
I'm working on a security project which requires a remotely-accessible transparent proxy. I have set up an Azure VM running Ubuntu 18.04 with squid running as a transparent proxy. I'm only concerned with routing external HTTP traffic through the proxy. The client that will connect to the proxy has a DNS server configured which spoofs all requests to the IP of the VM.

The issue with the configuration is that squid is not transparently proxying HTTP requests according to their Host header, and is instead trying to connect to their original destination IP address (i.e. back to itself). As a result, when accessing an HTTP website (using http://scratchpads.org as an example) on the client, the following error is observed:

The following error was encountered while trying to retrieve the URL: http://scratchpads.org/

    Connection to 10.0.1.4 failed

The system returned: (111) Connection refused

Where 10.0.1.4 is the internal IP of the VM.

The squid configuration is kept minimal for testing purposes:

    http_access allow all
    http_port 3129
    http_port 3128 intercept

The iptables configuration on the VM to forward external traffic through squid is as follows:

    sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

The squid access log when trying to access the website looks as follows:

    1614856056.293      0 [request source IP] TCP_MISS/503 4310 GET http://scratchpads.org/ - ORIGINAL_DST/10.0.1.4 text/html
    1614856056.619      0 [request source IP] TCP_MISS/503 4218 GET http://scratchpads.org/favicon.ico - ORIGINAL_DST/10.0.1.4 text/html

I've checked that DNS requests are resolved properly on the VM, and traffic originating from the machine does not get routed through squid (as desired), so there is no forwarding loop. There are also no errors in the squid startup logs, cache logs, or access logs. I've also tried various squid ACLs, and iptables configurations (setting up DNAT and masquerading rules) to no effect.

Does anyone know how I can get the HTTP requests to be proxied to their original destination according to their Host header, and not back to the IP of the transparent proxy?

cteniform

1 Answer


Turns out this is not possible using squid for some good reasons. I solved the issue by setting up Privoxy in "intercepting" mode, which did exactly what I needed.

cteniform
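
An added example, not part of the original question or answer: a check over squid's native access log for the failure shown in the question, where an intercepted request is forwarded to ORIGINAL_DST and that address is the proxy's own IP. The sample lines, the client and upstream addresses, and the names PROXY_ADDRS and self_directed_intercepts are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Assumption: addresses owned by the proxy host (10.0.1.4 is the VM's
# internal IP in the question).
PROXY_ADDRS = {"10.0.1.4"}

# Constructed sample log. The first two lines mirror the question's log with a
# documentation-range client address; the last two are healthy requests.
SAMPLE_LOG = """\
1614856056.293      0 203.0.113.7 TCP_MISS/503 4310 GET http://scratchpads.org/ - ORIGINAL_DST/10.0.1.4 text/html
1614856056.619      0 203.0.113.7 TCP_MISS/503 4218 GET http://scratchpads.org/favicon.ico - ORIGINAL_DST/10.0.1.4 text/html
1614856060.101    182 203.0.113.7 TCP_MISS/200 5120 GET http://example.com/ - ORIGINAL_DST/198.51.100.20 text/html
1614856061.400     95 10.0.1.9 TCP_MISS/200 2048 GET http://example.org/ - HIER_DIRECT/198.51.100.20 text/html
"""


def self_directed_intercepts(log_text, proxy_addrs):
    """Count requests squid sent to ORIGINAL_DST where that peer is the proxy itself.

    Returns a Counter keyed by (client, requested host, peer address).
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a native-format line, skip it
        if m["hier"] == "ORIGINAL_DST" and m["peer"] in proxy_addrs:
            host = urlsplit(m["url"]).hostname or m["url"]
            hits[(m["client"], host, m["peer"])] += 1
    return hits


if __name__ == "__main__":
    for (client, host, peer), n in self_directed_intercepts(SAMPLE_LOG, PROXY_ADDRS).items():
        print(f"{n} request(s) from {client} for {host} were sent back to the proxy at {peer}")
```
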