# More problems in squid transparent



## jemate18 (Jan 29, 2010)

Problem number1
* I can't seem to use squid in transparent mode. (It works if I set the client browser to 192.168.0.1 port 80.)

Problem number 2
* I can NOT access https sites using squid (accessed via the client PC with the browser set to use the proxy server 192.168.0.1:80; I tried 80 so as to see if the redirection from 80 to 3128 works, and work it did), but HTTP I can browse and it works.

----Details.----
Setup:
1 PC (gateway) ---- 1 switch (4 ports) ---- 1 PC (client)

I have followed a lot of tutorials and I have also viewed threads about squid + pf + transparent proxy here at the forum. Here is what I did:

- installed squid (checked the transparent pf option)
- recompiled the kernel to include ALTQ (all entries) and device pf, pflog, pfsync
- got the squid.conf http_access to 127.0.0.1:3128 transparent
- created /etc/pf.conf following DutchDaemon's pf.conf advice:

```
www="{80:83 1080 8080:8081 8088 11523}"
int_if="em1" #private
ext_if="em0" #public

#squid transparent
    rdr on $int_if inet proto tcp from any to any port $www -> 127.0.0.1 port 3128

    #### Squid Proxy
    pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
    pass out on $ext_if inet proto tcp from any to any port $www keep state
```
 
- I also have this in my /etc/rc.conf:

```
pf=enable="YES"
pf_rules="/etc/rc.conf"
squid_enable="YES"
gateway_enable="YES"
```


I don't know where I went wrong... Is there something missing?


Regards,


----------



## jemate18 (Jan 29, 2010)

I have also deinstalled squid and reinstalled it, making sure that the pf option was enabled.

Nothing worked


----------



## DutchDaemon (Jan 29, 2010)

https is impossible on a transparent proxy, because it is basically a man-in-the-middle attack. Allow https (tcp/443) out directly.


----------



## jemate18 (Jan 29, 2010)

Hi.. OK.. I'll have to edit my pf.conf to allow 443.


Anyway.. I still can't make the transparent proxy thing work.... I have viewed the threads in this forum and searched the web as well... I tried every suggestion.

What could be missing?

Regards


----------



## DutchDaemon (Jan 29, 2010)

You must have missed a suggestion.


----------



## jemate18 (Jan 29, 2010)

DutchDaemon said:

> You must have missed a suggestion.

Well, I've been trying to make things work for 2 days now....

/etc/rc.conf entries
/usr/local/etc/squid/squid.conf entries
/etc/pf.conf entries
kernel compilation.

Still can't find it.

Anyway, thanks for your time


----------



## DutchDaemon (Jan 29, 2010)

```
pf_rules="/etc/rc.conf"
```

Are you sure you have that?
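As an added example (not code from the thread or from anyone in it), the script below ties together the two points raised so far: DutchDaemon's advice that tcp/443 must be passed out directly rather than redirected, and the rc.conf fragment from the first post, whose `pf=enable="YES"` line is not `pf_enable="YES"` and whose `pf_rules` points at rc.conf instead of a pf ruleset. It renders a pf.conf for transparent Squid that never redirects 443, lints an rc.conf for those mistakes, and checks any pf.conf for an rdr rule that would catch 443 (expanding one level of macros, since the original rdr rule uses `$www`). The interface names em0/em1 and port 3128 come from the first post; the nat rule, the DNS pass rules and the `$int_if:network` restriction are assumptions about a typical single-gateway setup, not something the thread states.

```shell
#!/bin/sh
# Added example: render and sanity-check pf.conf / rc.conf for transparent
# Squid on FreeBSD. Interface names and the proxy port are assumptions.
set -u

INT_IF="${INT_IF:-em1}"        # private side, where the clients live (assumed)
EXT_IF="${EXT_IF:-em0}"        # public side (assumed)
PROXY_PORT="${PROXY_PORT:-3128}"

# Emit a pf.conf to stdout. Only plain-HTTP ports are redirected to the
# loopback Squid listener; https (tcp/443) is passed out directly because a
# transparent proxy cannot intercept TLS without being a man in the middle.
render_pfconf() {
cat <<EOF
int_if="$INT_IF"
ext_if="$EXT_IF"
www="{ 80:83 1080 8080:8081 8088 11523 }"

# Masquerade everything that leaves the public interface (assumed setup).
nat on \$ext_if inet from \$int_if:network to any -> (\$ext_if)

# Transparent proxy: plain-HTTP ports only, never 443.
rdr on \$int_if inet proto tcp from \$int_if:network to any port \$www -> 127.0.0.1 port $PROXY_PORT

pass in on \$int_if inet proto tcp from \$int_if:network to 127.0.0.1 port $PROXY_PORT keep state
pass out on \$ext_if inet proto tcp from any to any port \$www keep state

# https goes out directly, plus DNS so that names still resolve.
pass in on \$int_if inet proto tcp from \$int_if:network to any port 443 keep state
pass out on \$ext_if inet proto tcp from any to any port 443 keep state
pass in on \$int_if inet proto { tcp udp } from \$int_if:network to any port 53 keep state
pass out on \$ext_if inet proto { tcp udp } from any to any port 53 keep state
EOF
}

# Lint an rc.conf: exit 0 when pf is enabled with a ruleset that is not
# rc.conf itself, forwarding is on and squid is enabled; else print each
# problem and exit 1. (pf_rules unset is fine: it defaults to /etc/pf.conf.)
lint_rcconf() {
    f="$1"; ok=0
    grep -Eq '^pf_enable="?YES"?' "$f" || { echo "pf_enable=\"YES\" missing (pf=enable is a typo)"; ok=1; }
    rules=$(sed -n 's/^pf_rules="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$f")
    case "$rules" in
        */rc.conf) echo "pf_rules points at $rules, which is not a pf ruleset"; ok=1 ;;
    esac
    grep -Eq '^gateway_enable="?YES"?' "$f" || { echo "gateway_enable=\"YES\" missing"; ok=1; }
    grep -Eq '^squid_enable="?YES"?' "$f" || { echo "squid_enable=\"YES\" missing"; ok=1; }
    return $ok
}

# Print every rdr line of a pf.conf with one level of macro expansion, so a
# port list hidden behind a macro such as $www can be inspected.
rdr_lines_expanded() {
    f="$1"
    grep -E '^[[:space:]]*rdr ' "$f" | while IFS= read -r line; do
        for m in $(printf '%s\n' "$line" | grep -oE '\$[A-Za-z_][A-Za-z0-9_]*' | sort -u); do
            name=${m#\$}
            val=$(sed -n "s/^${name}=\"\(.*\)\"[[:space:]]*$/\1/p" "$f" | head -n 1)
            line=$(printf '%s\n' "$line" | sed "s|\\$name|$val|g")
        done
        printf '%s\n' "$line"
    done
}

# Check a pf.conf for the two things transparent Squid needs: an rdr to the
# loopback listener, and no rdr that would swallow tcp/443. Exit 0 if both hold.
check_pfconf() {
    f="$1"; ok=0
    grep -Eq '^[[:space:]]*rdr .*-> 127\.0\.0\.1 port [0-9]+' "$f" || { echo "no rdr to 127.0.0.1"; ok=1; }
    if rdr_lines_expanded "$f" | grep -Eq '(^|[^0-9])443([^0-9]|$)'; then
        echo "an rdr rule redirects tcp/443; https cannot be proxied transparently"; ok=1
    fi
    return $ok
}

# Usage: ./squidpf.sh render > /etc/pf.conf
#        ./squidpf.sh lint /etc/rc.conf
#        ./squidpf.sh check /etc/pf.conf   (then load it with: pfctl -nf /etc/pf.conf)
case "${1:-}" in
    render) render_pfconf ;;
    lint)   lint_rcconf "$2" ;;
    check)  check_pfconf "$2" ;;
esac
```

Run `lint` against the rc.conf from the first post and it reports both the `pf_enable` and the `pf_rules` problems; run `check` against the first post's pf.conf and it passes, because that ruleset never redirects 443 (the missing piece there is the pass rule, which the rendered config adds). The rendered file should still be syntax-checked with `pfctl -nf` before loading, since the script only reasons about the text.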


----------



## jemate18 (Jan 29, 2010)

DutchDaemon said:

> ```
> pf_rules="/etc/rc.conf"
> ```
> 
> Are you sure you have that?


Yup.. got that one too.... I have changed that to /etc/pf.conf and pfctl -e -f /etc/pf.conf

I know that the forward thing is working, since when I set the client browser to use proxy 192.168.0.1:80 or even 3128, it works, and at the server I check the connections via netstat -an and pfctl -s status.
They were all forwarded to 3128, so the redirection works also.

I don't know if I still have to change the pf.conf to accommodate the transparent thing...


----------



## DutchDaemon (Jan 29, 2010)

You cannot have 127.0.0.1:3128 transparent in squid.conf and connect to 192.168.0.1:3128. There shouldn't be anything running on 192.168.0.1:3128. Moreover, using 192.168.0.1:80 as a proxy server should result in a refused connection. I think you really should start from scratch. This is a mess.


----------

