Transparent Proxy

Gentlemen,

        I have two Squid servers, both running Squid-2.0.PATCH2, one on a
dedicated FreeBSD 2.2.6 machine, the other sibling on a Sparc20 (Solaris
2.6). I can't upgrade my Cisco AGS+ router to 11.1 (never could get the
loaded, new, image to be saved to NVRAM) but hey, it's been working just
fine for years now so I'm not too worried.

        I noticed that FAQ Section 17 has been updated to reveal that transparent
proxying is essentially supported now in Squid 1.2/2.0 and am intrigued
with the FreeBSD approach, however I have some reservations.

        I have installed and configured a kernel with ipfilter, and have
essentially been following the directions on this FAQ page, but have run
into a stumbling block.

        I have been reading the FAQ (Sect. 17) regarding transparent proxying and
find the following unclear: (from the FAQ)

<FAQ> 1. Getting the packets to your cache machine. If your proxy machine
is already in the path of the packets (i.e. it is routing between your
dialup users and the Internet) then you don't have to worry about this
step.</FAQ>

        My dial-up users all use 3Com and Livingston Network Access Devices, which
have the ability to specify a default gateway. Am I correct in my
assumption that I would simply need to change the default gateway to
specify my Squid server?

        If the above assumption is correct, this would mean all of my dial-up
user's packets would be flowing through my FreeBSD Box, correct?

        All I would want is to transparently proxy Web requests, no FTP (squid
doesn't handle FTP PUTs and I don't really want to transparently proxy and
install Socks5, either). Would there be anything special I might need to
setup in FreeBSD's /etc/rc.conf file as well? I noticed the FAQ doesn't
mention anything about this (nor did ipfilter's home-page) but I want to be
safe than sorry. I'm specifically concerned about the line in FreeBSD's
/etc/rc.conf 'gateway_enable'. Currently this variable is set to "NO" and
my initial assumptions are to set this to "YES", but since I can't find
mention of it in the FAQ, I'm a little apprehensive. The rc.conf variable
'router_enable' is also set to "NO", too.

        Also, how does this affect sibling caches? Currently my users are
connecting to squid.sundial.net, which has a round-robin DNS entry
specifying both of my cache servers. Will I then have to revert back to a
single cache?

<FAQ> 3.Finally, you have to configure Squid to recognize the hijacked
connections and discern the destination addresses. For linux this seems to
work automatically. For FreeBSD you probably have to configure squid with
the --enable-ipf-transparent option.</FAQ>

        No problem, I've had to do numerous recompiles the past couple of days,
what with ASYNC I/O failing to compile, and CARP causing assertion
errors... how stable is this code, however?

        Also, Section 17.1 of the FAQ mentions the ipnat.rules file which I'm also
a little unclear (ok, very unclear):

<FAQ>Put these lines in /etc/ipnat.rules:

        # Redirect direct web traffic to local web server.
        rdr de0 1.2.3.4/32 port 80 -> 127.0.0.1 port 80 tcp
        
        # Redirect everything else to squid on port 8080
        rdr de0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp
</FAQ>

        I guess I should mention that my dial-ups share several different subnets:
204.181.151.0, 207.43.116.0, 207.43.117.0, 207.43.118.0, 207.43.119.0, and
that I only want to transparently proxy WWW requests (port 80) everything
else go direct (or go through squid if their browser's are configured).

        Those lines above make little sense to me. What would be the
configuration to only proxy port 80, and redirect everything else to my
Cisco Router?

        Finally, has anyone succeeded in actually getting this to work on a
similar setup as mine? I'd appreciate hearing any suggestions, traps,
horror stories which you went through - and possibly maybe seeing a copy of
your /etc/rc.conf, your ipnat rules, etc. for diff'ing? I could always
just switch to LiNUX I guess, but gosh-darnit, I *like* FreeBSD too much to
want to switch. ;-)

        Many thanks in advance.

                George Ellenburg
Received on Fri Oct 16 1998 - 08:08:30 MDT