Squid2.7.9 transparent mode NAT rules
-
I've installed the Squid package (Squid 2.79) and set it to transparent mode.
That's working fine - I can see the requests in the access log in /var/squid/log
However, I can't see the firewall NAT rules for the redirect from 80 to 3128 in the Firewall section? I'd like to have some subnets (on the same pfSense LAN interface) bypass the squid proxy, but there's no visible rule to modify?
-
Use the "Bypass proxy" option in Squid and it'll do that automatically. Alternatively, disable transparent proxying in Squid, and add your own port forward to handle the transparent proxy redirect.
-
Thanks CMB for the reply.
@cmb:
Use the "Bypass proxy" option in Squid and it'll do that automatically.
Cool, I hadn't noticed the bypass proxy settings in Squid - I've only run Squid3 before on pfSense 2.1 and that had an explicit firewall rule for the redirect to the transparent proxy. So I can apply the solution I wanted. I'm using Squid2 for now on the 2.2 beta until the install issues with Squid3 are sorted out, and testing various network configs with 2.2b so that we can migrate across as soon as it's release-ready. After >10 years of Squid on Linux and custom iptables rulesets, we've been using pfSense for the last year to great effect.
It does seem a bit logically inconsistent not to have a visible firewall NAT rule for the redirect of port 80 to the Squid port for Squid2, but at least it works the way I wanted. The current implicit redirect behaviour could cause issues for someone troubleshooting multiple proxy servers on the network.
Talking of which, my next testing step after sorting out the OpenVPN connection overseas is working out whether I can run multiple instances of Squid2 on the same pfSense box, so we can have one HTTP proxy per gateway being routed off the pfSense box.
@cmb:
Alternatively, disable transparent proxying in Squid, and add your own port forward to handle the transparent proxy redirect.
I thought this doesn't work as there's a change in the proxy protocol - doing a redirect without Squid configured for transparent mode would require configuring all clients to use the proxy.
-
The only thing configuring squid for transparent mode does is automatically add the same redirect you can add manually.
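The redirect that the Squid package adds implicitly, and that the thread says you can add yourself with bypass subnets, looks roughly like the pf fragment below. This is an added example, not the package's generated ruleset or anything posted in the thread: the LAN interface name em1, the bypass addresses, and Squid listening on 127.0.0.1:3128 are all assumptions.

```pf
# Added example (not from the thread or the pfSense Squid package).
# Hosts and subnets that should skip the transparent proxy; values are constructed.
table <proxy_bypass> persist { 192.168.10.0/24, 192.168.1.50 }

# Assumptions: em1 is the pfSense LAN NIC, and Squid 2.7 has
# "http_port 127.0.0.1:3128 transparent" so it accepts redirected traffic.
# "to ! (em1)" keeps requests aimed at the firewall's own LAN address
# (the web GUI) out of the redirect so they are not looped into Squid.
rdr on em1 inet proto tcp from ! <proxy_bypass> to ! (em1) port 80 -> 127.0.0.1 port 3128
```

Because the package's rule is not shown in the Firewall > NAT page, `pfctl -sn` on the pfSense shell is the reliable way to see which redirects are actually loaded, and `pfctl -t proxy_bypass -T show` lists the addresses currently excluded; checking both is the quickest way to tell which of several proxies a given subnet is really being sent to.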