Use Squid to Proxy HTTP/S Outbound Traffic From One Host Through Another
I have two Linodes. Linode A is running Squid 3.5 and Linode B is a generic server.
I'd like to get things set up so that all of the OUTBOUND HTTP(S) traffic from Linode B goes through Linode A's Squid. This is my first time using Squid.
I believe I have Squid set up correctly but when I use iptables to redirect traffic from Linode B to Linode A, that traffic doesn't seem to use the proxy - I don't see anything in Squid's access.log so something is not correct.
I have Squid set up to handle HTTP on 3129 and HTTPS on 3130 and using netstat I can see it has bound to those ports. I set up the IP of Linode B in Squid as part of the localnet which is allowed to do HTTP.
Back on Linode B, I am using iptables as such to try to test this with HTTP:
iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to A.A.A.A:3129
The problem is that after adding this rule, my outbound HTTP traffic doesn't appear to be going through the proxy. It appears to be leaving as normal - I don't see anything in the Squid access logs but something like: curl http://www.bigsite.com still succeeds - I would have expected it to go through the proxy.
So I'm not sure if I've got something going wrong with Squid or my iptables routing. Right now it seems like the latter since it feels like nothing is happening / getting routed to Squid.
Any ideas? What am I doing wrong?
Hey @hunterhillegas. After doing a little digging around, it sounds like there could be a few factors that could affect this. I admittedly haven't tried to do this myself, but I found a few posts that hopefully help you narrow down the issue.
This tutorial from Diladele has a pretty in-depth overview of routing HTTP and HTTPS traffic to a proxy using iptables. If nothing else, it really does a nice job going over the different rule sets:
Here's a Stack Overflow article where a user was looking to direct traffic from multiple servers to a separate proxy server. Looks like they were able to do it with some pretty simple rules, and they were able to confirm it in their logs:
And saving the best for last, it sounds like this user was looking to do the same thing over a specific port. The fix here looked to be changing the chain from
OUTPUT and setting up the proxy server to transparent proxy mode:
Hope something in there works!
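
Added example, not part of either post: a check of `iptables-save -c -t nat` output for the symptom in the question, a DNAT rule in PREROUTING that never matches because packets generated on the host itself traverse the nat OUTPUT chain instead. The function name, the sample dump and the address 203.0.113.10 (standing in for A.A.A.A) are constructed for illustration; the check covers chain placement only, not how Squid handles the redirected connections.

```shell
#!/bin/sh
# Added example (not from the thread). Locally generated packets go through
# nat OUTPUT and never reach nat PREROUTING, so a PREROUTING DNAT rule
# cannot match a curl run on that same host.

# audit_nat_dump: read `iptables-save -c -t nat` text on stdin and report,
# for ports 80 and 443, whether a DNAT/REDIRECT rule can see local traffic.
# Returns 1 if a port is covered only by a PREROUTING rule with zero hits.
audit_nat_dump() {
    awk '
    /^\[[0-9]+:[0-9]+\] -A / {          # [pkts:bytes] -A CHAIN ... -j TARGET
        split(substr($1, 2), c, ":")
        chain = $3; target = ""; dport = ""
        for (i = 4; i < NF; i++) {
            if ($i == "-j")      target = $(i + 1)
            if ($i == "--dport") dport  = $(i + 1)
        }
        if (target != "DNAT" && target != "REDIRECT") next
        hits[chain SUBSEP dport] += c[1]
        seen[chain SUBSEP dport] = 1
    }
    END {
        bad = 0; n = split("80 443", port, " ")
        for (k = 1; k <= n; k++) {
            p = port[k]
            pre = (("PREROUTING" SUBSEP p) in seen)
            out = (("OUTPUT" SUBSEP p) in seen)
            if (out)
                printf "port %s: OUTPUT rule present, %d packets matched\n", p, hits["OUTPUT" SUBSEP p]
            else if (pre && hits["PREROUTING" SUBSEP p] == 0) {
                printf "port %s: PREROUTING rule has 0 hits and no OUTPUT rule; local traffic bypasses it\n", p
                bad = 1
            }
        }
        exit bad
    }'
}

# Constructed sample dump; $1 = chain holding the rule, $2 = its packet counter.
sample_dump() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [12:720]' ':OUTPUT ACCEPT [57:3912]' \
        "[$2:0] -A $1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 203.0.113.10:3129" \
        'COMMIT'
}

sample_dump PREROUTING 0 | audit_nat_dump || true   # rule as posted in the question
sample_dump OUTPUT 5 | audit_nat_dump               # same rule placed in OUTPUT
```

On a live host the input would come from `iptables-save -c -t nat | audit_nat_dump` run as root after a test request.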