44.13. Setting Up a Transparent Proxy

A transparent proxy is one that clients connect to without being aware of it, due to the use of firewall rules that redirect connections on port 80 to the proxy system. The advantage of this setup is that you do not have to manually configure all web clients to use the proxy. Instead, they will be connected to it without their knowledge. It also means that users cannot get around the cache and thus avoid its access control rules by not configuring it in their browsers.

Transparent proxying has some downsides, however. It is not possible to automatically capture FTP or HTTPS connections, or those to web sites on ports other than 80. It is also incompatible with proxy authentication, as clients cannot tell the difference between the proxy's request to log in and that of a website. Even though authentication may appear to work, it really does not.

Most networks have a router that connects an internal LAN to the Internet. For transparent proxying to work, this router must be configured to redirect outgoing packets on port 80 to the Squid proxy host and port instead. On a small network, the proxy can even be run on the same router host. The IPtables firewall that comes with Linux can perform both kinds of redirection using special DNAT (Destination Network Address Translation) rules in the nat table.
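The two layouts described above (Squid on the router itself, or on a separate host) can be sketched as follows. This is an added example, not taken from the book: the function name `tproxy_rules`, the interface `eth1`, the address `192.0.2.10` and port `3128` are assumed sample values. The function only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: prints (does not apply) nat-table rules that send LAN web
# traffic on port 80 to Squid. All names and addresses are assumed samples.

# tproxy_rules LAN_IF PROXY_PORT [PROXY_IP]
#   without PROXY_IP: Squid runs on the router itself (REDIRECT)
#   with PROXY_IP:    Squid runs on a separate host (DNAT)
tproxy_rules() {
    lan_if=$1
    port=$2
    proxy_ip=${3:-}

    # Reject anything that is not a plain interface name, port or IPv4
    # address, so the printed rules are safe to paste into a root shell.
    case $lan_if in
        ''|*[!A-Za-z0-9._-]*) echo "invalid interface: $lan_if" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case $proxy_ip in
        *[!0-9.]*) echo "invalid proxy address: $proxy_ip" >&2; return 1 ;;
    esac

    if [ -z "$proxy_ip" ]; then
        # Proxy on the router: rewrite the destination to a local port.
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
            "$lan_if" "$port"
    else
        # Proxy on another LAN host: exempt the proxy's own outgoing web
        # requests with "! -s", otherwise they would be looped back to it.
        printf 'iptables -t nat -A PREROUTING -i %s ! -s %s -p tcp --dport 80 -j DNAT --to-destination %s:%s\n' \
            "$lan_if" "$proxy_ip" "$proxy_ip" "$port"
    fi
}

# Constructed sample invocations for both layouts.
tproxy_rules eth1 3128
tproxy_rules eth1 3128 192.0.2.10
```

Only TCP port 80 arriving on the LAN interface is matched, so HTTPS, FTP and web sites on other ports pass through untouched, which is the limitation noted earlier.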

Because most of the work is actually done by the firewall rules that redirect outgoing packets, the instructions for setting up everything are in Chapter 19 “Firewall Configuration”, in Section 19.8 “Setting Up a Transparent Proxy”. They are, however, written for Linux users who have IPtables installed. If your router is running a different operating system (or is a dedicated router, such as one made by Cisco), the steps for creating firewall rules obviously will not apply. Those rules for the Squid Proxy Server module, however, are the same no matter what kind of firewall you are running.
