Re: Transparent proxy, ip-filter, solaris

From: Henrik Nordstrom <>
Date: Mon, 23 Mar 1998 23:18:38 +0100

Sherif Diaa El-Din - Email wrote:

> I installed ip-filter package on solaris 2.4 and added the rule in ipnat
> rdr le0 80 -> <localhost> port 3128 tcp

> http_port 3128
> icp_port 3130
> httpd_accel virtual 3128
> httpd_accel_with_proxy on

add "httpd_accel_uses_host_header on" here... If a Host: header is
available in the request then it should be used (that's why you applied
the patch in the first place).

> now requests try to contact the httpd server on port 80 on
> localhost, but since there isn't one installed, squid returns
> error message connection refused to the ip of the same solaris
> machine, seems it does not understand that a remote host is
> the one requested

The standard "virtual-support" code in Squid requires that getsockname()
returns the intended destination address. If this is not true for your
"reverse-NAT" package then you have to hack the squid sources somewhat
to get the correct destination IP. I know others have done this for
IP-Filter, but I have not seen any Squid patches.. Anyone using
httpd_accel virtual and ipfilter and willing to share the

Until virtual support is available for your NAT package:

* Only 1.0++ browsers (sending Host: header which is a 1.1 feature) can
be supported, since if there is no Host: header, and Squid can't get the
correct destination address from the connection then it is very hard for
Squid to know where to go..

* You need a special page for the users with old browsers, telling them
that they need to upgrade to a new browser (and how to do that). Put
this page (and browser upgrade files) in a special directory on one of
your web servers ( in the

* Recommended squid.conf if httpd_accel virtual can't be supported on
your platform:

httpd_accel oldbrowser 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

A small redirector that redirects oldbrowser to the special page,
allowing them to also download the browser upgrades:

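$| = 1;  # unbuffered output: Squid waits for one reply line per request
# Placeholder value: set this to the URL of your upgrade notice page
$upgradenotice = "http://UPGRADE-NOTICE-URL/";
while(<>) {
  if ( m%^http://oldbrowser:80/% ) {
    if ( m%http://oldbrowser:80/broserupgrades/r% ) {
      # Browser upgrades are available from
    } else {
      # On all other unknown files, return the upgrade page
      s/^[^ ]*/$upgradenotice/;
    }
  }
} continue {
  print;  # write the (possibly rewritten) request line back to Squid
}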

Henrik Nordström
Sparetime Squid Hacker
Received on Mon Mar 23 1998 - 14:37:56 MST
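
Added example (not part of the original message and not Squid source code): a simplified Python model of the destination choice described above, showing why an old browser's request ends up pointed at the proxy machine itself when getsockname() reports the proxy's own address. The function names, the Host sanity check, and the sample requests and addresses are assumptions constructed for illustration.

```python
import re

HOST_RE = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")

def parse_request(raw):
    """Return (path, host) from a raw request head; host is None if the
    request has no usable Host: header (typical of old HTTP/1.0 browsers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            value = value.strip()
            # Ignore a Host value that is not a plain host[:port].
            return parts[1], value if HOST_RE.fullmatch(value) else None
    return parts[1], None

def accel_url(raw, sockname, accel_host, accel_port, uses_host_header):
    """Model of the destination choice described in the message.
    sockname is the (ip, port) getsockname() reports for the accepted socket;
    accel_host is the first httpd_accel argument ("virtual" or a host name)."""
    path, host = parse_request(raw)
    if uses_host_header and host:
        return "http://%s%s" % (host, path)
    if accel_host == "virtual":
        # Correct only if the NAT package makes getsockname() report the
        # address the client originally connected to.
        return "http://%s:%d%s" % (sockname[0], accel_port, path)
    # Fixed accelerator host: the redirector can recognise and rewrite this.
    return "http://%s:%d%s" % (accel_host, accel_port, path)

# Constructed sample requests and addresses (documentation ranges).
NEW = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
OLD = b"GET /index.html HTTP/1.0\r\n\r\n"
PROXY = ("192.0.2.10", 3128)  # getsockname() returns the proxy's own address

if __name__ == "__main__":
    print(accel_url(NEW, PROXY, "virtual", 80, True))     # Host: header wins
    print(accel_url(OLD, PROXY, "virtual", 80, True))     # points at the proxy
    print(accel_url(OLD, PROXY, "oldbrowser", 80, True))  # redirector's case
```

The third call produces the http://oldbrowser:80/ prefix that the redirector above matches.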
