Extremely Transparent Proxy

From: Diegmueller, Jason (I.T. Dept) <diegmuej@dont-contact.us>
Date: Wed, 31 May 2000 14:39:43 -0500

Squid Users--

I have searched the archives, and can't seem to find anyone else who has
looked at doing thing.

I'm reasonably familiar with squid, and extremely familiar with Linux.
The other day, I spent a few minutes setting up a Transparent Proxy. It
worked great in testing, I'm now looking at things from a network design

Our company is looking in to putting a squid machine in front of a HEAVILY
loaded web server ("Intranet Server"). The web server connects directly
to a Cisco Catalyst 5505 switch with both NICs utilizing HP's EtherChannel
implementation ("EtherTeaming"). This effectively doubles bandwidth and
provides hardware fault tolerance in a way on both the Catalyst (should a
port go) and on the server (should a NIC go).

My original plan (before I started really looking to squid as a transparent
proxy) was to utilize Linux's bonding driver to achieve 200Mb to the Linux
box, and 200Mb to the HP Server (thus, 4 NICs). Unfortunately, I'm limited
to only one instance of the bonding.o driver. So I'll just do 200Mb to the
switch, and 100Mb to the server. Not too big of a deal. If someone knows a
workaround, let me know.

The question comes in here:
If I'm using a two-interface solution, obviously I'm going to have to route
between the "outside" and the "inside" interface. If I do this, I'm
messing with addressing scheme of things here. I'd have to create a whole
new IP network for this Intranet server, and somehow advetise it to the rest
of my network (we use EIGRP, so I'd probably have to use zebra and
redistribute RIPv2 in to EIGRP) .. it would be ugly.

Another option I thought was that I could renumber the Intranet box, do
ipmasq, and simply forward every single port to the Intranet machine. But
again, that's reasonably "ugly".

So is there any "clean" way to implement an almost INVISIBLE proxy server?
Perhaps do bridging between the "outisde" and "inside" iterfaces, but still
have the ability to hijack requests to TCP port 80 and deliver them to
Has anyone done anything like this before? If so, do share. If not, think
I'm on the right path? Does this sound feasible?

I'd just like to implement a squid proxy WITHOUT having to redesign a lot
of things (and in the process piss of the systems team). I considered doing
a route-map on the Cat5505's RSM but when I was playing around with that
yesterday load went through the roof (this is an awfully busy Catalyst).

Insight, thoughts, and expertise is appreciated. Thanks!
Received on Wed May 31 2000 - 13:43:05 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:53:39 MST