Created April 7, 2016 09:28
Transparent proxy with Squid and IPTables
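#!/usr/bin/env bash
# Rules for transparent proxying
#
# Creates a nat-table chain NO_PROXY whose listed destinations bypass the
# proxy, then redirects every other TCP/80 and TCP/443 connection entering the
# host (PREROUTING) to Squid's intercept listeners (http_port 3129 intercept,
# https_port 3130 intercept). Needs the privileges iptables requires.
#
# Packet flow per port: PREROUTING -> NO_PROXY. A hit on a bypass destination
# ends nat processing for that packet (ACCEPT), so it is never redirected;
# everything else RETURNs to PREROUTING and reaches the REDIRECT rule that
# follows the jump.
#
# Safe to re-run: the chain is flushed and rebuilt, and each PREROUTING rule is
# added only if an identical one is not already present (iptables -C), so
# duplicates do not accumulate.
set -euo pipefail

# Destinations (IP addresses or CIDRs) that must NOT be sent through the proxy.
# The values were lost from this listing (the original lines read "-d -j
# ACCEPT"); fill them in before use. The script refuses to run with an empty
# list rather than silently redirecting traffic that was meant to be exempt.
NO_PROXY_DESTS=(
  # "<bypass-destination-1>"   # placeholder — replace with a host or CIDR
)
readonly HTTP_INTERCEPT_PORT=3129
readonly HTTPS_INTERCEPT_PORT=3130

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Append a nat PREROUTING rule unless an identical rule already exists.
# Arguments: the rule specification (everything after "-A PREROUTING")
# Returns:   iptables' exit status
#######################################
add_prerouting() {
  iptables -t nat -C PREROUTING "$@" 2>/dev/null \
    || iptables -t nat -A PREROUTING "$@"
}

main() {
  local dest

  (( ${#NO_PROXY_DESTS[@]} > 0 )) \
    || die "NO_PROXY_DESTS is empty: add the bypass destinations first"

  # Create the bypass chain, or flush it when it already exists.
  iptables -t nat -N NO_PROXY 2>/dev/null || iptables -t nat -F NO_PROXY
  for dest in "${NO_PROXY_DESTS[@]}"; do
    iptables -t nat -A NO_PROXY -d "$dest" -j ACCEPT
  done
  iptables -t nat -A NO_PROXY -j RETURN

  # Order matters: the bypass jump must precede the REDIRECT for each port.
  add_prerouting -p tcp --dport 80 -j NO_PROXY
  add_prerouting -p tcp --dport 80 -j REDIRECT --to-ports "$HTTP_INTERCEPT_PORT"
  add_prerouting -p tcp --dport 443 -j NO_PROXY
  add_prerouting -p tcp --dport 443 -j REDIRECT --to-ports "$HTTPS_INTERCEPT_PORT"
}

main "$@"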
# --- squid.conf excerpt for the intercept listeners above ---
# TLS policy: "splice all" tunnels every HTTPS connection without decrypting
# it, so clients still validate the origin certificate end-to-end.
# NOTE(review): the two sslproxy_* lines below disable Squid's own validation
# of origin certificates (every certificate error is allowed, and
# DONT_VERIFY_PEER skips peer verification). With splice-only this is mostly
# inert, but if any bump action is added later the clients would trust a
# Squid-minted certificate for an origin Squid never checked. Leave these
# unset unless a specific, documented exception is needed.
ssl_bump splice all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
# Squid normally listens to port 3128
http_port 3128
# Intercept listeners targeted by the iptables REDIRECT rules (3129 for plain
# HTTP, 3130 for HTTPS). They receive traffic with the original destination
# preserved rather than explicit proxy requests.
http_port 3129 intercept
# The CA named by cert=/key= signs every certificate Squid generates for a
# bumped connection. ca.key should be readable only by the Squid user; anyone
# holding it can issue certificates that clients trusting this CA accept.
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/ca.crt key=/etc/squid/ssl/ca.key
# Helper process that mints those certificates: -s is its on-disk certificate
# database, -M the cache size cap for it.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Never contact origin servers directly: all requests go through the parent
# peer below. "<proxt=y>" and "<port>" are placeholders for the upstream
# proxy's hostname (the first looks like a garbled "<proxy>") and port.
never_direct allow all
cache_peer <proxt=y> parent <port> 0 no-query no-digest default