NAT to External Squid Proxy



  • I have spent a great deal of time reading threads and trying different things before posting for help here, but nothing has worked so far. Ultimately, I want all http traffic from a specific alias forwarded through the external squid proxy without any configuration on the client side, but at the moment I just have the source set to the entire 'LAN net' for testing.

    Internet - pfSense - switch (on LAN if) - PCs
                                            |
                                  Squid Proxy (on OPT1)

    LAN on 192.168.0.0/24
    OPT1 on 192.168.1.0/24

    If I set the proxy to non-transparent and manually enter the proxy in the browser, it works.  If I set the proxy to non-transparent mode and use the NAT rule to forward http to squid port on the proxy, http requests return Invalid URL. If I try to use transparent mode and have NAT forward to port 80 I get 'Access denied'.

    This is how I set up iptables initially.

    
    #delete all rules
    sudo iptables -F
    sudo iptables -t nat -F
    sudo iptables -t mangle -F
    sudo iptables -X
    
    # Enable routing.
    echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
    
    # Masquerade.
    sudo iptables -t nat -A POSTROUTING -j MASQUERADE
    
    # Transparent proxying
    sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8085
    
    

    Here is my squid.conf

    
    #	WELCOME TO SQUID 3.3.8
    #	----------------------------
    #	
    #	This is the documentation for the Squid configuration file.
    #	This documentation can also be found online at:
    #		http://www.squid-cache.org/Doc/config/
    #	
    #	You may wish to look at the Squid home page and wiki for the
    #	FAQ and other documentation:
    #		http://www.squid-cache.org/
    #		http://wiki.squid-cache.org/SquidFaq
    #		http://wiki.squid-cache.org/ConfigExamples
    #	
    #	This documentation shows what the defaults for various directives
    #	happen to be.  If you don't need to change the default, you should
    #	leave the line out of your squid.conf in most cases.
    #	
    #	In some cases "none" refers to no default setting at all,
    #	while in other cases it refers to the value of the option
    #	- the comments for that keyword indicate if this is the case.
    #
    
    #  Configuration options can be included using the "include" directive.
    #  Include takes a list of files to include. Quoting and wildcards are
    #  supported.
    #
    #  For example,
    #
    #  include /path/to/included/file/squid.acl.config
    #
    #  Includes can be nested up to a hard-coded depth of 16 levels.
    #  This arbitrary restriction is to prevent recursive include references
    #  from causing Squid entering an infinite loop whilst trying to load
    #  configuration files.
    #
    #
    #  Conditional configuration
    #
    #	If-statements can be used to make configuration directives
    #	depend on conditions:
    #
    #	    if <condition>
    #	        ... regular configuration directives ...
    #	    [else
    #	        ... regular configuration directives ...]
    #	    endif
    #
    #	The else part is optional. The keywords "if", "else", and "endif"
    #	must be typed on their own lines, as if they were regular
    #	configuration directives.
    #
    #	NOTE: An else-if condition is not supported.
    #
    #	These individual conditions types are supported:
    #
    #	    true
    #		Always evaluates to true.
    #	    false
    #		Always evaluates to false.
    #	    <integer> = <integer>
    #	        Equality comparison of two integer numbers.
    #
    #
    #  SMP-Related Macros
    #
    #	The following SMP-related preprocessor macros can be used.
    #
    #	${process_name} expands to the current Squid process "name"
    #	(e.g., squid1, squid2, or cache1).
    #
    #	${process_number} expands to the current Squid process
    #	identifier, which is an integer number (e.g., 1, 2, 3) unique
    #	across all Squid processes.
    
    #  TAG: broken_vary_encoding
    #	This option is not yet supported by Squid-3.
    #Default:
    # none
    
    #  TAG: cache_vary
    #	This option is not yet supported by Squid-3.
    #Default:
    # none
    
    #  TAG: collapsed_forwarding
    #	This option is not yet supported by Squid-3\. see http://bugs.squid-cache.org/show_bug.cgi?id=3495
    #Default:
    # none
    
    #  TAG: error_map
    #	This option is not yet supported by Squid-3.
    #Default:
    # none
    
    #  TAG: external_refresh_check
    #	This option is not yet supported by Squid-3.
    #Default:
    # none
    
    #  TAG: ignore_ims_on_miss
    #	This option is not yet supported by Squid-3.
    #Default:
    # none
    
    #  TAG: location_rewrite_program
    #	This option is not yet supported by Squid-3.
    #Default:
    # none
    
    #  TAG: refresh_stale_hit
    #	This option is not yet supported by Squid-3.
    #Default:
    # none
    
    #  TAG: storeurl_access
    #	This option is not yet supported by this version of Squid-3\. Please try a later release.
    #Default:
    # none
    
    #  TAG: ignore_expect_100
    #	Remove this line. The HTTP/1.1 feature is now fully supported by default.
    #Default:
    # none
    
    #  TAG: dns_v4_fallback
    #	Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
    #Default:
    # none
    
    #  TAG: ftp_list_width
    #	Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
    #Default:
    # none
    
    #  TAG: maximum_single_addr_tries
    #	Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
    #Default:
    # none
    
    #  TAG: update_headers
    #	Remove this line. The feature is supported by default in storage types where update is implemented.
    #Default:
    # none
    
    #  TAG: url_rewrite_concurrency
    #	Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
    #Default:
    # none
    
    #  TAG: dns_testnames
    #	Remove this line. DNS is no longer tested on startup.
    #Default:
    # none
    
    #  TAG: extension_methods
    #	Remove this line. All valid methods for HTTP are accepted by default.
    #Default:
    # none
    
    #  TAG: zero_buffers
    #Default:
    # none
    
    #  TAG: incoming_rate
    #Default:
    # none
    
    #  TAG: server_http11
    #	Remove this line. HTTP/1.1 is supported by default.
    #Default:
    # none
    
    #  TAG: upgrade_http0.9
    #	Remove this line. ICY/1.0 streaming protocol is supported by default.
    #Default:
    # none
    
    #  TAG: zph_local
    #	Alter these entries. Use the qos_flows directive instead.
    #Default:
    # none
    
    #  TAG: header_access
    #	Since squid-3.0 replace with request_header_access or reply_header_access
    #	depending on whether you wish to match client requests or server replies.
    #Default:
    # none
    
    #  TAG: httpd_accel_no_pmtu_disc
    #	Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
    #Default:
    # none
    
    #  TAG: wais_relay_host
    #	Replace this line with 'cache_peer' configuration.
    #Default:
    # none
    
    #  TAG: wais_relay_port
    #	Replace this line with 'cache_peer' configuration.
    #Default:
    # none
    
    # OPTIONS FOR AUTHENTICATION
    # -----------------------------------------------------------------------------
    
    #  TAG: auth_param
    #	This is used to define parameters for the various authentication
    #	schemes supported by Squid.
    #
    #	format: auth_param scheme parameter [setting]
    #
    #	The order in which authentication schemes are presented to the client is
    #	dependent on the order the scheme first appears in config file. IE
    #	has a bug (it's not RFC 2617 compliant) in that it will use the basic
    #	scheme if basic is the first entry presented, even if more secure
    #	schemes are presented. For now use the order in the recommended
    #	settings section below. If other browsers have difficulties (don't
    #	recognize the schemes offered even if you are using basic) either
    #	put basic first, or disable the other schemes (by commenting out their
    #	program entry).
    #
    #	Once an authentication scheme is fully configured, it can only be
    #	shutdown by shutting squid down and restarting. Changes can be made on
    #	the fly and activated with a reconfigure. I.E. You can change to a
    #	different helper, but not unconfigure the helper completely.
    #
    #	Please note that while this directive defines how Squid processes
    #	authentication it does not automatically activate authentication.
    #	To use authentication you must in addition make use of ACLs based
    #	on login name in http_access (proxy_auth, proxy_auth_regex or
    #	external with %LOGIN used in the format tag). The browser will be
    #	challenged for authentication on the first such acl encountered
    #	in http_access processing and will also be re-challenged for new
    #	login credentials if the request is being denied by a proxy_auth
    #	type acl.
    #
    #	WARNING: authentication can't be used in a transparently intercepting
    #	proxy as the client then thinks it is talking to an origin server and
    #	not the proxy. This is a limitation of bending the TCP/IP protocol to
    #	transparently intercepting port 80, not a limitation in Squid.
    #	Ports flagged 'transparent', 'intercept', or 'tproxy' have
    #	authentication disabled.
    #
    #	=== Parameters for the basic scheme follow. ===
    #
    #	"program" cmdline
    #	Specify the command for the external authenticator.  Such a program
    #	reads a line containing "username password" and replies "OK" or
    #	"ERR" in an endless loop. "ERR" responses may optionally be followed
    #	by a error description available as %m in the returned error page.
    #	If you use an authenticator, make sure you have 1 acl of type
    #	proxy_auth.
    #
    #	By default, the basic authentication scheme is not used unless a
    #	program is specified.
    #
    #	If you want to use the traditional NCSA proxy authentication, set
    #	this line to something like
    #
    #	auth_param basic program /usr/lib/squid3/basic_ncsa_auth /usr/etc/passwd
    #
    #	"utf8" on|off
    #	HTTP uses iso-latin-1 as character set, while some authentication
    #	backends such as LDAP expects UTF-8\. If this is set to on Squid will
    #	translate the HTTP iso-latin-1 charset to UTF-8 before sending the
    #	username & password to the helper.
    #
    #	"children" numberofchildren [startup=N] [idle=N] [concurrency=N]
    #	The maximum number of authenticator processes to spawn. If you start too few
    #	Squid will have to wait for them to process a backlog of credential
    #	verifications, slowing it down. When password verifications are
    #	done via a (slow) network you are likely to need lots of
    #	authenticator processes.
    #
    #	The startup= and idle= options permit some skew in the exact amount
    #	run. A minimum of startup=N will begin during startup and reconfigure.
    #	Squid will start more in groups of up to idle=N in an attempt to meet
    #	traffic needs and to keep idle=N free above those traffic needs up to
    #	the maximum.
    #
    #	The concurrency= option sets the number of concurrent requests the
    #	helper can process.  The default of 0 is used for helpers who only
    #	supports one request at a time. Setting this to a number greater than
    #	0 changes the protocol used to include a channel number first on the
    #	request/response line, allowing multiple requests to be sent to the
    #	same helper in parallel without waiting for the response.
    #	Must not be set unless it's known the helper supports this.
    #
    #	auth_param basic children 20 startup=0 idle=1
    #
    #	"realm" realmstring
    #	Specifies the realm name which is to be reported to the
    #	client for the basic proxy authentication scheme (part of
    #	the text the user will see when prompted their username and
    #	password). There is no default.
    #	auth_param basic realm Squid proxy-caching web server
    #
    #	"credentialsttl" timetolive
    #	Specifies how long squid assumes an externally validated
    #	username:password pair is valid for - in other words how
    #	often the helper program is called for that user. Set this
    #	low to force revalidation with short lived passwords.  Note
    #	setting this high does not impact your susceptibility
    #	to replay attacks unless you are using an one-time password
    #	system (such as SecureID).  If you are using such a system,
    #	you will be vulnerable to replay attacks unless you also
    #	use the max_user_ip ACL in an http_access rule.
    #
    #	"casesensitive" on|off
    #	Specifies if usernames are case sensitive. Most user databases are
    #	case insensitive allowing the same username to be spelled using both
    #	lower and upper case letters, but some are case sensitive. This
    #	makes a big difference for user_max_ip ACL processing and similar.
    #	auth_param basic casesensitive off
    #
    #	=== Parameters for the digest scheme follow ===
    #
    #	"program" cmdline
    #	Specify the command for the external authenticator.  Such
    #	a program reads a line containing "username":"realm" and
    #	replies with the appropriate H(A1) value hex encoded or
    #	ERR if the user (or his H(A1) hash) does not exists.
    #	See rfc 2616 for the definition of H(A1).
    #	"ERR" responses may optionally be followed by a error description
    #	available as %m in the returned error page.
    #
    #	By default, the digest authentication scheme is not used unless a
    #	program is specified.
    #
    #	If you want to use a digest authenticator, set this line to
    #	something like
    #
    #	auth_param digest program /usr/lib/squid3/digest_pw_auth /usr/etc/digpass
    #
    #	"utf8" on|off
    #	HTTP uses iso-latin-1 as character set, while some authentication
    #	backends such as LDAP expects UTF-8\. If this is set to on Squid will
    #	translate the HTTP iso-latin-1 charset to UTF-8 before sending the
    #	username & password to the helper.
    #
    #	"children" numberofchildren [startup=N] [idle=N] [concurrency=N]
    #	The maximum number of authenticator processes to spawn (default 5).
    #	If you start too few Squid will have to wait for them to
    #	process a backlog of H(A1) calculations, slowing it down.
    #	When the H(A1) calculations are done via a (slow) network
    #	you are likely to need lots of authenticator processes.
    #
    #	The startup= and idle= options permit some skew in the exact amount
    #	run. A minimum of startup=N will begin during startup and reconfigure.
    #	Squid will start more in groups of up to idle=N in an attempt to meet
    #	traffic needs and to keep idle=N free above those traffic needs up to
    #	the maximum.
    #
    #	The concurrency= option sets the number of concurrent requests the
    #	helper can process.  The default of 0 is used for helpers who only
    #	supports one request at a time. Setting this to a number greater than
    #	0 changes the protocol used to include a channel number first on the
    #	request/response line, allowing multiple requests to be sent to the
    #	same helper in parallel without waiting for the response.
    #	Must not be set unless it's known the helper supports this.
    #
    #	auth_param digest children 20 startup=0 idle=1
    #
    #	"realm" realmstring
    #	Specifies the realm name which is to be reported to the
    #	client for the digest proxy authentication scheme (part of
    #	the text the user will see when prompted their username and
    #	password). There is no default.
    #	auth_param digest realm Squid proxy-caching web server
    #
    #	"nonce_garbage_interval" timeinterval
    #	Specifies the interval that nonces that have been issued
    #	to client_agent's are checked for validity.
    #
    #	"nonce_max_duration" timeinterval
    #	Specifies the maximum length of time a given nonce will be
    #	valid for.
    #
    #	"nonce_max_count" number
    #	Specifies the maximum number of times a given nonce can be
    #	used.
    #
    #	"nonce_strictness" on|off
    #	Determines if squid requires strict increment-by-1 behavior
    #	for nonce counts, or just incrementing (off - for use when
    #	user agents generate nonce counts that occasionally miss 1
    #	(ie, 1,2,4,6)). Default off.
    #
    #	"check_nonce_count" on|off
    #	This directive if set to off can disable the nonce count check
    #	completely to work around buggy digest qop implementations in
    #	certain mainstream browser versions. Default on to check the
    #	nonce count to protect from authentication replay attacks.
    #
    #	"post_workaround" on|off
    #	This is a workaround to certain buggy browsers who sends
    #	an incorrect request digest in POST requests when reusing
    #	the same nonce as acquired earlier on a GET request.
    #
    #	=== NTLM scheme options follow ===
    #
    #	"program" cmdline
    #	Specify the command for the external NTLM authenticator.
    #	Such a program reads exchanged NTLMSSP packets with
    #	the browser via Squid until authentication is completed.
    #	If you use an NTLM authenticator, make sure you have 1 acl
    #	of type proxy_auth.  By default, the NTLM authenticator_program
    #	is not used.
    #
    #	NOTE: In Debian the ntlm_auth program is distributed in the winbindd package
    #	      which is required for this auth scheme to work
    #
    #	auth_param ntlm program /usr/bin/ntlm_auth
    #
    #	"children" numberofchildren [startup=N] [idle=N]
    #	The maximum number of authenticator processes to spawn (default 5).
    #	If you start too few Squid will have to wait for them to
    #	process a backlog of credential verifications, slowing it
    #	down. When credential verifications are done via a (slow)
    #	network you are likely to need lots of authenticator
    #	processes.
    #
    #	The startup= and idle= options permit some skew in the exact amount
    #	run. A minimum of startup=N will begin during startup and reconfigure.
    #	Squid will start more in groups of up to idle=N in an attempt to meet
    #	traffic needs and to keep idle=N free above those traffic needs up to
    #	the maximum.
    #
    #	auth_param ntlm children 20 startup=0 idle=1
    #
    #	"keep_alive" on|off
    #	If you experience problems with PUT/POST requests when using the
    #	Negotiate authentication scheme then you can try setting this to
    #	off. This will cause Squid to forcibly close the connection on
    #	the initial requests where the browser asks which schemes are
    #	supported by the proxy.
    #
    #	auth_param ntlm keep_alive on
    #
    #	=== Options for configuring the NEGOTIATE auth-scheme follow ===
    #
    #	"program" cmdline
    #	Specify the command for the external Negotiate authenticator.
    #	This protocol is used in Microsoft Active-Directory enabled setups with
    #	the Microsoft Internet Explorer or Mozilla Firefox browsers.
    #	Its main purpose is to exchange credentials with the Squid proxy
    #	using the Kerberos mechanisms.
    #	If you use a Negotiate authenticator, make sure you have at least
    #	one acl of type proxy_auth active. By default, the negotiate
    #	authenticator_program is not used.
    #	The only supported program for this role is the ntlm_auth
    #	program distributed as part of Samba, version 4 or later.
    #
    #	NOTE: In Debian the ntlm_auth program is distributed in the winbindd package
    #	      which is required for this auth scheme to work
    #
    #	auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
    #
    #	"children" numberofchildren [startup=N] [idle=N]
    #	The maximum number of authenticator processes to spawn (default 5).
    #	If you start too few Squid will have to wait for them to
    #	process a backlog of credential verifications, slowing it
    #	down. When credential verifications are done via a (slow)
    #	network you are likely to need lots of authenticator
    #	processes.
    #
    #	The startup= and idle= options permit some skew in the exact amount
    #	run. A minimum of startup=N will begin during startup and reconfigure.
    #	Squid will start more in groups of up to idle=N in an attempt to meet
    #	traffic needs and to keep idle=N free above those traffic needs up to
    #	the maximum.
    #
    #	auth_param negotiate children 20 startup=0 idle=1
    #
    #	"keep_alive" on|off
    #	If you experience problems with PUT/POST requests when using the
    #	Negotiate authentication scheme then you can try setting this to
    #	off. This will cause Squid to forcibly close the connection on
    #	the initial requests where the browser asks which schemes are
    #	supported by the proxy.
    #
    #	auth_param negotiate keep_alive on
    #
    #	
    #	Examples:
    #
    ##Recommended minimum configuration per scheme:
    ##auth_param negotiate program <uncomment and="" complete="" this="" line="" to="" activate="">
    ##auth_param negotiate children 20 startup=0 idle=1
    ##auth_param negotiate keep_alive on
    ##
    ##auth_param ntlm program <uncomment and="" complete="" this="" line="" to="" activate="">
    ##auth_param ntlm children 20 startup=0 idle=1
    ##auth_param ntlm keep_alive on
    ##
    ##auth_param digest program <uncomment and="" complete="" this="" line="">
    ##auth_param digest children 20 startup=0 idle=1
    ##auth_param digest realm Squid proxy-caching web server
    ##auth_param digest nonce_garbage_interval 5 minutes
    ##auth_param digest nonce_max_duration 30 minutes
    ##auth_param digest nonce_max_count 50
    ##
    ##auth_param basic program <uncomment and="" complete="" this="" line="">
    ##auth_param basic children 5 startup=5 idle=1
    ##auth_param basic realm Squid proxy-caching web server
    ##auth_param basic credentialsttl 2 hours
    #Default:
    # none
    
    #  TAG: authenticate_cache_garbage_interval
    #	The time period between garbage collection across the username cache.
    #	This is a trade-off between memory utilization (long intervals - say
    #	2 days) and CPU (short intervals - say 1 minute). Only change if you
    #	have good reason to.
    #Default:
    # authenticate_cache_garbage_interval 1 hour
    
    #  TAG: authenticate_ttl
    #	The time a user & their credentials stay in the logged in
    #	user cache since their last request. When the garbage
    #	interval passes, all user credentials that have passed their
    #	TTL are removed from memory.
    #Default:
    # authenticate_ttl 1 hour
    
    #  TAG: authenticate_ip_ttl
    #	If you use proxy authentication and the 'max_user_ip' ACL,
    #	this directive controls how long Squid remembers the IP
    #	addresses associated with each user.  Use a small value
    #	(e.g., 60 seconds) if your users might change addresses
    #	quickly, as is the case with dialup.   You might be safe
    #	using a larger value (e.g., 2 hours) in a corporate LAN
    #	environment with relatively static address assignments.
    #Default:
    # authenticate_ip_ttl 0 seconds
    
    # ACCESS CONTROLS
    # -----------------------------------------------------------------------------
    
    #  TAG: external_acl_type
    #	This option defines external acl classes using a helper program
    #	to look up the status
    #
    #	  external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
    #
    #	Options:
    #
    #	  ttl=n		TTL in seconds for cached results (defaults to 3600
    #	  		for 1 hour)
    #	  negative_ttl=n
    #	  		TTL for cached negative lookups (default same
    #	  		as ttl)
    #	  children-max=n
    #			Maximum number of acl helper processes spawned to service
    #			external acl lookups of this type. (default 20)
    #	  children-startup=n
    #			Minimum number of acl helper processes to spawn during
    #			startup and reconfigure to service external acl lookups
    #			of this type. (default 0)
    #	  children-idle=n
    #			Number of acl helper processes to keep ahead of traffic
    #			loads. Squid will spawn this many at once whenever load
    #			rises above the capabilities of existing processes.
    #			Up to the value of children-max. (default 1)
    #	  concurrency=n	concurrency level per process. Only used with helpers
    #			capable of processing more than one query at a time.
    #	  cache=n	limit the result cache size, default is unbounded.
    #	  grace=n	Percentage remaining of TTL where a refresh of a
    #			cached entry should be initiated without needing to
    #			wait for a new reply. (default is for no grace period)
    #	  protocol=2.5	Compatibility mode for Squid-2.5 external acl helpers
    #	  ipv4 / ipv6	IP protocol used to communicate with this helper.
    #			The default is to auto-detect IPv6 and use it when available.
    #
    #	FORMAT specifications
    #
    #	  %LOGIN	Authenticated user login name
    #	  %EXT_USER	Username from previous external acl
    #	  %EXT_LOG	Log details from previous external acl
    #	  %EXT_TAG	Tag from previous external acl
    #	  %IDENT	Ident user name
    #	  %SRC		Client IP
    #	  %SRCPORT	Client source port
    #	  %URI		Requested URI
    #	  %DST		Requested host
    #	  %PROTO	Requested protocol
    #	  %PORT		Requested port
    #	  %PATH		Requested URL path
    #	  %METHOD	Request method
    #	  %MYADDR	Squid interface address
    #	  %MYPORT	Squid http_port number
    #	  %PATH		Requested URL-path (including query-string if any)
    #	  %USER_CERT	SSL User certificate in PEM format
    #	  %USER_CERTCHAIN SSL User certificate chain in PEM format
    #	  %USER_CERT_xx	SSL User certificate subject attribute xx
    #	  %USER_CA_xx	SSL User certificate issuer attribute xx
    #
    #	  %>{Header}	HTTP request header "Header"
    #	  %>{Hdr:member}
    #	  		HTTP request header "Hdr" list member "member"
    #	  %>{Hdr:;member}
    #	  		HTTP request header list member using ; as
    #	  		list separator. ; can be any non-alphanumeric
    #			character.
    #
    #	  %<{Header}	HTTP reply header "Header"
    #	  %<{Hdr:member}
    #	  		HTTP reply header "Hdr" list member "member"
    #	  %<{Hdr:;member}
    #	  		HTTP reply header list member using ; as
    #	  		list separator. ; can be any non-alphanumeric
    #			character.
    #
    #	  %ACL		The name of the ACL being tested.
    #	  %DATA		The ACL arguments. If not used then any arguments
    #			is automatically added at the end of the line
    #			sent to the helper.
    #			NOTE: this will encode the arguments as one token,
    #			whereas the default will pass each separately.
    #
    #	  %%		The percent sign. Useful for helpers which need
    #			an unchanging input format.
    #
    #	In addition to the above, any string specified in the referencing
    #	acl will also be included in the helper request line, after the
    #	specified formats (see the "acl external" directive)
    #
    #	The helper receives lines per the above format specification,
    #	and returns lines starting with OK or ERR indicating the validity
    #	of the request and optionally followed by additional keywords with
    #	more details.
    #
    #	General result syntax:
    #
    #	  OK/ERR keyword=value ...
    #
    #	Defined keywords:
    #
    #	  user=		The users name (login)
    #	  password=	The users password (for login= cache_peer option)
    #	  message=	Message describing the reason. Available as %o
    #	  		in error pages
    #	  tag=		Apply a tag to a request (for both ERR and OK results)
    #	  		Only sets a tag, does not alter existing tags.
    #	  log=		String to be logged in access.log. Available as
    #	  		%ea in logformat specifications
    #
    #	If protocol=3.0 (the default) then URL escaping is used to protect
    #	each value in both requests and responses.
    #
    #	If using protocol=2.5 then all values need to be enclosed in quotes
    #	if they may contain whitespace, or the whitespace escaped using \.
    #	And quotes or \ characters within the keyword value must be \ escaped.
    #
    #	When using the concurrency= option the protocol is changed by
    #	introducing a query channel tag infront of the request/response.
    #	The query channel tag is a number between 0 and concurrency-1.
    #Default:
    # none
    
    #  TAG: acl
    #	Defining an Access List
    #
    #	Every access list definition must begin with an aclname and acltype, 
    #	followed by either type-specific arguments or a quoted filename that
    #	they are read from.
    #
    #	   acl aclname acltype argument ...
    #	   acl aclname acltype "file" ...
    #
    #	When using "file", the file should contain one item per line.
    #
    #	By default, regular expressions are CASE-SENSITIVE.
    #	To make them case-insensitive, use the -i option. To return case-sensitive
    #	use the +i option between patterns, or make a new ACL line without -i.
    #
    #	Some acl types require suspending the current request in order
    #	to access some external data source.
    #	Those which do are marked with the tag [slow], those which
    #	don't are marked as [fast].
    #	See http://wiki.squid-cache.org/SquidFaq/SquidAcl
    #	for further information
    #
    #	***** ACL TYPES AVAILABLE *****
    #
    #	acl aclname src ip-address/mask ...	# clients IP address [fast]
    #	acl aclname src addr1-addr2/mask ...	# range of addresses [fast]
    #	acl aclname dst ip-address/mask ...	# URL host's IP address [slow]
    #	acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
    #
    #	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
    #	  # The arp ACL requires the special configure option --enable-arp-acl.
    #	  # Furthermore, the ARP ACL code is not portable to all operating systems.
    #	  # It works on Linux, Solaris, Windows, FreeBSD, and some
    #	  # other *BSD variants.
    #	  # [fast]
    #	  #
    #	  # NOTE: Squid can only determine the MAC address for clients that are on
    #	  # the same subnet. If the client is on a different subnet,
    #	  # then Squid cannot find out its MAC address.
    #
    #	acl aclname srcdomain   .foo.com ...
    #	  # reverse lookup, from client IP [slow]
    #	acl aclname dstdomain   .foo.com ...
    #	  # Destination server from URL [fast]
    #	acl aclname srcdom_regex [-i] \.foo\.com ...
    #	  # regex matching client name [slow]
    #	acl aclname dstdom_regex [-i] \.foo\.com ...
    #	  # regex matching server [fast]
    #	  #
    #	  # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
    #	  # based URL is used and no match is found. The name "none" is used
    #	  # if the reverse lookup fails.
    #
    #	acl aclname src_as number ...
    #	acl aclname dst_as number ...
    #	  # [fast]
    #	  # Except for access control, AS numbers can be used for
    #	  # routing of requests to specific caches. Here's an
    #	  # example for routing all requests for AS#1241 and only
    #	  # those to mycache.mydomain.net:
    #	  # acl asexample dst_as 1241
    #	  # cache_peer_access mycache.mydomain.net allow asexample
    #	  # cache_peer_access mycache_mydomain.net deny all
    #
    #	acl aclname peername myPeer ...
    #	  # [fast]
    #	  # match against a named cache_peer entry
    #	  # set unique name= on cache_peer lines for reliable use.
    #
    #	acl aclname time [day-abbrevs] [h1]
    #	  # [fast]
    #	  #  day-abbrevs:
    #	  #	S - Sunday
    #	  #	M - Monday
    #	  #	T - Tuesday
    #	  #	W - Wednesday
    #	  #	H - Thursday
    #	  #	F - Friday
    #	  #	A - Saturday
    #	  #  h1:m1 must be less than h2:m2
    #
    #	acl aclname url_regex [-i] ^http:// ...
    #	  # regex matching on whole URL [fast]
    #	acl aclname urllogin [-i] [^a-zA-Z0-9] ...
    #	  # regex matching on URL login field
    #	acl aclname urlpath_regex [-i] \.gif$ ...
    #	  # regex matching on URL path [fast]
    #
    #	acl aclname port 80 70 21 0-1024...   # destination TCP port [fast]
    #	                                      # ranges are alloed
    #	acl aclname localport 3128 ...	      # TCP port the client connected to [fast]
    #	                                      # NP: for interception mode this is usually '80'
    #
    #	acl aclname myportname 3128 ...       # http(s)_port name [fast]
    #
    #	acl aclname proto HTTP FTP ...        # request protocol [fast]
    # 
    #	acl aclname method GET POST ...       # HTTP request method [fast]
    #
    #	acl aclname http_status 200 301 500- 400-403 ... 
    #	  # status code in reply [fast]
    #
    #	acl aclname browser [-i] regexp ...
    #	  # pattern match on User-Agent header (see also req_header below) [fast]
    #
    #	acl aclname referer_regex [-i] regexp ...
    #	  # pattern match on Referer header [fast]
    #	  # Referer is highly unreliable, so use with care
    #
    #	acl aclname ident username ...
    #	acl aclname ident_regex [-i] pattern ...
    #	  # string match on ident output [slow]
    #	  # use REQUIRED to accept any non-null ident.
    #
    #	acl aclname proxy_auth [-i] username ...
    #	acl aclname proxy_auth_regex [-i] pattern ...
    #	  # perform http authentication challenge to the client and match against
    #	  # supplied credentials [slow]
    #	  #
    #	  # takes a list of allowed usernames.
    #	  # use REQUIRED to accept any valid username.
    #	  #
    #	  # Will use proxy authentication in forward-proxy scenarios, and plain
    #	  # http authenticaiton in reverse-proxy scenarios
    #	  #
    #	  # NOTE: when a Proxy-Authentication header is sent but it is not
    #	  # needed during ACL checking the username is NOT logged
    #	  # in access.log.
    #	  #
    #	  # NOTE: proxy_auth requires a EXTERNAL authentication program
    #	  # to check username/password combinations (see
    #	  # auth_param directive).
    #	  #
    #	  # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
    #	  # as the browser needs to be configured for using a proxy in order
    #	  # to respond to proxy authentication.
    #
    #	acl aclname snmp_community string ...
    #	  # A community string to limit access to your SNMP Agent [fast]
    #	  # Example:
    #	  #
    #	  #	acl snmppublic snmp_community public
    #
    #	acl aclname maxconn number
    #	  # This will be matched when the client's IP address has
    #	  # more than <number> TCP connections established. [fast]
    #	  # NOTE: This only measures direct TCP links so X-Forwarded-For
    #	  # indirect clients are not counted.
    #
    #	acl aclname max_user_ip [-s] number
    #	  # This will be matched when the user attempts to log in from more
    #	  # than <number> different ip addresses. The authenticate_ip_ttl
    #	  # parameter controls the timeout on the ip entries. [fast]
    #	  # If -s is specified the limit is strict, denying browsing
    #	  # from any further IP addresses until the ttl has expired. Without
    #	  # -s Squid will just annoy the user by "randomly" denying requests.
    #	  # (the counter is reset each time the limit is reached and a
    #	  # request is denied)
    #	  # NOTE: in acceleration mode or where there is mesh of child proxies,
    #	  # clients may appear to come from multiple addresses if they are
    #	  # going through proxy farms, so a limit of 1 may cause user problems.
    #
    #	acl aclname random probability
    #	  # Pseudo-randomly match requests. Based on the probability given.
    #	  # Probability may be written as a decimal (0.333), fraction (1/3)
    #	  # or ratio of matches:non-matches (3:5).
    #
    #	acl aclname req_mime_type [-i] mime-type ...
    #	  # regex match against the mime type of the request generated
    #	  # by the client. Can be used to detect file upload or some
    #	  # types HTTP tunneling requests [fast]
    #	  # NOTE: This does NOT match the reply. You cannot use this
    #	  # to match the returned file type.
    #
    #	acl aclname req_header header-name [-i] any\.regex\.here
    #	  # regex match against any of the known request headers.  May be
    #	  # thought of as a superset of "browser", "referer" and "mime-type"
    #	  # ACL [fast]
    #
    #	acl aclname rep_mime_type [-i] mime-type ...
    #	  # regex match against the mime type of the reply received by
    #	  # squid. Can be used to detect file download or some
    #	  # types HTTP tunneling requests. [fast]
    #	  # NOTE: This has no effect in http_access rules. It only has
    #	  # effect in rules that affect the reply data stream such as
    #	  # http_reply_access.
    #
    #	acl aclname rep_header header-name [-i] any\.regex\.here
    #	  # regex match against any of the known reply headers. May be
    #	  # thought of as a superset of "browser", "referer" and "mime-type"
    #	  # ACLs [fast]
    #
    #	acl aclname external class_name [arguments...]
    #	  # external ACL lookup via a helper class defined by the
    #	  # external_acl_type directive [slow]
    #
    #	acl aclname user_cert attribute values...
    #	  # match against attributes in a user SSL certificate
    #	  # attribute is one of DN/C/O/CN/L/ST [fast]
    #
    #	acl aclname ca_cert attribute values...
    #	  # match against attributes a users issuing CA SSL certificate
    #	  # attribute is one of DN/C/O/CN/L/ST [fast]
    #
    #	acl aclname ext_user username ...
    #	acl aclname ext_user_regex [-i] pattern ...
    #	  # string match on username returned by external acl helper [slow]
    #	  # use REQUIRED to accept any non-null user name.
    #
    #	acl aclname tag tagvalue ...
    #	  # string match on tag returned by external acl helper [slow]
    #
    #	acl aclname hier_code codename ...
    #	  # string match against squid hierarchy code(s); [fast]
    #	  #  e.g., DIRECT, PARENT_HIT, NONE, etc.
    #	  #
    #	  # NOTE: This has no effect in http_access rules. It only has
    #	  # effect in rules that affect the reply data stream such as
    #	  # http_reply_access.
    #
    #
    #	Examples:
    #		acl macaddress arp 09:00:2b:23:45:67
    #		acl myexample dst_as 1241
    #		acl password proxy_auth REQUIRED
    #		acl fileupload req_mime_type -i ^multipart/form-data$
    #		acl javascript rep_mime_type -i ^application/x-javascript$
    #
    #Default:
    # ACLs all, manager, localhost, and to_localhost are predefined.
    #
    #
    # Recommended minimum configuration:
    #
    
    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    #acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
    #acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
    #acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
    #acl localnet src fc00::/7       # RFC 4193 local private network range
    #acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
    acl localnet src 192.168.0.0/16
    
    acl SSL_ports port 443
    acl Safe_ports port 80		# http
    acl Safe_ports port 21		# ftp
    acl Safe_ports port 443		# https
    acl Safe_ports port 70		# gopher
    acl Safe_ports port 210		# wais
    acl Safe_ports port 1025-65535	# unregistered ports
    acl Safe_ports port 280		# http-mgmt
    acl Safe_ports port 488		# gss-http
    acl Safe_ports port 591		# filemaker
    acl Safe_ports port 777		# multiling http
    acl CONNECT method CONNECT
    
    #  TAG: follow_x_forwarded_for
    #	Allowing or Denying the X-Forwarded-For header to be followed to
    #	find the original source of a request.
    #
    #	Requests may pass through a chain of several other proxies
    #	before reaching us.  The X-Forwarded-For header will contain a
    #	comma-separated list of the IP addresses in the chain, with the
    #	rightmost address being the most recent.
    #
    #	If a request reaches us from a source that is allowed by this
    #	configuration item, then we consult the X-Forwarded-For header
    #	to see where that host received the request from.  If the
    #	X-Forwarded-For header contains multiple addresses, we continue
    #	backtracking until we reach an address for which we are not allowed
    #	to follow the X-Forwarded-For header, or until we reach the first
    #	address in the list. For the purpose of ACL used in the
    #	follow_x_forwarded_for directive the src ACL type always matches
    #	the address we are testing and srcdomain matches its rDNS.
    #
    #	The end result of this process is an IP address that we will
    #	refer to as the indirect client address.  This address may
    #	be treated as the client address for access control, ICAP, delay
    #	pools and logging, depending on the acl_uses_indirect_client,
    #	icap_uses_indirect_client, delay_pool_uses_indirect_client, 
    #	log_uses_indirect_client and tproxy_uses_indirect_client options.
    #
    #	This clause only supports fast acl types.
    #	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
    #
    #	SECURITY CONSIDERATIONS:
    #
    #		Any host for which we follow the X-Forwarded-For header
    #		can place incorrect information in the header, and Squid
    #		will use the incorrect information as if it were the
    #		source address of the request.  This may enable remote
    #		hosts to bypass any access control restrictions that are
    #		based on the client's source addresses.
    #
    #	For example:
    #
    #		acl localhost src 127.0.0.1
    #		acl my_other_proxy srcdomain .proxy.example.com
    #		follow_x_forwarded_for allow localhost
    #		follow_x_forwarded_for allow my_other_proxy
    #Default:
    # X-Forwarded-For header will be ignored.
    
    #  TAG: acl_uses_indirect_client	on|off
    #	Controls whether the indirect client address
    #	(see follow_x_forwarded_for) is used instead of the
    #	direct client address in acl matching.
    #
    #	NOTE: maxconn ACL considers direct TCP links and indirect
    #	      clients will always have zero. So no match.
    #Default:
    # acl_uses_indirect_client on
    
    #  TAG: delay_pool_uses_indirect_client	on|off
    #	Controls whether the indirect client address
    #	(see follow_x_forwarded_for) is used instead of the
    #	direct client address in delay pools.
    #Default:
    # delay_pool_uses_indirect_client on
    
    #  TAG: log_uses_indirect_client	on|off
    #	Controls whether the indirect client address
    #	(see follow_x_forwarded_for) is used instead of the
    #	direct client address in the access log.
    #Default:
    # log_uses_indirect_client on
    
    #  TAG: tproxy_uses_indirect_client	on|off
    #	Controls whether the indirect client address
    #	(see follow_x_forwarded_for) is used instead of the
    #	direct client address when spoofing the outgoing client.
    #
    #	This has no effect on requests arriving in non-tproxy
    #	mode ports.
    #
    #	SECURITY WARNING: Usage of this option is dangerous
    #	and should not be used trivially. Correct configuration
    #	of follow_x_forewarded_for with a limited set of trusted
    #	sources is required to prevent abuse of your proxy.
    #Default:
    # tproxy_uses_indirect_client off
    
    #  TAG: http_access
    #	Allowing or Denying access based on defined access lists
    #
    #	Access to the HTTP port:
    #	http_access allow|deny [!]aclname ...
    #
    #	NOTE on default values:
    #
    #	If there are no "access" lines present, the default is to deny
    #	the request.
    #
    #	If none of the "access" lines cause a match, the default is the
    #	opposite of the last line in the list.  If the last line was
    #	deny, the default is allow.  Conversely, if the last line
    #	is allow, the default will be deny.  For these reasons, it is a
    #	good idea to have an "deny all" entry at the end of your access
    #	lists to avoid potential confusion.
    #
    #	This clause supports both fast and slow acl types.
    #	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
    #
    #Default:
    # Deny, unless rules exist in squid.conf.
    #
    
    #
    # Recommended minimum Access Permission configuration:
    #
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    
    # Only allow cachemgr access from localhost
    http_access allow localhost manager
    http_access deny manager
    
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost
    
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #
    
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    #http_access allow localnet
    http_access allow localhost
    http_access allow localnet
    
    # And finally deny all other access to this proxy
    http_access deny all
    
    #  TAG: adapted_http_access
    #	Allowing or Denying access based on defined access lists
    #
    #	Essentially identical to http_access, but runs after redirectors
    #	and ICAP/eCAP adaptation. Allowing access control based on their
    #	output.
    #
    #	If not set then only http_access is used.
    #Default:
    # Allow, unless rules exist in squid.conf.
    
    #  TAG: http_reply_access
    #	Allow replies to client requests. This is complementary to http_access.
    #
    #	http_reply_access allow|deny [!] aclname ...
    #
    #	NOTE: if there are no access lines present, the default is to allow
    #	all replies.
    #
    #	If none of the access lines cause a match the opposite of the
    #	last line will apply. Thus it is good practice to end the rules
    #	with an "allow all" or "deny all" entry.
    #
    #	This clause supports both fast and slow acl types.
    #	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
    #Default:
    # Allow, unless rules exist in squid.conf.
    
    #  TAG: icp_access
    #	Allowing or Denying access to the ICP port based on defined
    #	access lists
    #
    #	icp_access  allow|deny [!]aclname ...
    #
    #	NOTE: The default if no icp_access lines are present is to
    #	deny all traffic. This default may cause problems with peers
    #	using ICP.
    #
    #	This clause only supports fast acl types.
    #	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
    #
    ## Allow ICP queries from local networks only
    ##icp_access allow localnet
    ##icp_access deny all
    #Default:
    # Deny, unless rules exist in squid.conf.
    
    #  TAG: htcp_access
    #	Allowing or Denying access to the HTCP port based on defined
    #	access lists
    #
    #	htcp_access  allow|deny [!]aclname ...
    #
    #	See also htcp_clr_access for details on access control for
    #	cache purge (CLR) HTCP messages.
    #
    #	NOTE: The default if no htcp_access lines are present is to
    #	deny all traffic. This default may cause problems with peers
    #	using the htcp option.
    #
    #	This clause only supports fast acl types.
    #	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
    #
    ## Allow HTCP queries from local networks only
    ##htcp_access allow localnet
    ##htcp_access deny all
    #Default:
    # Deny, unless rules exist in squid.conf.
    
    #  TAG: htcp_clr_access
    #	Allowing or Denying access to purge content using HTCP based
    #	on defined access lists.
    #	See htcp_access for details on general HTCP access control.
    #
    #	htcp_clr_access  allow|deny [!]aclname ...
    #
    #	This clause only supports fast acl types.
    #	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
    #
    ## Allow HTCP CLR requests from trusted peers
    #acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
    #htcp_clr_access allow htcp_clr_peer
    #htcp_clr_access deny all
    #Default:
    # Deny, unless rules exist in squid.conf.
    
    #  TAG: miss_access
    #	Determins whether network access is permitted when satisfying a request.
    #
    #	For example;
    #	    to force your neighbors to use you as a sibling instead of
    #	    a parent.
    #
    #		acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
    #		miss_access deny  !localclients
    #		miss_access allow all
    #
    #	This means only your local clients are allowed to fetch relayed/MISS
    #	replies from the network and all other clients can only fetch cached
    #	objects (HITs).
    #
    #	The default for this setting allows all clients who passed the
    #	http_access rules to relay via this proxy.
    #
    #	This clause only supports fast acl types.
    #	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
    #Default:
    # Allow, unless rules exist in squid.conf.
    
    #  TAG: ident_lookup_access
    #	A list of ACL elements which, if matched, cause an ident
    #	(RFC 931) lookup to be performed for this request.  For
    #	example, you might choose to always perform ident lookups
    #	for your main multi-user Unix boxes, but not for your Macs
    #	and PCs.  By default, ident lookups are not performed for
    #	any requests.
    #
    #	To enable ident lookups for specific client addresses, you
    #	can follow this example:
    #
    #	acl ident_aware_hosts src 198.168.1.0/24
    #	ident_lookup_access allow ident_aware_hosts
    #	ident_lookup_access deny all
    #
    #	Only src type ACL checks are fully supported.  A srcdomain
    #	ACL might work at times, but it will not always provide
    #	the correct result.
    #
    #	This clause only supports fast acl types.
    #	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
    #Default:
    # Unless rules exist in squid.conf, IDENT is not fetched.
    
    #  TAG: reply_body_max_size	size [acl acl...]
    #	This option specifies the maximum size of a reply body. It can be
    #	used to prevent users from downloading very large files, such as
    #	MP3's and movies. When the reply headers are received, the
    #	reply_body_max_size lines are processed, and the first line where
    #	all (if any) listed ACLs are true is used as the maximum body size
    #	for this reply.
    #
    #	This size is checked twice. First when we get the reply headers,
    #	we check the content-length value.  If the content length value exists
    #	and is larger than the allowed size, the request is denied and the
    #	user receives an error message that says "the request or reply
    #	is too large." If there is no content-length, and the reply
    #	size exceeds this limit, the client's connection is just closed
    #	and they will receive a partial reply.
    #
    #	WARNING: downstream caches probably can not detect a partial reply
    #	if there is no content-length header, so they will cache
    #	partial responses and give them out as hits.  You should NOT
    #	use this option if you have downstream caches.
    #
    #	WARNING: A maximum size smaller than the size of squid's error messages
    #	will cause an infinite loop and crash squid. Ensure that the smallest
    #	non-zero value you use is greater that the maximum header size plus
    #	the size of your largest error page.
    #
    #	If you set this parameter none (the default), there will be
    #	no limit imposed.
    #
    #	Configuration Format is:
    #		reply_body_max_size SIZE UNITS [acl ...]
    #	ie.
    #		reply_body_max_size 10 MB
    #
    #Default:
    # No limit is applied.
    
    # NETWORK OPTIONS
    # -----------------------------------------------------------------------------
    
    #  TAG: http_port
    #	Usage:	port [mode] [options]
    #		hostname:port [mode] [options]
    #		1.2.3.4:port [mode] [options]
    #
    #	The socket addresses where Squid will listen for HTTP client
    #	requests.  You may specify multiple socket addresses.
    #	There are three forms: port alone, hostname with port, and
    #	IP address with port.  If you specify a hostname or IP
    #	address, Squid binds the socket to that specific
    #	address. Most likely, you do not need to bind to a specific
    #	address, so you can use the port number alone.
    #
    #	If you are running Squid in accelerator mode, you
    #	probably want to listen on port 80 also, or instead.
    #
    #	The -a command line option may be used to specify additional
    #	port(s) where Squid listens for proxy request. Such ports will
    #	be plain proxy ports with no options.
    #
    #	You may specify multiple socket addresses on multiple lines.
    #
    #	Modes:
    #
    #	   intercept	Support for IP-Layer interception of
    #			outgoing requests without browser settings.
    #			NP: disables authentication and IPv6 on the port.
    #
    #	   tproxy	Support Linux TPROXY for spoofing outgoing
    #			connections using the client IP address.
    #			NP: disables authentication and maybe IPv6 on the port.
    #
    #	   accel	Accelerator / reverse proxy mode
    #
    #	   ssl-bump	For each CONNECT request allowed by ssl_bump ACLs,
    #			establish secure connection with the client and with
    #			the server, decrypt HTTPS messages as they pass through
    #			Squid, and treat them as unencrypted HTTP messages,
    #			becoming the man-in-the-middle.
    #
    #			The ssl_bump option is required to fully enable
    #			bumping of CONNECT requests.
    #
    #	Omitting the mode flag causes default forward proxy mode to be used.
    #
    #
    #	Accelerator Mode Options:
    #
    #	   defaultsite=domainname
    #			What to use for the Host: header if it is not present
    #			in a request. Determines what site (not origin server)
    #			accelerators should consider the default.
    #
    #	   no-vhost	Disable using HTTP/1.1 Host header for virtual domain support.
    #
    #	   protocol=	Protocol to reconstruct accelerated requests with.
    #			Defaults to http for http_port and https for
    #			https_port
    #
    #	   vport	Virtual host port support. Using the http_port number
    #			instead of the port passed on Host: headers.
    #
    #	   vport=NN	Virtual host port support. Using the specified port
    #			number instead of the port passed on Host: headers.
    #
    #	   act-as-origin
    #			Act as if this Squid is the origin server.
    #			This currently means generate new Date: and Expires:
    #			headers on HIT instead of adding Age:.
    #
    #	   ignore-cc	Ignore request Cache-Control headers.
    #
    #			WARNING: This option violates HTTP specifications if
    #			used in non-accelerator setups.
    #
    #	   allow-direct	Allow direct forwarding in accelerator mode. Normally
    #			accelerated requests are denied direct forwarding as if
    #			never_direct was used.
    #
    #			WARNING: this option opens accelerator mode to security
    #			vulnerabilities usually only affecting in interception
    #			mode. Make sure to protect forwarding with suitable
    #			http_access rules when using this.
    #
    #
    #	SSL Bump Mode Options:
    #	    In addition to these options ssl-bump requires TLS/SSL options.
    #
    #	   generate-host-certificates[=<on|off>]
    #			Dynamically create SSL server certificates for the
    #			destination hosts of bumped CONNECT requests.When 
    #			enabled, the cert and key options are used to sign
    #			generated certificates. Otherwise generated
    #			certificate will be selfsigned.
    #			If there is a CA certificate lifetime of the generated 
    #			certificate equals lifetime of the CA certificate. If
    #			generated certificate is selfsigned lifetime is three 
    #			years.
    #			This option is enabled by default when ssl-bump is used.
    #			See the ssl-bump option above for more information.
    #			
    #	   dynamic_cert_mem_cache_size=SIZE
    #			Approximate total RAM size spent on cached generated
    #			certificates. If set to zero, caching is disabled. The
    #			default value is 4MB.
    #
    #	TLS / SSL Options:
    #
    #	   cert=	Path to SSL certificate (PEM format).
    #
    #	   key=		Path to SSL private key file (PEM format)
    #			if not specified, the certificate file is
    #			assumed to be a combined certificate and
    #			key file.
    #
    #	   version=	The version of SSL/TLS supported
    #			    1	automatic (default)
    #			    2	SSLv2 only
    #			    3	SSLv3 only
    #			    4	TLSv1.0 only
    #			    5	TLSv1.1 only
    #			    6	TLSv1.2 only
    #
    #	   cipher=	Colon separated list of supported ciphers.
    #			NOTE: some ciphers such as EDH ciphers depend on
    #			      additional settings. If those settings are
    #			      omitted the ciphers may be silently ignored
    #			      by the OpenSSL library.
    #
    #	   options=	Various SSL implementation options. The most important
    #			being:
    #			    NO_SSLv2    Disallow the use of SSLv2
    #			    NO_SSLv3    Disallow the use of SSLv3
    #			    NO_TLSv1    Disallow the use of TLSv1.0
    #			    NO_TLSv1_1  Disallow the use of TLSv1.1
    #			    NO_TLSv1_2  Disallow the use of TLSv1.2
    #			    SINGLE_DH_USE Always create a new key when using
    #				      temporary/ephemeral DH key exchanges
    #			    ALL       Enable various bug workarounds
    #				      suggested as "harmless" by OpenSSL
    #				      Be warned that this reduces SSL/TLS
    #				      strength to some attacks.
    #			See OpenSSL SSL_CTX_set_options documentation for a
    #			complete list of options.
    #
    #	   clientca=	File containing the list of CAs to use when
    #			requesting a client certificate.
    #
    #	   cafile=	File containing additional CA certificates to
    #			use when verifying client certificates. If unset
    #			clientca will be used.
    #
    #	   capath=	Directory containing additional CA certificates
    #			and CRL lists to use when verifying client certificates.
    #
    #	   crlfile=	File of additional CRL lists to use when verifying
    #			the client certificate, in addition to CRLs stored in
    #			the capath. Implies VERIFY_CRL flag below.
    #
    #	   dhparams=	File containing DH parameters for temporary/ephemeral
    #			DH key exchanges. See OpenSSL documentation for details
    #			on how to create this file.
    #			WARNING: EDH ciphers will be silently disabled if this
    #				 option is not set.
    #
    #	   sslflags=	Various flags modifying the use of SSL:
    #			    DELAYED_AUTH
    #				Don't request client certificates
    #				immediately, but wait until acl processing
    #				requires a certificate (not yet implemented).
    #			    NO_DEFAULT_CA
    #				Don't use the default CA lists built in
    #				to OpenSSL.
    #			    NO_SESSION_REUSE
    #				Don't allow for session reuse. Each connection
    #				will result in a new SSL session.
    #			    VERIFY_CRL
    #				Verify CRL lists when accepting client
    #				certificates.
    #			    VERIFY_CRL_ALL
    #				Verify CRL lists for all certificates in the
    #				client certificate chain.
    #
    #	   sslcontext=	SSL session ID context identifier.
    #
    #	Other Options:
    #
    #	   connection-auth[=on|off]
    #	                use connection-auth=off to tell Squid to prevent 
    #	                forwarding Microsoft connection oriented authentication
    #			(NTLM, Negotiate and Kerberos)
    #
    #	   disable-pmtu-discovery=
    #			Control Path-MTU discovery usage:
    #			    off		lets OS decide on what to do (default).
    #			    transparent	disable PMTU discovery when transparent
    #					support is enabled.
    #			    always	disable always PMTU discovery.
    #
    #			In many setups of transparently intercepting proxies
    #			Path-MTU discovery can not work on traffic towards the
    #			clients. This is the case when the intercepting device
    #			does not fully track connections and fails to forward
    #			ICMP must fragment messages to the cache server. If you
    #			have such setup and experience that certai
    ![Capture.PNG_thumb](/public/_imported_attachments_/1/Capture.PNG_thumb)
    ![Capture.PNG](/public/_imported_attachments_/1/Capture.PNG)[/h1]</on|off></number></number></uncomment></uncomment></uncomment></uncomment></integer></integer></condition>
    


  • Frankly I didn't read the long attachment  :-[ (squid.cof etc)
    Just looking at your basic explanation, everything is pretty obvious, for the same reason that, regardless of proxy location (from network standpoint), transparent proxy can't handle HTTPS unless you configure MITM which is, IMHO, something very bad, on the principle  :-X

    What would be, still IMHO, better as an approach is to understand what you exactly mean when stating "[i]…I want all http traffic from a specific alias forwarded through the external squid proxy without any configuration on the client side..."

    If goal is to avoid manual proxy configuration because you have plenty of client and such configuration generates administration overhead, then technical answer to this is WPAD.
    If goal is to silently intercept HTTP(S) flow, then this is another story and I'm afraid that MITM is the only solution  >:(



  • @chris4916:

    transparent proxy can't handle HTTPS

    At the moment, I'm not trying to do anything with HTTPS.

    What would be, still IMHO, better as an approach is to understand what you exactly mean when stating "…I want all http traffic from a specific alias forwarded through the external squid proxy without any configuration on the client side..."

    Instead of forwarding all LAN traffic through the proxy, an inverse rule will be used to only forward http from IPs that aren't within the alias. This is merely a matter of changing the source on the NAT rule and isn't related to my problem.

    If goal is to avoid manual proxy configuration because you have plenty of client and such configuration generates administration overhead, then technical answer to this is WPAD.

    I'll look into this, but I hope it's not necessary.

    If goal is to silently intercept HTTP(S) flow, then this is another story and I'm afraid that MITM is the only solution  >:(

    Another option I considered was setting the default gateway given out to the LAN to the Squid proxy and then manually assigning the gateway to my pfSense box on all trusted IPs, but this seemed like an unnecessarily complex approach if it's possible to simply route http from untrusted IPs through the Squid proxy. Really, all of this is being configured to perform traffic manipulation like upside-down-ter-net on guests before I add them to the trusted IP list.  I figured it's a fun way to learn a little more about using pfsense, squid, apache, and linux as well as learning how to properly apply general networking concepts.



  • @Sea:

    If I set the proxy to non-transparent and manually enter the proxy in the browser, it works.  If I set the proxy to non-transparent mode and use the NAT rule to forward http to squid port on the proxy, http requests return Invalid URL. If I try to use transparent mode and have NAT forward to port 80 I get 'Access denied'.

    What is not clear to me is that when using explicit proxy (meaning non-transparent) you shouldn't need any NAT isn't it?
    Your client (e.g.) browser is on 192.168.0.0/24 network, sends request to proxy on 192.168.1.0/24 network through pfSense, proxy retrieves URL and sends back to browser. That's pretty straightforward unless there is something I miss.

    You should perhaps clarify what you mean with "If I set the proxy to non-transparent mode and use the NAT" because this has 2 aspects:

    • Squid configuration (is your proxy configured to work as explicit or transparent proxy?)
    • browser configuration (have you configured your browser to rely on proxy or not?)

    If you intend to use explicit proxy, it has to be done on each side accordingly. Setting proxy as explicit only on one side and redirecting request to it (e.g. if nothing is done client side) will not work because browser will not expect dialogue with proxy.

    To me, you can only explore 2 different paths:

    • explicit proxy on each side
    • transparent proxy one each side

    Anything else is going to fail (as far as I understand)

    Now that I understand better your goal (I hope), what you intend to do is to implement transparent proxy with:

    • proxy not running on pfSense itself
    • redirection triggered for only some specific source IPs

    Did you look at this already?



  • @chris4916:

    If you intend to use explicit proxy, it has to be done on each side accordingly. Setting proxy as explicit only on one side and redirecting request to it (e.g. if nothing is done client side) will not work because browser will not expect dialogue with proxy.

    I suspected this might be the case. I want it to be transparent.

    Now that I understand better your goal (I hope), what you intend to do is to implement transparent proxy with:

    • proxy not running on pfSense itself
    • redirection triggered for only some specific source IPs

    Did you look at this already?

    I did look at that page, but it addresses iptables running on a different machine than squid. I guess what I need to know is if there is some special handling of the traffic that needs to happen directly on the pfsense box beyond simply forwarding the traffic, or should I just apply those same iptables rules directly on my squid box?



  • It addresses iptables running on default gateway (pfSense in your set-up) and potentially on Squid machine too (case #2)

    Basically, what I understand from this howto is that you have 2 ways to achieve this:

    • one with iptables rules on default gateway only but with potentially some side effect
    • one with rules on default gateway AND Squid server

    What it doesn't cover that is, BTW, specific to your request is customization required to apply routing to only some source IPs.



  • Thank you so much for your help. It seems that the simplest solution for me would be to put my wireless access point and squid proxy on their own subnet with squid set as the default gateway for OPT1. This will still have the drawback that even my trusted wireless devices are routed through squid, but I think it's the best I can do for now. Would you agree that a wireless access point that supports multiple SSIDs and VLANs be the best solution for this type of configuration?



  • I would say yes but have to admit that I don't understand the need for proxy only for "untrusted" devices  :-[
    If goal is to bring antivirus control, which is something I do support, I would do it for all devices  ;)

    EDIT: BTW, I never did it (mainly because I'm not very prone to deploy any transparent proxy) but I remember I read long time ago document describing how to deploy Squid as both explicit and transparent proxy. You should be able to find it easily, in case it helps to solve your problem.



  • @chris4916:

    I would say yes but have to admit that I don't understand the need for proxy only for "untrusted" devices  :-[
    If goal is to bring antivirus control, which is something I do support, I would do it for all devices  ;)
    [/quote]

    This is my home network. This is all just for pranking guests with MITM perl scripts before allowing them to connect directly through the real gateway. "Untrusted" in this case just means they haven't been given the ability to do that yet. I am interested in antivirus, but the last couple times I've tried HAVP, I've had problems.



  • I figured this out (or so I think)…

    1. Set up squid (adapted from http://www.squid-cache.org/Doc/config/http_port/)

    Edit squid.conf

    • modify the http_port direct to include accel and allow-direct.

    2. Add a port forward / destination nat rule (adapted from https://forum.pfsense.org/index.php?topic=39736.0)

    GUI -> NAT -> Port Forward tab > Add rule
    Interface: LAN
    Protocol: TCP
    Source: NOT <ip of="" squid="" box="">Source port range: any
    Destination: up to you
    Destination port range: from HTTP to HTTP
    Redirect target IP: <ip of="" squid="" box="">Redirect target port: <squid 3128="" port="">3. Add an outbound / source nat rule (adapted from http://tldp.org/HOWTO/TransparentProxy-6.html#ss6.1)

    GUI -> NAT -> Outbound > add rule
    Interface: LAN
    Protocol: TCP
    Source: Network / your LAN Net  ie 192.168.1.0/24
    Destination: <ip of="" squid="" box="">Destination port: <squid 3128="" port="">Translation: Interface address

    No separate interface / subnet for the squid box required.</squid></ip></squid></ip></ip>


Log in to reply