[strongSwan] Connect strongSwan and Squid on same server

Moataz Elmasry moataz.elmasry2 at gmail.com
Thu Jan 19 11:41:10 CET 2017

Hi Varun,

No this is a misunderstanding, the link you show states that the error 
is a 400 error:invalid-request, while you are getting a 403 TCP_DENIED, 
which means that the traffic passed through strongswan, redirected to 
3128 unmangled with, that Squid was successfully able to read it and 
deny it.
The squid conf you showed has a couple of issues, in squid define 
everything you need explicitly instead of "allow all" for better 
reading, also in nowhere did you enable the intercept mode.Here's a 
minimum example that hopefully will work:

acl localnet src    # RFC1918 possible internal network
acl localnet src    # RFC1918 possible internal network
acl localnet src    # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 443        # https
#acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
#acl Safe_ports port 280        # http-mgmt
#acl Safe_ports port 488        # gss-http
#acl Safe_ports port 591        # filemaker
#acl Safe_ports port 777        # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow all

http_port 3127
http_port 3128 intercept

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

Hope this helps.

P.s. @admins Please don't shoot me for sharing a squid example on 

More information about the Users mailing list