# Help needed with Squid 3 transparent proxy



## loko (Jan 9, 2009)

Hello,
I am trying to set up a transparent caching proxy with squid 3.0 and FreeBSD 7 for my http traffic, but unfortunately with no luck. When I try to open any webpage I see this:

```
ERROR
The requested URL could not be retrieved


While trying to retrieve the URL: / 

The following error was encountered: 

Invalid URL 
Some aspect of the requested URL is incorrect. Possible problems: 

Missing or incorrect access protocol (should be `http://'' or similar) 
Missing hostname 
Illegal double-escape in the URL-Path 
Illegal character in hostname; underscores are not allowed 
Your cache administrator is webmaster. 

Generated Fri, 09 Jan 2009 20:41:39 GMT by HOMER (squid/3.0.RC1+PatchSets-20071001)
```

My squid.conf looks like this:


```
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
access_log /usr/local/squid/logs/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563      # https, snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl lan src 192.168.50.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname HOMER
always_direct allow all
coredump_dir /usr/local/squid/cache
```
Can you tell me what is wrong with this configuration? Why, when I type http://freebsd.org in my address bar, does the error say

```
While trying to retrieve the URL: /
```

Thanks in advance!


----------



## bluetick (Jan 9, 2009)

I don't know if it's required but I always add this to mine.

```
dns_nameservers xx.xx.xx.ip xx.xx.xx.ip
```

I think this is the proper form to control access on the lan.

```
acl all src 192.168.50/24
```

You have:

```
acl lan src 192.168.50.0/24
```


----------



## geeknik (Feb 1, 2009)

bluetick said:

> acl lan src 192.168.50.0/24



This is valid.

I have

```
acl localnet src 10.0.0.0/24
```

in my squid.conf with no problems.


----------



## sniper007 (Feb 2, 2009)

*Transparent Cache*

Transparent cache achieves the same goal as a standard proxy cache, but operates transparently to the browser. The browser does not need to be explicitly configured to access the cache. Instead, the transparent cache intercepts network traffic, filters HTTP traffic (on port 80) and handles the request if the object is in the cache. If the object is not in the cache, the packets are forwarded to the origin web server.

*Configuring as Transparent Proxy*

Using squid transparently is a two-part process, requiring first that squid be configured properly to accept non-proxy requests (performed in the squid module) and second that web traffic gets redirected to the squid port (achieved in three ways, namely policy-based routing, using smart switching, or by setting the squid box as a gateway).

Getting transparent caching to work requires the following steps:

For some operating systems, you have to configure and build a version of Squid which can recognize the hijacked connections and discern the destination addresses. For Linux this seems to work automatically. For BSD-based systems, you probably have to configure squid with the --enable-ipf-transparent option, and you have to configure squid as

```
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
```

You have to configure your cache host to accept the redirected packets - any IP address, on port 80 - and deliver them to your cache application. This is typically done with IP filtering/forwarding features built into the kernel. On Linux they call this ipfilter (kernel 2.4.x), ipchains (2.2.x) or ipfwadm (2.0.x). On FreeBSD and other BSD systems they call it ip filter or ipnat; on many systems, it may require rebuilding the kernel or adding a new loadable kernel module.


----------



## sniper007 (Feb 2, 2009)

bluetick said:

> I think this is the proper form to control access on the lan.
> acl all src 192.168.50/24



This is absolutely *wrong*!

Squid uses CIDR notation. IPv4 uses 32-bit IP addresses and your 192.168.50 has only 24 bits. (no way)

/24 is the netmask and means ( 11111111 11111111 11111111 00000000 ) => subnet with 254 hosts.


----------
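
The CIDR point above, as an added example (not part of any post in this thread): a small Python check over `acl ... src` lines that normalises both mask styles used in the configs quoted here, reports usable host counts, and flags entries that are not a full four-octet address. The sample config, the ACL name `short` and the function names are constructed; the parsing rule is Python's `ipaddress` module, not Squid's own parser, and only plain address/mask values are handled.

```python
import ipaddress

# Constructed sample built from ACL lines quoted in this thread; the ACL
# name "short" is hypothetical and holds the three-octet form under debate.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 192.168.50.0/24
acl short src 192.168.50/24
acl Safe_ports port 80          # http
http_access allow lan
http_access deny all
"""

def usable_hosts(net):
    """Host addresses in net; network and broadcast are excluded below /31."""
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses

def lint_src_acls(conf_text):
    """Map each src ACL name to a list of (spec, network_or_None, note)."""
    report = {}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[0] != "acl" or fields[2] != "src":
            continue
        for spec in fields[3:]:
            try:
                # ip_network accepts /24 as well as /255.255.255.0 masks.
                net = ipaddress.ip_network(spec, strict=True)
                note = f"{net.with_prefixlen}, {usable_hosts(net)} usable hosts"
            except ValueError as exc:
                net, note = None, f"malformed: {exc}"
            report.setdefault(fields[1], []).append((spec, net, note))
    return report

def open_allow_rules(conf_text, report):
    """http_access allow rules whose only condition is a /0 src ACL."""
    wide = {name for name, rows in report.items()
            if any(net is not None and net.prefixlen == 0 for _, net, _ in rows)}
    hits = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields[:2] == ["http_access", "allow"] and fields[2:] and set(fields[2:]) <= wide:
            hits.append(" ".join(fields))
    return hits

if __name__ == "__main__":
    results = lint_src_acls(SAMPLE_CONF)
    for name, rows in results.items():
        for spec, _, note in rows:
            print(f"{name:10} {spec:28} {note}")
    print("open allow rules:", open_allow_rules(SAMPLE_CONF, results))
```
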



## DutchDaemon (Feb 2, 2009)

sniper007 said:

> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on



Extremely outdated.

And I believe 'acl all' is deprecated and actually produces errors nowadays.


----------



## sniper007 (Feb 3, 2009)

DutchDaemon said:

> Extremely outdated.



huh, probably you are right because I have a book from 2004 (Squid: The Definitive Guide), also never tried to set up transparent cache.

my mistake..


----------



## bufo333 (Jul 15, 2009)

*missing keyword transparent*

This problem is easy to fix, when you are using ipfw or ipfilter to redirect ports in transparent mode, you get that weird error unless you tell squid you are in transparent mode.

Add the following line to fix the problem.

```
http_port 3128 transparent
```


----------

