Transparent proxy probs...

From: Adrian Bool <>
Date: Fri, 21 Nov 1997 15:37:36 +0000 (GMT)

Hi all,

I'm trying to set up a transparent http proxy - first to evaluate how
bad it is ;-) Any experiences would be warmly received...

Our data is passing through a cisco router that I am policy routing
to a Solaris 2.6 Sparc.

On the Sparc is ipfilter v3.2.

If I set up the nat part of ip filter to,

rdr hme0 port 80 -> port finger

And telnet from a device on the other side of the cisco to the http
port of any machine I get connected to the finger port of the sparc.

All OK so far ;-)

Now, I alter the nat to,

rdr hme0 port 80 -> port 81

And run squid on port 81, with a config of (comments grepped out..)

http_port 81
icp_port 3130
hierarchy_stoplist cgi-bin ?
cache_stoplist cgi-bin ?
cache_mem 32
cache_swap 15000
maximum_object_size 16000
cache_dir /var/opt/spool/squid/cache
cache_access_log /var/opt/log/squid/access.log
cache_log /var/opt/log/squid/cache.log
cache_store_log /var/opt/log/squid/store.log
pid_filename /opt/squid/
debug_options ALL,1
ftpget_program /opt/squid/bin/ftpget
ftpget_options -n 60 -R -W
cache_dns_program /opt/squid/bin/dnsserver
dns_children 15
unlinkd_program /opt/squid/bin/unlinkd
acl manager proto cache_object
acl localhost src
acl all src
acl SSL_ports port 443 563
acl Dangerous_ports port 7 9 19
http_access deny manager !localhost
http_access deny CONNECT !SSL_ports
http_access deny Dangerous_ports
http_access allow all
icp_access allow all
miss_access allow all
cache_effective_user squid sysadmin
httpd_accel virtual 80
minimum_direct_hops 4

Now when I telnet to a port 80 from the other side of the server
I get,

nas1.is4#telnet 80
Trying, 80 ... Open
GET / HTTP/1.0

HTTP/1.0 400 Cache Detected Error
Server: squid/1.1.16
Date: Fri, 21 Nov 1997 14:06:34 GMT
Expires: Fri, 21 Nov 1997 14:11:34 GMT
Last-Modified: Fri, 21 Nov 1997 14:06:34 GMT
Content-Type: text/html
Content-Length: 604

<TITLE>ERROR: The requested URL could not be retrieved</TITLE></HEAD><BODY>
<H2>The requested URL could not be retrieved</H2>
While trying to retrieve the URL:
<A HREF=""></A><P>
The following error was encountered:
<LI><STRONG>Connection Failed</STRONG>

<P>The system returned:
<PRE><I> (146) Connection refused</I>
<P>This means that:

The remote site or server may be down. Please try again soon.

<ADDRESS>Generated by squid/1.1.16@serv1.is4</ADDRESS></BODY></HTML>
[Connection to closed by foreign host]

As you can see the address is the same one that I
have translated to - i.e. squid does not seem to be doing any 'clever'
lookup of the original ip address.

Looking in squid's source (squid-1.1.16/src/icp.c, line 1654) it doesn't seem
it is doing a special lookup (as per the proxy.c program in the samples
directory of IP Filter).

Am I missing something here? Next sensible step would be to merge the
proxy.c code into squid and it may work then - but I can't help but feel that
it has been done before and I'm just not seeing it...

Thanks for any help,


Adrian J Bool			|
Network Operations		|
U-NET Ltd, UK			| tel://44.1925.484461/
Received on Fri Nov 21 1997 - 07:45:35 MST
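The failure in the post comes down to where an intercepting proxy gets the real destination from: once the ipfilter `rdr` rule has rewritten the packet, the accepted socket's local address is the proxy host itself, so an accelerator that derives the origin from that address ends up connecting back to its own machine (the "Connection refused" to the translated address above). The model below, added here as an illustration rather than Squid's or IP Filter's code, walks through the candidate sources in the order a practitioner would want: absolute URL in the request line, `Host` header, a pre-translation lookup in the NAT table (the role the `proxy.c` sample plays, represented here by a caller-supplied callable), and only then the local socket address, refusing that last one when it is the proxy's own address so the proxy never loops into itself. The addresses, the `PROXY_ADDRS` set and the `nat_lookup` callable are constructed assumptions for the example.

```python
"""Model of how an intercepting HTTP proxy decides where an intercepted
request was originally going, and why destination NAT hides that.

Added illustration, not Squid's or IP Filter's code. Assumes an HTTP/1.0
request (absolute URL and Host header both optional) plus the local address
of the accepted socket, which after an 'rdr' redirect is the proxy's own
address rather than the origin server's.
"""
from urllib.parse import urlsplit

# Constructed values: the proxy host's own addresses and the port the
# accelerator would use for origin connections (httpd_accel virtual 80).
PROXY_ADDRS = {"192.0.2.10"}
ACCEL_PORT = 80


def parse_request(raw: bytes):
    """Split a raw request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def resolve_origin(raw: bytes, local_addr, nat_lookup=None):
    """Return (host, port, source) for an intercepted request.

    Preference order:
      1. absolute URL in the request line (an explicit proxy request),
      2. Host header (what a client-supplied origin looks like),
      3. NAT table lookup of the pre-translation destination (the job
         IP Filter's proxy.c sample does; passed in here as a callable
         taking local_addr and returning (host, port) or None),
      4. the local socket address, which after rdr is the proxy itself.
    Raises ValueError when the only candidate is the proxy's own address,
    because connecting there would loop the request back into the proxy.
    """
    _method, target, _version, headers = parse_request(raw)
    if target.startswith("http://"):
        parts = urlsplit(target)
        return parts.hostname, parts.port or 80, "absolute-url"
    if "host" in headers:
        host, _, port = headers["host"].partition(":")
        return host, int(port) if port else 80, "host-header"
    if nat_lookup is not None:
        orig = nat_lookup(local_addr)
        if orig is not None:
            return orig[0], orig[1], "nat-table"
    host, _port = local_addr
    if host in PROXY_ADDRS:
        raise ValueError("destination is the proxy itself: refusing to loop")
    return host, ACCEL_PORT, "local-address"


if __name__ == "__main__":
    # Constructed sample: the bare 'GET / HTTP/1.0' from the post, arriving
    # on a socket whose local address is the proxy host (post-rdr).
    bare = b"GET / HTTP/1.0\r\n\r\n"
    try:
        print(resolve_origin(bare, ("192.0.2.10", 81)))
    except ValueError as exc:
        print("refused:", exc)
    # Same request, but with a NAT table lookup available (constructed).
    print(resolve_origin(bare, ("192.0.2.10", 81),
                         nat_lookup=lambda _a: ("203.0.113.5", 80)))
```

Run as a script it prints the refusal for the bare request and the NAT-recovered origin for the second call. The point for a deployment is the ordering: without a `Host` header (HTTP/1.0 clients, as in the telnet test) and without a NAT-table lookup, the only thing left is the post-translation address, and the safe behaviour is to fail the request rather than connect to it.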

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:41 MST