB
# Freshness heuristics: minimum age, percentage of object age, maximum age (minutes).
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Cache-manager URLs in both the legacy cache_object:// and the /squid-internal-mgr/ form.
acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Only 10.0.0.0/8 is treated as the internal client network.
acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
# Ports CONNECT may tunnel to, and the destination ports clients may request at all.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Two destinations that are always fetched directly (see always_direct below).
acl fm dstdomain intranett.fm.no
acl nrk dstdomain tv.nrk.no
# Access policy, evaluated top to bottom: cache manager only from localhost, unsafe
# destination ports refused, CONNECT only to 443, then localhost and 10/8 allowed,
# everything else denied by the final rule.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
# always_direct is a separate directive; its position between http_access lines does not
# change the http_access evaluation order.
always_direct allow fm
always_direct allow nrk
http_access deny all
# NOTE(review): three http_port lines are shown together here. Port 8080 appears twice
# ('transparent' and 'intercept' are the same mode in 3.5), so as a single config this
# would bind the same port twice; presumably these are the variants tried one at a time —
# confirm against the 'cat squid.conf' output further down, which has only 9090 and
# '0.0.0.0:8080 intercept'.
http_port 8080 transparent
# Plain forward-proxy port (no NAT lookup): the port suitable for explicit proxy settings.
http_port 9090
http_port 8080 intercept
2017/11/23 09:00:48| WARNING: Forwarding loop detected for:
GET /Versions/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nb-NO,nb;q=0.9,no-NO;q=0.8,no;q=0.6,nn-NO;q=0.5,nn;q=0.4,en-US;q=0.3,en;q=0.1
Accept-Encoding: gzip, deflate
Referer: https://www.google.no/
Upgrade-Insecure-Requests: 1
Via: 1.1 fmheproxy (squid/3.5.12)
X-Forwarded-For: 10.235.1.85
Cache-Control: max-age=0
Connection: keep-alive
Host: www.squid-cache.org
1511424048.992 0 10.235.16.2 TCP_MISS/403 4413 GET http://www.squid-cache.org/Versions/ - HIER_NONE/- text/html
1511424048.992 1 10.235.1.85 TCP_MISS/403 4515 GET http://www.squid-cache.org/Versions/ - ORIGINAL_DST/10.235.16.2 text/html
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
2017/11/23 15:55:25| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=10.235.16.2:8080 remote=10.235.1.85:55099 FD 13 flags=33: (92) Protocol not available
2017/11/23 15:55:25| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=10.235.16.2:8080 remote=10.235.1.85:55099 FD 13 flags=33
And the browser is timing out.
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j ACCEPT
# Rewrite inbound TCP/8080 to local port 8081 (nat PREROUTING only sees packets arriving
# from other hosts, not connections made from this box, e.g. the 'telnet localhost' test).
# NOTE(review): the nat PREROUTING ACCEPT for dport 8080 appended on the line above matches
# first and is a terminating target, so while it is present this REDIRECT is never reached —
# confirm with 'iptables -t nat -L PREROUTING -v -n --line-numbers'.
# NOTE(review): for a client that connects to 10.235.16.2:8080 directly (explicit proxy
# setting), the original destination recorded by the kernel is still 10.235.16.2:8080, so
# Squid on 8081 would try to connect back to 10.235.16.2 — which matches the
# "Connection to 10.235.16.2 failed ... Connection refused" error below. Interception
# needs clients with no proxy configured and the REDIRECT matching their real destination
# port (80), on whichever box routes their traffic.
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 8081
# Source-NAT everything leaving this host; presumably added for routed client traffic —
# not required for the proxy's own outbound connections.
iptables -t nat -A POSTROUTING -j MASQUERADE
And then I changed the listen port of Squid to 8081. Then I was getting this error in the browser:
The following error was encountered while trying to retrieve the URL: http://www.h-a.no/
Connection to 10.235.16.2 failed.
The system returned: (111) Connection refused
root@fmheproxy:~# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@fmheproxy:~#
root@fmheproxy:~# telnet localhost 8080
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
root@fmheproxy:~#
root@fmheproxy:/etc/squid# squid3 -N -d 100
2017/11/24 01:54:19| Current Directory is /etc/squid
2017/11/24 01:54:19| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/11/24 01:54:19| Service Name: squid
2017/11/24 01:54:19| Process ID 1434
2017/11/24 01:54:19| Process Roles: master worker
2017/11/24 01:54:19| With 1024 file descriptors available
2017/11/24 01:54:19| Initializing IP Cache...
2017/11/24 01:54:19| DNS Socket created at [::], FD 8
2017/11/24 01:54:19| DNS Socket created at 0.0.0.0, FD 9
2017/11/24 01:54:19| Adding nameserver 10.235.1.23 from /etc/resolv.conf
2017/11/24 01:54:19| Logfile: opening log stdio:/var/log/squid/access.log
2017/11/24 01:54:19| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2017/11/24 01:54:19| Logfile: opening log stdio:/var/log/squid/store.log
2017/11/24 01:54:19| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2017/11/24 01:54:19| Target number of buckets: 1008
2017/11/24 01:54:19| Using 8192 Store buckets
2017/11/24 01:54:19| Max Mem size: 262144 KB
2017/11/24 01:54:19| Max Swap size: 0 KB
2017/11/24 01:54:19| Using Least Load store dir selection
2017/11/24 01:54:19| Current Directory is /etc/squid
2017/11/24 01:54:19| Finished loading MIME types and icons.
2017/11/24 01:54:19| HTCP Disabled.
2017/11/24 01:54:19| Pinger socket opened on FD 15
2017/11/24 01:54:19| Squid plugin modules loaded: 0
2017/11/24 01:54:19| Adaptation support is off.
2017/11/24 01:54:19| Accepting HTTP Socket connections at local=[::]:9090 remote=[::] FD 12 flags=9
2017/11/24 01:54:19| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:8080 remote=[::] FD 13 flags=41
2017/11/24 01:54:20| storeLateRelease: released 0 objects
2017/11/24 01:54:28| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=127.0.0.1:8080 remote=127.0.0.1:53002 FD 14 flags=33: (92) Protocol not available
2017/11/24 01:54:28| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=127.0.0.1:8080 remote=127.0.0.1:53002 FD 14 flags=33
root@fmheproxy:/etc/squid# squid -v
Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'
root@fmheproxy:/etc/squid# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.235.16.1 0.0.0.0 UG 0 0 0 ens160
10.235.16.0 0.0.0.0 255.255.255.0 U 0 0 0 ens160
root@fmheproxy:/etc/squid#
root@fmheproxy:/etc/squid# tail /var/log/squid/access.log
1511511574.852 234 ::1 TCP_MISS/301 907 GET http://www.experts-exchange.com/ - HIER_DIRECT/104.20.169.10 -
root@fmheproxy:/etc/squid# cat squid.conf
# squid.conf as printed by 'cat' (Squid 3.5.12, Ubuntu build).
# Forward-proxy port: accepts ordinary proxy requests without any NAT lookup.
http_port 9090
# Interception port: Squid asks netfilter for each connection's original destination.
# NOTE(review): the 'NF getsockopt(ORIGINAL_DST) failed ... Protocol not available' and
# 'NAT/TPROXY lookup failed' errors in the thread are logged for connections on this port
# whose destination was never rewritten by a nat REDIRECT rule (the nat table listing
# earlier in the thread is empty), i.e. clients reaching 10.235.16.2:8080 directly. The
# forwarding-loop entry 'ORIGINAL_DST/10.235.16.2' shows the same thing: the proxy's own
# address was the original destination, so the request re-entered the proxy. Presumably
# the browsers are configured with this port as an explicit proxy — point them at 9090
# instead, or leave them without proxy settings and put the REDIRECT on the gateway that
# routes their traffic.
http_port 0.0.0.0:8080 intercept
# Log locations (stdio module; matches the 'Logfile: opening log' startup lines).
cache_access_log stdio:/var/log/squid/access.log
cache_store_log stdio:/var/log/squid/store.log
# Freshness heuristics: minimum age, percentage of object age, maximum age (minutes).
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Cache-manager URLs in both the legacy cache_object:// and the /squid-internal-mgr/ form.
acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
# Only 10.0.0.0/8 is treated as the internal client network.
# NOTE(review): 'localhost' is used by http_access below but not defined in this paste;
# Squid 3.2+ predefines it, so this should work on 3.5 — confirm there is no startup warning.
acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network
# Ports CONNECT may tunnel to, and the destination ports clients may request at all.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Two destinations that are always fetched directly (see always_direct below).
acl fm dstdomain intranett.DOMAIN.no
acl nrk dstdomain tv.nrk.no
# Access policy, evaluated top to bottom: cache manager only from localhost, unsafe
# destination ports refused, CONNECT only to 443, then localhost and 10/8 allowed.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
# always_direct is a separate directive; its position between http_access lines does not
# change the http_access evaluation order.
always_direct allow fm
always_direct allow nrk
# NOTE(review): no ACL name follows 'deny' here, unlike the first paste's
# 'http_access deny all'; presumably 'all' was lost in the paste — confirm in the file,
# since the final catch-all deny is what keeps this proxy closed to other sources.
http_access deny
2017/11/23 15:55:25| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=10.235.16.2:8080 remote=10.235.1.85:55099 FD 13 flags=33: (92) Protocol not available
2017/11/23 15:55:25| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=10.235.16.2:8080 remote=10.235.1.85:55099 FD 13 flags=33
Presumably you added the iptables rule on the system where Squid is installed to allow incoming traffic on port 8080:
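# List the current filter-table rules before inserting anything.
iptables -t filter -L
# Insert an ACCEPT for inbound TCP/8080 at position 4 of INPUT.
# '--dport' takes two dashes: '-dport' is parsed as '-d port' (a destination host), not a port match.
# NOTE(review): the 'iptables -t filter -L' output earlier in the thread shows INPUT with a
# single rule (ACCEPT tcp dpt:http-alt), so an ACCEPT for 8080 already exists and position 4
# is beyond the end of that chain — adjust the index to the live listing before running.
iptables -t filter -I INPUT 4 -p tcp --dport 8080 -j ACCEPT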
The rule takes effect as soon as it is added; run iptables-save to commit it and make it permanent.
https://wiki.squid-cache.org/ConfigExamples#Interception
Make sure the Checkpoint firewall allows the system where the new version is installed out on port 80.