[Need help with] squid setup

Trying to run squid on OpenWrt as a transparent proxy, to share an upstream proxy server at 192.168.0.189 port 8080 with all clients that join the OpenWrt wireless network.

Squid seems to be running on OpenWrt, port 3218, with the config below. But currently internet traffic still seems to go through the gateway router at 192.68.0.1 instead of through the upstream proxy.

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/24	# RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
visible_hostname SquidBox
hierarchy_stoplist cgi-bin ?
cache_mem 8 MB
maximum_object_size_in_memory 8 KB
cache_dir ufs /tmp/cache 15000 16 512
maximum_object_size 32 MB
access_log /tmp/cache/access.log squid
#access_log none
cache_log /tmp/cache/cache.log
cache_store_log /tmp/cache/store.log
pid_filename /tmp/cache/squid.pid
netdb_filename /tmp/cache/netdb.state
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
#acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
#upgrade_http0.9 deny shoutcast
#acl apache rep_header Server ^Apache
#broken_vary_encoding allow apache
#dns_nameservers 127.0.0.1
coredump_dir /tmp/cache


cache_peer 192.168.0.189 parent 8080 0 default no-query
cache_peer_domain 192.168.0.189 !.192.168.1.1
never_direct deny local-servers
never_direct allow all

Firewall


config redirect
        option name 'Allow-transparent-Squid'
        option enabled '1'
        option proto 'tcp'
        option target 'DNAT'
        option src 'lan'
        option src_ip '!192.168.1.1'
        option src_dip '!192.168.1.1'
        option src_dport '80'
        option dest 'lan'
        option dest_ip '192.168.1.1'
        option dest_port '3128'
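One way to check from the router itself whether requests actually leave via the parent at 192.168.0.189, rather than relying on a geo-IP website, is to read the hierarchy field of /tmp/cache/access.log. The script below is an added example, not from this thread or the OpenWrt wiki; it assumes Squid's default "squid" logformat and runs over constructed sample lines.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's default "squid" log format:
# time elapsed client action/status bytes method URL user hierarchy/peer type
# 192.168.0.189 is the upstream parent from the posted cache_peer line.
SAMPLE_ACCESS_LOG = """\
1700000000.101    245 192.168.1.50 TCP_MISS/200 5120 GET http://example.com/ - DEFAULT_PARENT/192.168.0.189 text/html
1700000001.202     12 192.168.1.50 TCP_MEM_HIT/200 3301 GET http://example.com/logo.png - HIER_NONE/- image/png
1700000002.303    388 192.168.1.51 TCP_MISS/200 9001 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
1700000003.404    190 192.168.1.52 TCP_TUNNEL/200 4096 CONNECT example.net:443 - DEFAULT_PARENT/192.168.0.189 -
"""

UPSTREAM_PEER = "192.168.0.189"  # the parent from the posted squid.conf

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_access_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def audit_forwarding(text, peer=UPSTREAM_PEER):
    """Count hierarchy codes and list requests that bypassed the parent.

    HIER_DIRECT means never_direct did not apply and Squid went out via the
    default route (the gateway, in the thread's setup). HIER_NONE is a cache
    hit that never left the box, so it is neither a forward nor a bypass.
    """
    counts = Counter()
    bypassed = []
    for rec in parse_access_log(text):
        counts[rec["hier"]] += 1
        if rec["hier"] == "HIER_DIRECT":
            bypassed.append((rec["client"], rec["method"], rec["url"]))
        elif rec["hier"].endswith("_PARENT") and rec["peer"] != peer:
            bypassed.append((rec["client"], rec["method"], rec["url"]))
    return counts, bypassed


if __name__ == "__main__":
    counts, bypassed = audit_forwarding(SAMPLE_ACCESS_LOG)
    print(dict(counts))
    for client, method, url in bypassed:
        print(f"bypassed parent: {client} {method} {url}")
```

Requests that never appear in the log at all (client HTTPS on 443 with only the port 80 redirect above) were never intercepted in the first place, which is a different problem from Squid going direct.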

Almost all of today's web traffic is HTTPS, so I would start by intercepting all 443 traffic.
Maybe blocking the QUIC protocol (UDP 443) is also required.
Not sure how you want to use the upstream proxy server; apparently you are using NAT now.

Squid can't do transparent HTTPS proxying without having all the clients import a self-signed SSL cert, so I'd say that's a no-go.

There is this doc page with its outdated concept, https://openwrt.org/docs/guide-user/services/proxy/proxy.squid, which has not really aged well, as it clearly is from a pre-HTTPS era.

My impression is that people are still finding it and trying to implement it, and will once in a while post about its issues, as it does not work for them (for obvious HTTPS reasons). The posted config of the thread author clearly comes from this doc page.
There are several similar unsolved older threads in the forum from past years when searching the forum for "transparent proxy" or "squid".

Maybe it would be a good idea to either fully drop that doc page or at least remove its now-wrong promise that it will lead to a transparent web proxy (which it won't anymore, as today's HTTPS era is not covered by it).

Please, explain exactly how you tested this, and the results of those tests.

The upstream proxy has a VPN into another country. Used for watching TV from devices I can configure to use the proxy on 8080, like an iPad.

I’d like to create a wifi network routed through this upstream vpn/proxy so that devices like TVs that don’t have a proxy network setting option can just connect to it like a regular wifi network.

If I connect an iPad to the upstream proxy on port 8080, I can verify it works using whatismyipaddress, which shows me accessing the internet from the VPN location.

Accessing via OpenWrt still shows the location in my home country.

I have added a port forward for 443, still no change.

As was mentioned before, you can't just proxy an SSL/TLS connection, which is designed for privacy/security.
Your best bet is either to configure each device to use the upstream server or to create a VPN on your secondary OpenWrt and use policy-based routing.
This setup of yours is using NAT to share the internet connection; this is never going to automagically intercept your traffic for the upstream proxy.

Thanks for your advice.

Squid does what I need on the upstream proxy. All traffic sent to it at 8080 is routed over the VPN and devices work as if they are in the remote country.

What is the squid instance on OpenWrt doing if it's not doing that, and why can't it do what squid does running on a server?