Transparent Squid Proxy with SRX

This post shows a simple destination NAT rule with which you can redirect your clients’ HTTP requests to a transparent Squid proxy.


In this topology, our client device’s HTTP requests are redirected by the SRX to our Squid proxy server, i.e. hostF won’t need any configuration for its requests to be proxied.

First we create source NAT rules for the Squid proxy itself and for our clients so that they can reach the Internet.

We need security policies to allow traffic from the HOSTS zone to the SERVERS zone, and from both of these zones towards the Internet as well.
Towards the Internet, we allow HOSTS to reach DNS resources only; everything on port 80 goes through the proxy.

And now the real redirection comes in. We redirect all requests for port 80 to the Squid server.
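The three SRX steps above (source NAT, security policies, destination NAT) pulled together in Junos set syntax, as an added example rather than the post’s own configuration. The zone names HOSTS and SERVERS and the ports 80/8080 come from the post; the Internet zone name `untrust`, the prefixes 192.168.1.0/24 (clients) and 10.0.0.10 (Squid), and all pool, rule and policy names are assumptions chosen for illustration.

```junos
## Added example, not the original post's configuration.
## Assumed: clients 192.168.1.0/24 in zone HOSTS, Squid at 10.0.0.10 in zone
## SERVERS, Internet-facing zone named "untrust".
set security zones security-zone HOSTS address-book address hosts-net 192.168.1.0/24
set security zones security-zone SERVERS address-book address squid-srv 10.0.0.10/32

## Step 1: source NAT so both the clients and the Squid box can reach the Internet
set security nat source rule-set to-internet from zone [ HOSTS SERVERS ]
set security nat source rule-set to-internet to zone untrust
set security nat source rule-set to-internet rule hide-all match source-address 0.0.0.0/0
set security nat source rule-set to-internet rule hide-all then source-nat interface

## Step 2a: HOSTS -> SERVERS. Policies are evaluated on the post-NAT destination,
## so the match is the Squid address and port 8080, not the original web server:80.
set applications application squid-8080 protocol tcp
set applications application squid-8080 destination-port 8080
set security policies from-zone HOSTS to-zone SERVERS policy hosts-to-squid match source-address hosts-net
set security policies from-zone HOSTS to-zone SERVERS policy hosts-to-squid match destination-address squid-srv
set security policies from-zone HOSTS to-zone SERVERS policy hosts-to-squid match application squid-8080
set security policies from-zone HOSTS to-zone SERVERS policy hosts-to-squid then permit

## Step 2b: HOSTS -> Internet is DNS only; direct web access from clients is not permitted
set security policies from-zone HOSTS to-zone untrust policy hosts-dns match source-address hosts-net
set security policies from-zone HOSTS to-zone untrust policy hosts-dns match destination-address any
set security policies from-zone HOSTS to-zone untrust policy hosts-dns match application junos-dns-udp
set security policies from-zone HOSTS to-zone untrust policy hosts-dns match application junos-dns-tcp
set security policies from-zone HOSTS to-zone untrust policy hosts-dns then permit

## Step 2c: SERVERS -> Internet so Squid can fetch pages on the clients' behalf
set security policies from-zone SERVERS to-zone untrust policy squid-out match source-address squid-srv
set security policies from-zone SERVERS to-zone untrust policy squid-out match destination-address any
set security policies from-zone SERVERS to-zone untrust policy squid-out match application junos-http
set security policies from-zone SERVERS to-zone untrust policy squid-out match application junos-dns-udp
set security policies from-zone SERVERS to-zone untrust policy squid-out then permit

## Step 3: destination NAT, the actual redirection. The rule-set is bound to
## "from zone HOSTS" only, so Squid's own outbound port-80 sessions (zone SERVERS)
## are not caught by the rule and looped back into the proxy.
set security nat destination pool squid-pool address 10.0.0.10/32 port 8080
set security nat destination rule-set redirect-http from zone HOSTS
set security nat destination rule-set redirect-http rule http-to-squid match source-address 192.168.1.0/24
set security nat destination rule-set redirect-http rule http-to-squid match destination-address 0.0.0.0/0
set security nat destination rule-set redirect-http rule http-to-squid match destination-port 80
set security nat destination rule-set redirect-http rule http-to-squid then destination-nat pool squid-pool
```

Two points worth checking after commit: `show security flow session destination-port 8080` should show the client’s sessions landing on the Squid address, and `show security nat destination rule all` should show the hit counter on `http-to-squid` increasing only for traffic arriving from HOSTS. Restricting the redirect rule to the HOSTS zone is what keeps the proxy from redirecting its own upstream requests back to itself.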

In my test I am using Squid 2.7 on Debian with the following config, so that it listens on port 8080 in transparent mode and allows my HOSTS network.

Let’s access to from hostF.

If we look at the flow session (ID: 1250) at the same time, we can see that the request to port 80 is actually forwarded to (squid server)

As seen in the output, we have two port 80 sessions. The other one belongs to the Squid proxy itself, fetching the same request on the client’s behalf.

If we check our Squid access log, we can also see the request.


3 thoughts on “Transparent Squid Proxy with SRX”

  1. Jorge

    Hi, thanks for your post, but I have a question: why doesn’t it work on my topology? I have the same configuration, but Squid rejects my connections with a NONE / 400 Invalid URL error. The NAT forwarding of HTTP traffic works, but my Squid doesn’t permit redirecting packets to the Internet. I appreciate your help. Regards

  2. rtoodtoo Post author

    That looks like a Squid config issue, Jorge. Not sure why you are getting that. I used Squid 2.7 in my tests. Better to double-check the config.

  3. AK

    Hi! Starting in version 3.1, Squid handles the packets differently than before. Now destination NAT is only accepted on the Squid box itself. However, you can use routing to get the original source and destination traffic to the Squid box.
