Re: Transparent proxy, ip-filter, solaris

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 23 Mar 1998 23:18:38 +0100

Sherif Diaa El-Din - Email wrote:

> I installed ip-filter package on solaris 2.4 and added the rule in ipnat
> rdr le0 0.0.0.0/0 80 -> <localhost> port 3128 tcp
...

> http_port 3128
> icp_port 3130
> httpd_accel virtual 3128
> httpd_accel_with_proxy on

add "httpd_accel_uses_host_header on" here... If a Host: header is
available in the request then it should be used (that's why you applied
the patch in the first place).

> now requests try to contact the httpd server on port 80 on
> localhost, but since there isn't one installed , squid returns
> error message connection refused to the ip of the same solaris
> machine , seems it does not understand that a remote host is
> the one requested

The standard "virtual-support" code in Squid requires that getsockname()
returns the intended destination address. If this is not true for your
"reverse-NAT" package then you have to hack the squid sources somewhat
to get the correct destination IP. I know others have done this for
IP-Filter, but I have not seen any Squid patches.. Anyone using
httpd_accel virtual and ipfilter and willing to share the
implementation?

Until virtual support is available for your NAT package:

* Only 1.0++ browsers (sending Host: header which is a 1.1 feature) can
be supported, since if there is no Host: header, and Squid can't get the
correct destination address from the connection then it is very hard for
Squid to know where to go..

* You need a special page for the users with old browsers, telling them
that they need to upgrade to a new browser (and how to do that). Put
this page (and browser upgrade files) in a special directory on one of
your web servers (http://www.here.com/browserupgrades/... in the
example).

* Recommended squid.conf if httpd_accel virtual can't be supported on
your platform:

httpd_accel oldbrowser 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

A small redirector that redirects oldbrowser to the special page,
allowing them to also download the browser upgrades:

#!/usr/local/bin/perl
# Squid redirector: rewrites the URLs Squid builds for browsers that send
# no Host: header (httpd_accel oldbrowser 80). Output must be unbuffered,
# since Squid waits for one reply line per request line.
$|=1;
$upgradeserver="www.here.com";
$upgradenotice="http://www.here.com/browserupgrades/upgrade.html";

# Each input line starts with the URL; lines that need no rewrite are
# printed back unchanged.
while(<>) {
  if ( m%^http://oldbrowser:80/% ) {
    if ( m%^http://oldbrowser:80/browserupgrades/% ) {
      # Browser upgrades are available from
      # http://www.here.com/browserupgrades/...
      s%oldbrowser%$upgradeserver%;
      next;
    } else {
      # On all other unknown files, return the upgrade page
      s/^[^ ]*/$upgradenotice/;
    }
  }
} continue {
  print;
}

---
Henrik Nordström
Sparetime Squid Hacker
Received on Mon Mar 23 1998 - 14:37:56 MST
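Pulling the two mechanisms together, as an added example that is not part of the original post: build_url mirrors how Squid with the recommended squid.conf forms a URL from an intercepted request (Host: header when present, otherwise the httpd_accel host), and redirect mirrors the Perl redirector above. Hostnames follow the post; the sample requests and client fields are constructed.

```python
ACCEL_HOST, ACCEL_PORT = "oldbrowser", 80      # httpd_accel oldbrowser 80
UPGRADE_SERVER = "www.here.com"
UPGRADE_NOTICE = "http://www.here.com/browserupgrades/upgrade.html"
UPGRADE_DIR = "/browserupgrades/"

def build_url(request: str) -> str:
    """URL Squid builds for an intercepted request when getsockname()
    does not return the real destination (the ip-filter case in the post)."""
    lines = request.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    host = None
    for line in lines[1:]:
        if line == "":                      # end of headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    if host:                                # httpd_accel_uses_host_header on
        return f"http://{host}{path}"
    # No Host: header and no usable destination address: fall back to the
    # accel host so the redirector can recognise these requests by name.
    return f"http://{ACCEL_HOST}:{ACCEL_PORT}{path}"

def redirect(line: str) -> str:
    """Redirector logic from the post: one input line (URL first),
    one output line with the URL rewritten where needed."""
    url, sep, rest = line.partition(" ")
    prefix = f"http://{ACCEL_HOST}:{ACCEL_PORT}"
    if url.startswith(prefix + "/"):
        if url.startswith(prefix + UPGRADE_DIR):
            # Upgrade files: fetch them from the real upgrade server
            url = url.replace(ACCEL_HOST, UPGRADE_SERVER, 1)
        else:
            # Anything else from a Host:-less browser: send the upgrade page
            url = UPGRADE_NOTICE
    return url + sep + rest

if __name__ == "__main__":
    import sys
    sys.stdout.reconfigure(line_buffering=True)  # Squid needs unbuffered replies
    for raw in sys.stdin:
        print(redirect(raw.rstrip("\n")))
```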
