🔗 Linux traffic Interception with Squid and the Browser on the same box
- by Joshua N Pritikin
🔗 Outline
To intercept web requests transparently, without any kind of client configuration, when the web traffic is generated by the same machine Squid is running on.
NP: for most non-Windows boxes setting the http_proxy environment variable (http_proxy="http://SQUIDIP:3128/") is a preferred alternative to the below interception.
NP: other users have reported setting outgoing TOS and filtering on it instead of process gid to also be effective.
🔗 iptables configuration
- Replace SQUIDIP with the public IP(s) which Squid may use for its listening port and outbound connections. Repeat each iptables line once per Squid outbound IP.
iptables -t nat -F # clear the whole nat table (removes any existing NAT rules)
# normal transparent proxy: traffic arriving on eth0 from other machines
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 3127
# handle connections on the same box (SQUIDIP is a loopback instance)
gid=$(id -g proxy)
# exempt Squid's own outbound requests (group "proxy"); must come before the DNAT rule
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner "$gid" -j ACCEPT
# send every other locally generated port-80 connection to Squid
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination SQUIDIP:3127
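Rule order in the OUTPUT chain matters: the gid-owner ACCEPT has to match before the DNAT rule, or Squid's own outbound requests are redirected back into its intercept port. The check below is an added example, not part of the original wiki page; `check_nat_output` is a hypothetical helper name, and gid 13 and 192.0.2.10 are constructed sample values standing in for `id -g proxy` and SQUIDIP.

```shell
#!/bin/sh
# Added example: verify rule order in the nat OUTPUT chain.
# stdin: rules in `iptables -t nat -S OUTPUT` format.
# $1:    numeric gid Squid runs as (the page uses `id -g proxy`).
# Returns 0 if the gid-owner ACCEPT precedes the port-80 DNAT,
#         1 if the exemption is missing or placed after the DNAT,
#         2 if there is no port-80 DNAT rule at all.
check_nat_output() {
    awk -v gid="$1" '
        /^-A OUTPUT / && / --dport 80 / {
            # first ACCEPT that exempts the given gid
            if ($0 ~ (" --gid-owner " gid " ") && / -j ACCEPT/ && !accept) accept = NR
            # first DNAT rule for port 80
            if (/ -j DNAT / && !dnat) dnat = NR
        }
        END {
            if (!dnat) exit 2
            if (!accept || accept > dnat) exit 1
            exit 0
        }'
}

# Constructed sample listings (not captured from a real system).
GOOD_RULES='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --gid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3127'
BAD_RULES='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3127
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --gid-owner 13 -j ACCEPT'

printf '%s\n' "$GOOD_RULES" | check_nat_output 13 && echo "good order: ok"
printf '%s\n' "$BAD_RULES"  | check_nat_output 13 || echo "bad order: rc=$?"

# On a live box (as root):
#   iptables -t nat -S OUTPUT | check_nat_output "$(id -g proxy)"
```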
🔗 Squid Configuration File
You will need to tell Squid that the traffic arriving on this port is being intercepted, like so:
http_port 3127 transparent
- In Squid 3.1+ the transparent option has been split. Use 'intercept' to catch DNAT packets.
http_port 3127 intercept
⚠️ Disclaimer: Any example presented here is provided "as-is" with no support
or guarantee of suitability. If you have any further questions about
these examples please email the squid-users mailing list.