Brian writes:
> If I have a l4 switch (foundry serveriron) directing web requests to my
> squid box (port 80), do I still have to run squid on another port like
> 3128 and use rules like:
>
> /sbin/ipchains -A input -j ACCEPT -i lo
> /sbin/ipchains -A input -j ACCEPT -p tcp -d 208.206.76.44 80
> /sbin/ipchains -A input -j REDIRECT 3128 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 80
>
> or can I just forget the rules, run squid on port 80 and all is well?

The FAQ section on Transparent Caching explains this, but does it
fairly tersely. <http://squid.nlanr.net/Squid/FAQ/FAQ-17.html#ss17>

There are three important issues:

* Getting the packets destined for other web hosts to the server - the
  Serveriron does that, normally by rewriting the Ethernet MAC address
  to the address of your cache server and sending it out the port your
  server's plugged in via;

* Getting your server to accept packets for any IP address whatsoever
  on port 80, since those packets weren't supposed to be destined to
  your server. I'm not yet familiar with ipchains, but it looks like
  your last line above does that, but redirects it to port 3128. You
  could instead simply rewrite it to accept packets from any IP
  address on port 80.

* Getting squid to accept the packets on port 80 - one way you can do
  that is by setting the recommended options in the FAQ:

    http_port 3128
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on

I think this combo would do the trick for your Linux setup; let me
know if it works. I'm currently trying to finish setting up a nearly
identical configuration under BSD with the ipfilters package.
-- Clifton
-- Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net
"An absolute monarch would be absolutely wise and good. But no man is
strong enough to have no interest. Therefore the best king would be
Pure Chance. It is Pure Chance that rules the Universe; therefore, and
only therefore, life is good." - AC

Received on Fri Jun 25 1999 - 19:38:52 MDT
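
Added example, not part of the original message or of Squid: a small Python check that the ipchains REDIRECT rule and the squid.conf settings quoted above agree, since a redirect to a port Squid is not listening on silently breaks interception. The function names are hypothetical, and the sample input is the rules and options from the thread.

```python
import shlex

# Values recommended in the message above
REQUIRED_ACCEL = {"httpd_accel_host": "virtual", "httpd_accel_port": "80",
                  "httpd_accel_with_proxy": "on"}

def parse_squid_conf(text):
    """Return {directive: value} for simple squid.conf lines."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def redirect_rules(rules_text):
    """Yield (dest_port, redirect_port) for each ipchains REDIRECT rule."""
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if "REDIRECT" not in tok or "-d" not in tok:
            continue
        j, d = tok.index("REDIRECT"), tok.index("-d")
        # ipchains: "-d address [port]"; "-j REDIRECT [port]" defaults to the packet's own port
        dport = tok[d + 2] if tok[d + 2:d + 3] and tok[d + 2].isdigit() else None
        to = tok[j + 1] if tok[j + 1:j + 2] and tok[j + 1].isdigit() else dport
        yield dport, to

def check(squid_text, rules_text):
    """Return mismatches between the redirect rules and squid.conf."""
    conf, problems = parse_squid_conf(squid_text), []
    listen = conf.get("http_port")
    targets = [to for dport, to in redirect_rules(rules_text) if dport == "80"]
    if not targets:
        problems.append("no REDIRECT rule for destination port 80")
    for to in targets:
        if to != listen:
            problems.append(f"REDIRECT sends port 80 to {to}, squid listens on {listen}")
    for key, want in REQUIRED_ACCEL.items():
        if conf.get(key) != want:
            problems.append(f"{key} is {conf.get(key)!r}, expected {want!r}")
    return problems

# Sample input: the settings and rules quoted in the message above
SQUID_CONF = ("http_port 3128\nhttpd_accel_host virtual\n"
              "httpd_accel_port 80\nhttpd_accel_with_proxy on\n")
RULES = ("/sbin/ipchains -A input -j ACCEPT -i lo\n"
         "/sbin/ipchains -A input -j REDIRECT 3128 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 80\n")

if __name__ == "__main__":
    print(check(SQUID_CONF, RULES) or "redirect and squid.conf agree")
```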