[Chilli] Squid transparent proxy on same server

Isidor Zeuner chilli at quidecco.de
Fri Apr 16 23:57:20 UTC 2010

Hi Jason,

> > I have used the "squid on the same box as chilli" scenario with squid
> > listening on virtual IPs on the block (because I had to
> > have squid distinguish between different configurations based on these
> > IPs), but I don't see why it shouldn't work, too.
> Interesting. My concern is that if I have squid listening on the ethernet
> adapter (or ip range) that the wireless clients are using, then wouldn't
> they be able to bypass chilli and its authentication altogether by
> assigning the squid server directly within their browser?
> Scenario ... chilli, dhcp, squid is on the one box called
> wireless.mydomain.com. If the authenticated wireless client configures their
> browser to use a proxy on wireless.mydomain.com:3128, then would they be able
> to bypass chilli (and authentication) altogether? That's why my thinking is
> that I would only want squid listening on the localhost and not on the
> ethernet or ip range that wireless clients are using?

Chilli would probably prevent this on its DHCP device, as it puts the
device in promiscuous mode and processes the raw packets before they
reach squid. Still, I would not want to take such a risk by having
to-be-protected services running on the client subnet. Instead, I
created a virtual subnet on a tap device which the clients never
access directly.

> > With debug logging enabled, chilli will log diagnostics like "rewriting
> > packet for post-auth proxy..." when using the proxy setting, which
> > might help to test your configuration.
> I will give this a try and see what it reveals.

All the best on this.

Best regards,



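The bypass Jason asks about (a client pointing its browser straight at squid on the box running chilli) is easy to audit for. The script below is an added example, not part of the thread or of the chilli or squid projects: it parses constructed `ss -ltn`-style listener output and reports every TCP socket a client on chilli's subnet could reach directly, i.e. anything bound on a wildcard address or on the gateway address inside the client subnet. The client subnet, ports and addresses are assumptions; an address outside the client subnet (such as one on a separate tap interface) only counts as safe if chilli does not route unauthenticated clients to it.

```python
# Added example (not from the original thread): flag listening TCP sockets
# that a wireless client on chilli's subnet could connect to directly,
# bypassing chilli's authentication for that service.
import ipaddress
from typing import List, Tuple

CLIENT_NET = ipaddress.ip_network("10.1.0.0/24")   # assumed chilli client subnet
WILDCARDS = {"0.0.0.0", "*", "::"}                 # "bound on every interface"

# Constructed sample of `ss -H -ltn` output: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:3128 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3129 0.0.0.0:*
LISTEN 0 128 10.1.0.1:3130 0.0.0.0:*
LISTEN 0 128 192.168.182.1:3131 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""


def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Return (local address, port) for each LISTEN line of ss -ltn output."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # split off the port only
        out.append((addr.strip("[]"), int(port)))
    return out


def reachable_by_clients(addr: str, client_net) -> bool:
    """True if a host on client_net could connect to this local address."""
    if addr in WILDCARDS:
        return True                      # listens on the client interface too
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return False                     # only the box itself can reach it
    return ip in client_net              # gateway address on the client subnet


def exposed_listeners(text: str, client_net=CLIENT_NET) -> List[Tuple[str, int]]:
    """Listeners from ss output that clients on client_net could hit directly."""
    return [(a, p) for a, p in parse_listeners(text)
            if reachable_by_clients(a, client_net)]


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS):
        print(f"reachable from client subnet: {addr}:{port}")
```

Run it against real `ss -H -ltn` output on the chilli box; squid's `http_port` should only ever show up as loopback or as an address clients cannot route to.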