Precautions for using Linux transparent proxy

Source: Internet
Author: User
For reasons of our own we need to keep a record of web access, so Squid is used to record access logs for port 80 traffic as a transparent proxy; Squid's cache is a side benefit.

First, a few notes on building and running Squid; details such as the ulimit setting are omitted here.
Modify the startup script so that the ulimit parameter is set before Squid starts, since the open-file limit caps the number of concurrent connections Squid can handle.

Modify the squid.conf file:
========================================================== ===
--- Squid. conf. default 08:43:48. 000000000 + 0800
++ Squid. conf 18:09:49. 000000000 + 0800
@-51,6 + 51,7 @@
# You cannot only listen for 127.0.0.1: 3128
# Default:
# Http_port 3128
+ Http_port 3128

# TAG: https_port
# Usage: [ip:] port cert = certificate. pem [key = key. pem] [options...]
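Review bot: `+ Http_port 3128` gives no address, so Squid listens on 3128 on every interface, not only the internal one that the iptables REDIRECT rule feeds. The INPUT rule at the end of the page accepts 3128 only from 10.0.0.0/8 on eth1, but whether other interfaces are actually closed depends on the INPUT chain's default policy, which the page does not show. Binding to the internal interface address (`http_port <internal-ip>:3128`, the address REDIRECT delivers to) makes the exposure independent of the firewall.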
@-107,6 + 108,7 @@
#
# Default:
# Icp_port 3130
+ Icp_port 0

# TAG: htcp_port
# Note: This option is only available if Squid is rebuilt with
@-479,6 + 481,7 @@
#
# Default:
# Cache_mem 8 MB
+ Cache_mem 128 MB

# TAG: cache_swap_low (percent, 0-100)
# TAG: cache_swap_high (percent, 0-100)
@-529,6 + 532,7 @@
#
# Default:
# Maximum_object_size_in_memory 8 KB
+ Maximum_object_size_in_memory 20 KB

# TAG: ipcache_size (number of entries)
# TAG: ipcache_low (percent)
@-693,7 + 697,7 @@
# (Hard coded at 1 MB ).
#
# Default:
-# Cache_dir ufs/var/spool/squid 100 16 256
+ Cache_dir ufs/var/spool/squid 256 16 256

# TAG: cache_access_log
# Logs the client request activity. Contains an entry
@-709,6 + 713,7 @@
#
# Default:
# Cache_log/var/log/squid/cache. log
+ Cache_log/dev/null

# TAG: cache_store_log
# Logs the activities of the storage manager. Shows which
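Review bot: `+ Cache_log/dev/null` throws away Squid's own diagnostics. cache.log is where startup errors, configuration warnings and runtime failures are written, and it is separate from access.log, so disabling it gains nothing for the stated goal of recording web access while removing the one log needed when the proxy misbehaves. Keep the default path and rotate it instead.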
@-719,6 + 724,7 @@
#
# Default:
# Cache_store_log/var/log/squid/store. log
+ Cache_store_log none

# TAG: cache_swap_log
# Location for the cache "swap. state" file. This log file holds
@-856,6 + 862,7 @@
#
# Default:
# Ftp_user Squid @
+ Ftp_user user@test.com

# TAG: ftp_list_width
# Sets the width of ftp listings. This shoshould be set to fit in
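Review bot: `+ Ftp_user user@test.com` is sent in the clear as the anonymous-FTP password to every FTP site Squid fetches from. Use a generic address in a domain you control, or a reserved name such as example.com, rather than something that looks like a real mailbox.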
@-1942,8 + 1949,8 @@
# Example rule allowing access from your local networks. Adapt
# To list your (internal) IP networks from where browsing shold
# Be allowed
-# Acl our_networks src 192.168.1.0/24 192.168.2.0/24
-# Http_access allow our_networks
+ Acl our_networks src 10.0.0.0/8
+ Http_access allow our_networks

# And finally deny all other access to this proxy
Http_access allow localhost
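Review bot: the hunk adds `Acl our_networks src 10.0.0.0/8` and `Http_access allow our_networks`, but under the context line "And finally deny all other access to this proxy" only `Http_access allow localhost` is visible; the `http_access deny all` that must close the list is not in the hunk. Squid evaluates http_access first-match, so confirm that `deny all` is still present and last, otherwise any address that can reach port 3128 is accepted. Also check that 10.0.0.0/8 is no wider than the real internal range; the whole /8 is a very broad allow.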
@-2290,6 + 2297,8 @@
# Check the annotations. This is required.
# Default:
# Httpd_accel_port 80
+ Httpd_accel_host virtual
+ Httpd_accel_port 80

# TAG: httpd_accel_single_host on | off
# If you are running Squid as an accelerator and have a single backend
@-2308, 6 + 2317,7 @@
#
# Default:
# Httpd_accel_single_host off
+ Httpd_accel_single_host off

# TAG: httpd_accel_with_proxy on | off
# If you want to use Squid as both a local httpd accelerator
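Review bot: `+ Httpd_accel_single_host off` repeats the default shown in the comment directly above it, so the line is a no-op and only adds noise to the diff. Either drop it or leave a comment saying it is set explicitly on purpose.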
@-2319,6 + 2329,7 @@
#
# Default:
# Httpd_accel_with_proxy off
+ Httpd_accel_with_proxy off

# TAG: httpd_accel_uses_host_header on | off
# HTTP/1.1 requests include a Host: header which is basically
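Review bot: `+ Httpd_accel_with_proxy off` also matches the default, so this hunk changes nothing, but the setting deserves a comment: with it off Squid serves only accelerated (intercepted) requests and refuses ordinary proxy requests, including CONNECT. That is consistent with the iptables rules, which redirect only TCP port 80, but anyone expecting HTTPS or explicitly configured browsers to work through this box should be told they will not.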
@-2339,6 + 2350,7 @@
# This must also be enabled.
# Default:
# Httpd_accel_uses_host_header off
+ Httpd_accel_uses_host_header on

# TAG: httpd_accel_no_pmtu_disc on | off
# In each setups of transparently intercepting proxies Path-MTU
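Review bot: `+ Httpd_accel_uses_host_header on` together with `httpd_accel_host virtual` means both the origin server Squid connects to and the key it caches under come from the Host header the client sends. Squid is trusting the client for that choice, so the firewall's interception rules become part of the security boundary: if requests can reach port 3128 other than through the REDIRECT rule, a client can make Squid fetch and cache one site's content under another site's name. The hunk's comment ("This must also be enabled") is right for transparent mode, but it should be paired with a note on restricting access to 3128.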
@-2491,6 + 2503,7 @@
# To prevent some websites from being accessed by some users using proxies, disable
# Default:
# Forwarded_for on
+ Forwarded_for off

# TAG: log_icp_queries on | off
# If set, ICP queries are logged to access. log. You may wish
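Review bot: `+ Forwarded_for off` hides client addresses from origin servers, as the comment above intends; the consequence is that Squid's access.log becomes the only record tying a request to a client. The patch disables cache_log and cache_store_log but never shows the access_log directive, so its path, rotation and retention should be reviewed in the same change to make sure the one log this setup exists for is actually kept.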
========================================================== ======================================

Iptables configuration:

iptables -t nat -A PREROUTING -s 10.0.0.0/8 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -A INPUT -s 10.0.0.0/8 -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT

Note the INPUT rule: after REDIRECT rewrites the destination, the packets are delivered to local port 3128 and pass through the INPUT chain, so INPUT must accept them from the internal network or the proxy will never see the traffic.
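As an added example (not part of the original article), a small Python audit of the squid.conf directives from the patch above, checking the exposure points that matter once port 80 is redirected into Squid: http_access ordering, http_port binding, cache_log, the Host-header dependency and ICP. The sample configuration is constructed from the patch's own directives; the check names and messages are this example's, not Squid's.

```python
"""Audit squid.conf directives for the transparent-proxy exposure points discussed above."""

# Constructed sample built from the directives in the patch above, not a real server's file.
SAMPLE_CONF = """\
http_port 3128
icp_port 0
cache_log /dev/null
acl our_networks src 10.0.0.0/8
http_access allow our_networks
http_access allow localhost
http_access deny all
httpd_accel_host virtual
httpd_accel_uses_host_header on
"""

def parse_conf(text):
    """Return {directive: [argument lists in file order]}, ignoring comments and blank lines."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives.setdefault(name.lower(), []).append(args)
    return directives

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_conf(text)
    findings = []
    # http_access is first-match: unless the list ends in "deny all", anyone reaching 3128 is allowed.
    if d.get("http_access", [[]])[-1] != ["deny", "all"]:
        findings.append("http_access does not end with 'deny all'")
    # "http_port 3128" with no address listens on every interface, not only the intercepted one.
    for args in d.get("http_port", []):
        if args and ":" not in args[0]:
            findings.append(f"http_port {args[0]} is bound to all interfaces")
    # Squid's own errors and warnings go to cache_log; /dev/null throws them away.
    if ["/dev/null"] in d.get("cache_log", []):
        findings.append("cache_log /dev/null discards Squid error output")
    # With httpd_accel_host virtual and uses_host_header on, the client's Host header picks the origin.
    if (d.get("httpd_accel_host", [[]])[-1] == ["virtual"]
            and d.get("httpd_accel_uses_host_header", [[]])[-1] == ["on"]):
        findings.append("Host header selects the origin; firewall interception rules are mandatory")
    # ICP on UDP 3130 is an extra service a standalone proxy does not need.
    if d.get("icp_port", [["3130"]])[-1] != ["0"]:
        findings.append("icp_port is not 0")
    return findings
```

`audit(SAMPLE_CONF)` returns three findings for the configuration above: the all-interfaces http_port, the discarded cache_log, and the Host-header dependency; the http_access ordering and icp_port checks pass.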