Re: Cisco redirection working

From: Henrik Nordstrom <>
Date: Sun, 08 Feb 1998 16:04:37 +0100

Graham Somers wrote:
> Hi
> If you could take the time to give a short rundown on your steps to
> getting your Cisco redirection working I, and I'm sure others, would
> appreciate it. I have been following the topic but seem to have left
> out something vital.

Ok, here is how I would go about to make transparent proxying:

1. Configure the Squid process as a accelerator and proxy. Transparent
proxying is the same as acceleration of all internet hosts.
2. Get the HOST to transparently accept ANY port 80 traffic and send
them to the Squid process. This is how a transparent proxy differs from
a plain httpd accelerator.
3. Set up the routing to pass port 80 traffic throught the proxy host.

---- Details on step 1, configure squid 1.1.X ----
In squid.conf you write
  httpd_accel virtual 80
  httpd_accel_with_proxy on
  httpd_accel_uses_host_header on

And patch src/icp.c function parseHttpRequest so that the acceleration
part looks like
        /* prepend the accel prefix */
        if (opt_accel_uses_host && ...
        } else if (vhost_mode) {
instead of the other way around.
A patch that does this is available from
(cd to main directory, and patch -p1 <patchfile")

This patch is needed to accelerate both Host: based virtual servers, and
simple clients not sending Host: headers. Without the patch one of them
corrupts the cache or fails (which one depends on what you write in
squid.conf, and the most likely bet is that virtual servers get

---- Details on step 1, configure squid 1.2 ----
In squid.conf you write
  httpd_accel_host virtual
  httpd_accel_with_proxy on
  httpd_accel_uses_host_header on

no patching required.

---- Details on step 2, accepting port 80 traffic -----
The HOST needs to transparently accept port 80 traffic from the clients,
and hand it off to the Squid process. This needs some modifications to
the TCP/IP processing on the host, and can't be done from inside Squid.

On Linux this modifications is done with the ipfwadm -r option (requires
IP Firewalling to be compiled in the kernel).
  # First some safe-guard rules to prevent looping
  ipfwadm -I -a accept -W lo
  ipfwadm -I -a accept -S thishost
  ipfwadm -I -a accept -D thishost
  # Then the magic rule that forwards traffic to the Squid process
  ipfwadm -I -a accept [-S clientnet/mask] -D 0/0 80 -r 3128

On some other OS:es you can use ipfilter to do a similar thing, but I
have no experience of it (I am sure others have).

The easies way to test if you have done everyting correcly so far is to
have a station in the same network as the Squid host, and set the
routing on that station to use the Squid host instead of your normal
router. Then "telnet 80" and type HELLO<enter>, and you should
see a error message from squid. Then telnet "proxy-host 80", and check
that you get connection refused (or connected to the local HTTP server
if any).

---- Details on step 3, routing ----

This can be done in two ways, either set up a route-map on the router,
or use the proxy-host as a router. Most people prefer to have the router
remap port 80 traffic to a separate proxy machine, as the proxy machine
has a higher failure ratio then a typical router...

A Cisco config resently shown in squid-users ("Graham Somers"
  interface Ethernet0
  description To Office Ethernet
  ip address
  no ip directed-broadcast
  no ip mroute-cache
  ip policy route-map proxy-redir
  access-list 110 deny tcp host any eq www
  access-list 110 permit tcp any any eq www
  route-map proxy-redir permit 10
  match ip address 110
  set ip next-hop

There are however a few gotchas when doing transparent proxying. The
most prominent one is that the MTU of the interface talking to the
clients needs to be set to the lowest MTU possible in the patch between
the Squid host and the clients (including their dialup connection). I
have seen on this list that someone did solve this with a patched
ipfilter(?) and a route-map to redirect ICMP to the Squid host. In most
situations this is no problem as most links have MTU 1500, but some
likes to use smaller MTUs to support mixed traffic on slow links. A easy
path around the problem is to tell those few that use a smaller MTU to
fill in their proxy settings in the browser.

Henrik Nordström
Sparetime Squid Hacker
Received on Sun Feb 08 1998 - 07:11:51 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:38:48 MST