Squid3-dev Transparent Mode



  • Hello Forum,
I am encountering an error in Squid3-dev while using transparent mode. If it's enabled then I am not able to browse the internet.
    If I disable the transparent mode then it works fine. The logs show a "TCP_MISS 403" error, so I have attached the screenshot
    of my configuration and the logs which I get when transparent mode is enabled. I just want to know where I am going wrong
    in the configuration.
    in the configuration


    ![Squid logs.png](/public/imported_attachments/1/Squid logs.png)



  • TCP_MISS 403 simply means that you requested an element and it wasn't in Squid's cache.  Do you also have SquidGuard installed?  Is this a brand new install, or did you upgrade from squid2?  Squid3-dev can be a real bear to get working, and I've managed to get it to the point where I had to reinstall the whole system.
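An added example, not part of the reply above or of the Squid/pfSense projects: Squid's default native access.log format puts the cache result code and the HTTP status code it returned in one slash-joined field (the TCP_MISS/403 seen in the screenshot), with the method, URL and hierarchy/peer fields following. The script below parses that format from a few constructed sample lines (hostnames and addresses are made up) and tallies the result field, and also tallies HTTP status per URL scheme, which is the quickest way to see whether only plain-http requests are failing while https (CONNECT) ones succeed. It assumes the log has not been switched to a custom logformat.

```javascript
// Added example for this page; not code from the original thread.
// Native Squid access.log fields (space separated, leading space padding on the first two):
//   time elapsed client code/status bytes method URL rfc931 hierarchy/peer content-type
// SAMPLE_LOG is constructed for this example; hosts and IPs are hypothetical.
const SAMPLE_LOG = [
  "1387532000.123    120 192.168.1.50 TCP_MISS/403 4021 GET http://www.google.com/ - HIER_NONE/- text/html",
  "1387532001.456     90 192.168.1.50 TCP_MISS/403 4021 GET http://www.bing.com/ - HIER_NONE/- text/html",
  "1387532002.789    210 192.168.1.51 TCP_MISS/200 15234 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html",
  "1387532003.012      2 192.168.1.51 TCP_HIT/200 15234 GET http://example.org/index.html - HIER_NONE/- text/html",
  "1387532004.345    300 192.168.1.52 TCP_MISS/200 0 CONNECT www.google.com:443 - HIER_DIRECT/173.194.34.16 -",
].join("\n");

// Parse one native-format line into named fields; returns null for lines that
// do not have the expected ten fields (blank lines, truncated lines).
function parseSquidLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10) return null;
  const [cacheCode, status] = f[3].split("/");
  const [hierarchy, peer] = f[8].split("/");
  return {
    time: parseFloat(f[0]),          // epoch seconds
    elapsedMs: parseInt(f[1], 10),
    client: f[2],
    cacheCode,                       // e.g. TCP_MISS, TCP_HIT, TCP_DENIED
    status: parseInt(status, 10),    // HTTP status sent to the client
    bytes: parseInt(f[4], 10),
    method: f[5],
    url: f[6],
    ident: f[7],
    hierarchy,                       // HIER_DIRECT, HIER_NONE, ...
    peer,
    contentType: f[9],
  };
}

// Count occurrences of each "cacheCode/status" pair across the log.
function tallyResults(log) {
  const counts = {};
  for (const r of log.split("\n").map(parseSquidLine)) {
    if (!r) continue;
    const key = `${r.cacheCode}/${r.status}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Count HTTP statuses per scheme. CONNECT is what a browser sends for https
// when Squid is its explicit proxy; requests intercepted on port 80 always
// show up as plain http URLs.
function statusByScheme(log) {
  const out = {};
  for (const r of log.split("\n").map(parseSquidLine)) {
    if (!r) continue;
    const scheme = r.method === "CONNECT" ? "CONNECT" : r.url.split(":")[0].toLowerCase();
    out[scheme] = out[scheme] || {};
    out[scheme][r.status] = (out[scheme][r.status] || 0) + 1;
  }
  return out;
}

// List the requests that got a 403, with the hierarchy field so you can see
// whether Squid ever contacted an origin server for them.
function forbiddenRequests(log) {
  return log.split("\n").map(parseSquidLine)
    .filter((r) => r && r.status === 403)
    .map((r) => ({ client: r.client, method: r.method, url: r.url, hierarchy: r.hierarchy }));
}

console.log(tallyResults(SAMPLE_LOG));
console.log(statusByScheme(SAMPLE_LOG));
console.log(forbiddenRequests(SAMPLE_LOG));
```

Run it with `node squidlog.js`, or replace SAMPLE_LOG with the contents of /var/squid/logs/access.log from the pfSense box.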



  • @KOM:

    TCP_MISS 403 simply means that you requested an element and it wasn't in Squid's cache.  Do you also have SquidGuard installed?  Is this a brand new install, or did you upgrade from squid2?  Squid3-dev can be a real bear to get working, and I've managed to get it to the point where I had to reinstall the whole system.

Yes, I also have SquidGuard-squid3 running. In common ACLs I have allowed all websites by default.
    Squid3-dev is not working with transparent mode. I have not tried the previous versions because
    SSL filtering is available only in the above-mentioned version.

    And one more thing about transparent mode: if I type "http://www.google.com" then it gives a TCP_MISS 403 error. If I change it to https then it works perfectly.



  • Enable Squid3-dev Transparent Proxy, then disable SquidGuard3.  Does it work now?  Squid by itself doesn't do any blocking, only caching.  SquidGuard does the blocking.

    Here's the thing about SSL filtering.  To do it, you will need to do one of the following:

    • install a certificate on every client, or
    • set the proxy server on every client

    You have to touch the client one way or the other, so you may as well use Squid2 which is stable.  Block off outgoing port 80 so that only the proxy has web access, set the proxy server for all your static IP clients and then set up WPAD for DHCP clients.

    I believe that HTTPS bypasses Squid unless you have it manually set to be your proxy or you're running transparently with a cert installed.  Same reason why setting a domain block in SquidGuard doesn't work for HTTPS.  HTTPS creates a point-to-point encrypted tunnel between you and the external server.  Squid has no idea what's going on unless it's "inside" the encrypted tunnel, and it can only do that if you have your client manually set to use pfSense as your web proxy, or if you're using a certificate on the client to trust your pfSense server.
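An added example of the WPAD piece of the approach described above; it is not KOM's code and not part of the pfSense Squid package. A WPAD setup serves a proxy auto-config (PAC) file, usually as http://wpad.<your-domain>/wpad.dat with the MIME type application/x-ns-proxy-autoconfig, and advertises it either through DHCP option 252 or simply through the DNS name "wpad" in the client's search domain. The file below sends both http and https to Squid (https arrives as a CONNECT, which is what lets Squid, and therefore SquidGuard, see the destination host of TLS traffic) and keeps internal names and RFC 1918 addresses direct. The proxy address 192.168.1.1:3128 and the domain corp.example are assumptions; substitute your own.

```javascript
// Added example PAC file (wpad.dat) for this page; not from the original thread.
// Assumed (hypothetical) values: pfSense/Squid at 192.168.1.1 port 3128,
// internal DNS domain corp.example.
var PROXY = "PROXY 192.168.1.1:3128";
var LOCAL_DOMAIN = ".corp.example";

// PAC engines offer helpers such as isInNet() and dnsDomainIs(), but they are
// not available outside a browser. Plain string logic is used instead so the
// file behaves the same in every client and can be unit-tested in Node.
function isRfc1918(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Older PAC engines predate String.prototype.endsWith, so provide our own.
function hasSuffix(s, suffix) {
  return s.length >= suffix.length && s.slice(s.length - suffix.length) === suffix;
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Local names (no dot), the internal domain and private addresses go direct.
  if (host === "localhost" || host.indexOf(".") === -1 ||
      hasSuffix(host, LOCAL_DOMAIN) || isRfc1918(host)) {
    return "DIRECT";
  }

  // Everything on the web goes through Squid: http as a normal proxied request,
  // https as a CONNECT to host:443. No "; DIRECT" fallback is given on purpose:
  // with outbound port 80 blocked at the firewall, a client whose proxy is down
  // fails closed instead of silently bypassing the filter.
  var scheme = url.split(":")[0].toLowerCase();
  if (scheme === "http" || scheme === "https") {
    return PROXY;
  }

  // Anything else (ftp, etc.) is not handled by this proxy.
  return "DIRECT";
}
```

Clients with static addresses can point at the same file through their browser's "automatic configuration script" setting instead of relying on DHCP or DNS discovery.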



  • @KOM:

    Enable Squid3-dev Transparent Proxy, then disable SquidGuard3.  Does it work now?  Squid by itself doesn't do any blocking, only caching.  SquidGuard does the blocking.

    I have disabled SquidGuard, set the proxy interface to LAN in Squid and enabled transparent mode, with no SSL filtering.
    It still gives the same error, i.e. TCP_MISS 403.

    @KOM:

    Here's the thing about SSL filtering.  To do it, you will need to do one of the following:

    • install a certificate on every client, or
    • set the proxy server on every client

    You have to touch the client one way or the other, so you may as well use Squid2 which is stable.  Block off outgoing port 80 so that only the proxy has web access, set the proxy server for all your static IP clients and then set up WPAD for DHCP clients.

    I believe that HTTPS bypasses Squid unless you have it manually set to be your proxy or you're running transparently with a cert installed.  Same reason why setting a domain block in SquidGuard doesn't work for HTTPS.  HTTPS creates a point-to-point encrypted tunnel between you and the external server.  Squid has no idea what's going on unless it's "inside" the encrypted tunnel, and it can only do that if you have your client manually set to use pfSense as your web proxy, or if you're using a certificate on the client to trust your pfSense server.

    I will surely try this method. SquidGuard or SquidGuard-devel has to be used with Squid2,
    because those two SquidGuard versions might not work with Squid3.