Univention Bugzilla – Bug 54979
Document how to use squid as transparent proxy
Last modified: 2024-02-01 15:15:12 CET
+++ This bug was initially created as a clone of Bug #53011 +++

> When configuring squid as a transparent proxy, squid is not able to start any more.
> In order to generate a valid URL to fetch some needed content, squid needs a port configured to receive normal forward-proxy traffic.
> In this case port 3128 is now used as a transparent port and cannot be used as such.
> Adding an additional port in the squid.conf, e.g.
>
> http_port 3129

This is undocumented behavior: Neither <https://docs.software-univention.de/manual/5.0/de/ip-config/web-proxy.html> nor <https://docs.software-univention.de/ext-networks/5.0/en/#operation-as-a-transparent-proxy> states that if UCRV `squid/transparentproxy=yes` is enabled
- TCP port 3128 is used for the intercept *only*
- TCP port 3129 is opened for forward-proxy traffic and must be used to support CONNECT, which is required for proxying https:// traffic.

This is important for https://, as UCRV `proxy/https=http://localhost:3129` is required then; 3128 will not work and leads to the above-mentioned error message:

$ https_proxy=http://localhost:3128 curl -v https://updates.software-univention.de/
...
< HTTP/1.1 409 Conflict
< Server: squid/4.6
< Mime-Version: 1.0
< Date: Wed, 13 Jul 2022 07:02:01 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3764
< X-Squid-Error: ERR_CONFLICT_HOST 0
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from m38
< X-Cache-Lookup: NONE from m38:3129
< Via: 1.1 m38 (squid/4.6)
< Connection: keep-alive
<
* Received HTTP code 409 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 409 from proxy after CONNECT

# journalctl -u squid.service --since 09:00
-- Logs begin at Sat 2022-05-21 10:31:16 CEST, end at Wed 2022-07-13 09:02:01 CEST. --
Jul 13 09:00:20 m38 squid[8209]: [231B blob data]
Jul 13 09:02:01 m38 squid[8209]: SECURITY ALERT: Host header forgery detected on local=[::1]:3128 remote=[::1]:36544 FD 23 flags=33 (intercepted port does not match 443)
Jul 13 09:02:01 m38 squid[8209]: SECURITY ALERT: By user agent: curl/7.64.0
Jul 13 09:02:01 m38 squid[8209]: SECURITY ALERT: on URL: updates.software-univention.de:443
Jul 13 09:02:01 m38 squid[8209]: kick abandoning local=[::1]:3128 remote=[::1]:36544 FD 23 flags=33

$ https_proxy=http://localhost:3129 curl -I https://updates.software-univention.de/
...
HTTP/1.1 200 OK
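The port mix-up described above can be caught before a client ever sends a CONNECT: the script below parses the `http_port` lines of a squid.conf and reports whether a forward-proxy URL such as the value of UCRV `proxy/https` points at an intercept-only port. This is an added example written for this page, not UCS or squid code; the embedded squid.conf fragment is constructed to mirror the two-port layout the report describes.

```python
"""Check that a forward-proxy URL (e.g. UCR proxy/https) does not point at a
squid port configured for interception. Added example, not UCS/squid code."""
from urllib.parse import urlsplit

# Constructed squid.conf fragment modelled on the setup in the bug report:
# 3128 intercepts redirected traffic, 3129 serves normal forward-proxy traffic.
SAMPLE_SQUID_CONF = """\
# constructed example, not the UCS-generated squid.conf
http_port 3128 intercept
http_port 3129
cache_mem 256 MB
"""

# http_port modes that make squid reject CONNECT with ERR_CONFLICT_HOST
# ("transparent" is squid's deprecated spelling of "intercept").
INTERCEPT_MODES = {"intercept", "tproxy", "transparent"}


def parse_http_ports(conf_text):
    """Return {port: set(options)} for every http_port/https_port directive."""
    ports = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("http_port", "https_port") or len(parts) < 2:
            continue
        # The listen spec may be "3128", "0.0.0.0:3128" or "[::]:3128".
        port = int(parts[1].rsplit(":", 1)[-1])
        ports[port] = set(parts[2:])
    return ports


def check_proxy_url(proxy_url, conf_text):
    """Return (ok, message) for a proxy URL like http://localhost:3129."""
    ports = parse_http_ports(conf_text)
    port = urlsplit(proxy_url).port
    if port is None:
        return False, "proxy URL carries no explicit port"
    if port not in ports:
        return False, f"port {port} is not an http_port in squid.conf"
    if ports[port] & INTERCEPT_MODES:
        return False, (f"port {port} is intercept-only; CONNECT to it is "
                       "answered with 409 ERR_CONFLICT_HOST (host header forgery)")
    return True, f"port {port} accepts forward-proxy (CONNECT) traffic"


if __name__ == "__main__":
    for url in ("http://localhost:3128", "http://localhost:3129"):
        print(url, "->", check_proxy_url(url, SAMPLE_SQUID_CONF)[1])
```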
I updated the description about the transparent proxy setup in the extended networking documentation. Commits are:

c11feed458 | doc(ext-networks): Add UCS manual document reference
eedbd81d6d | doc(ext-networks): Update transparent proxy setup

I also tested the outlined steps from this issue and they worked for me.
Content is deployed to the public: https://docs.software-univention.de/ext-networks/5.0/en/#operation-as-a-transparent-proxy