
I am trying to run a squid3 transparent proxy in a docker image, on my laptop. Then on the same laptop I want to use the transparent proxy. The reason for the proxy is to abstract a corporate proxy with authentication. I don't want my applications to know they are using a proxy.

I followed the instructions on http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxLocalhost

If I remove the intercept option from my squid.conf file and set the proxy manually on my system to localhost:3128, it works; the issue is setting it up transparently.

Here is my config. Any assistance will be appreciated.

Docker Container:

docker run --name squid-service -d --restart=always --publish 3128:3128 --volume /my/squid/config/squid.conf:/etc/squid3/squid.conf sameersbn/squid:latest

squid.conf

http_access allow all
http_port 3128 intercept

cache_peer 10.102.206.30 parent 80 0 default no-query login=username:password

never_direct allow all

ifconfig

docker0   Link encap:Ethernet  HWaddr 02:42:a2:98:fb:34  
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:a2ff:fe98:fb34/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2136 (2.1 KB)  TX bytes:1731 (1.7 KB)

enp7s0    Link encap:Ethernet  HWaddr 74:86:7a:33:bb:1e  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2422 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2422 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:201416 (201.4 KB)  TX bytes:201416 (201.4 KB)

wlp8s0    Link encap:Ethernet  HWaddr 68:17:29:ac:18:13  
          inet addr:192.168.1.6  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::6a17:29ff:feac:1813/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8626 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5398 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3197594 (3.1 MB)  TX bytes:1191028 (1.1 MB)

iptables

iptables -t nat -F  # clear table

# normal transparent proxy
iptables -t nat -A PREROUTING -p tcp -i wlp8s0 --dport 80 -j REDIRECT --to-port 3128

# handle connections on the same box (SQUIDIP is a loopback instance)
gid=`id -g proxy`
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner $gid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:3128

*********************************** UPDATE **********************************************

I actually got it working with this iptables config:

#!/bin/bash

# your proxy IP
SQUIDIP=127.0.0.1

# your proxy listening port
SQUIDPORT=3128


sudo iptables -t nat -A OUTPUT --match owner --uid-owner proxy -p tcp --dport 80 -j ACCEPT
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT

However, there is still an issue: once I activate my VPN or use HTTPS, it no longer goes through my proxy.

ex0b1t

1 Answer


Have you tried with --net=host and removing the --publish flag?

Squid is probably just intercepting traffic on the $CONTAINER_IP:3128 and not 0.0.0.0:3128, although you're mapping the port with the --publish flag.
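A host-side rule script for the loopback interception discussed in this thread, added here as an example; it is not code from the question, the answer, or the sameersbn/squid image. It assumes Squid is started with --net=host as the answer suggests (so its intercept port can recover each connection's original destination from the host's NAT state), and that SQUID_UID is the numeric uid Squid runs as inside the container (assumed 13, the Debian/Ubuntu proxy user); the owner match on that uid is what stops Squid's own upstream connections from being redirected back into itself.

```shell
#!/bin/sh
# Added example: build (and optionally apply) the nat OUTPUT rules for a
# loopback transparent proxy. Assumes Squid runs with --net=host, e.g.:
#   docker run --name squid-service -d --restart=always --net=host \
#     --volume /my/squid/config/squid.conf:/etc/squid3/squid.conf sameersbn/squid:latest
set -eu

SQUIDIP="${SQUIDIP:-127.0.0.1}"
SQUIDPORT="${SQUIDPORT:-3128}"
# Assumption: numeric uid Squid runs as inside the container. The host's
# "proxy" name may resolve to a different uid, so match on the number.
# Check with: docker exec squid-service id -u proxy
SQUID_UID="${SQUID_UID:-13}"

# Print the rules in the order they must be applied. Only port 80 is
# redirected: DNAT/REDIRECT cannot proxy TLS, which is why HTTPS bypasses
# the proxy in the question's setup.
build_rules() {
    cat <<EOF
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $SQUID_UID -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
EOF
}

# Apply each rule only if it is not already present: "iptables -C" tests for
# the rule without inserting it, so re-running does not stack duplicates.
apply_rules() {
    build_rules | while read -r rule; do
        check=$(printf '%s\n' "$rule" | sed 's/ -A / -C /')
        $check 2>/dev/null || $rule
    done
}

# Sanity check: exactly one DNAT rule should be generated.
count_dnat() {
    build_rules | grep -c -- '-j DNAT'
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules        # needs root
else
    build_rules        # dry run: show what would be applied
fi
```

Run without arguments to review the rules, then with --apply as root; run it again and the -C checks keep the chain from growing.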