Re: [SQU] Squid-Cisco transparent caching

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 26 Oct 2000 23:29:30 +0200

David Cundiff wrote:
>
> I've got squid listening on port 80 which from what I've read eliminates
> the need for ipchains/filter and forwarding is enabled. Or do I still need
> the ipchains rule, the faq wasn't very clear on that part.
>
> Dave Cundiff
> World Wide Net

Squid will only listen to port 80 on the server it runs on. To have the
proxy hijack TCP sessions with other destination addresses than the
server itself you must use ipchains or equivalent tools to redirect the
packets to the port of the local application.

The only exception is some L4 switch setups where the switch nats the
destination address of the request to the address of the proxy, and
relies on the proxy to pick up the Host header from the request or use an
out-of-band protocol to ask the switch for the real destination IP.

Note that I generally do not recommend hijacking of TCP sessions if you
can avoid it. It is often better to simply block port 80 and have the
users configure their browser to use the proxy (via a redundant load
balancer for large setups). Please note that the hijacking techniques
can be used to automatically provide the user with instructions on how
to configure their browser, just as it can be used to redirect the
traffic to a proxy.

--
Henrik Nordstrom
Squid hacker
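The redirect rule Henrik refers to, together with the squid.conf directives that let the proxy recover the origin from the Host header, as an added example that is not part of the original thread. It assumes a 2.2-series kernel with ipchains and transparent-proxy support compiled in, Squid 2.x, and placeholder values for the interface (eth0) and Squid port (3128) that must be adjusted per site. The rules are printed for review rather than executed unless the script is invoked with `apply`.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes a 2.2-series kernel
# with ipchains and CONFIG_IP_TRANSPARENT_PROXY, and Squid 2.x.
# Interface name and port are placeholders; adjust for your site.

# Emit the ipchains rule that hijacks client port-80 traffic arriving on the
# LAN interface and hands it to the local Squid port. Printed, not executed,
# so the rule set can be reviewed before it touches the firewall.
transparent_rules() {
    iface="$1"      # interface the clients sit behind, e.g. eth0
    squid_port="$2" # port Squid listens on locally
    # Restrict to traffic entering from the client side: a rule without -i
    # would also redirect connections arriving from the outside world.
    printf 'ipchains -A input -i %s -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 80 -j REDIRECT %s\n' \
        "$iface" "$squid_port"
}

# squid.conf fragment for Squid 2.x: accept hijacked connections and recover
# the origin server from the Host header, since the packet's destination
# address was rewritten to the proxy on the way in.
squid_transparent_conf() {
    squid_port="$1"
    cat <<EOF
http_port $squid_port
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
EOF
}

# Apply the rules only when explicitly asked for; otherwise show what would run.
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    transparent_rules "${2:-eth0}" "${3:-3128}" | sh
else
    transparent_rules eth0 3128
    squid_transparent_conf 3128
fi
```

Running the script with no arguments prints the rule and the squid.conf fragment for inspection; `sh script.sh apply eth0 3128` enables forwarding and loads the rule. Binding the redirect to the internal interface is the part worth keeping even if the rest is adapted: it limits the hijack to the clients you administer.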
Received on Fri Oct 27 2000 - 01:06:22 MDT
