Re: [squid-users] always_direct

From: Dr. Michael Weller <eowmob@dont-contact.us>
Date: Thu, 28 Jun 2001 14:55:16 +0200 (MESZ)

On Thu, 28 Jun 2001, Edward wrote:

> Ok.
>
> Let me see if I fully understand this param.
>
> Using always_direct will direct the customer straight to that site without
> squid proxying his connection. Thereby, he will be able to log into a
> site running a firewall that is only looking for his address?

No, you didn't, sorry. Once squid deals with the connection (that means
it receives the data from the client) it is too late for that.

Squid already received the data. It could pass a 1-1 copy of them on, but
then the squid machine would be the origin of the request (which won't
work for you) and it would break certain protocol specs and what else.

always_direct or never_direct control if *squid* will deal with the
final destination site (direct) or may ask other caches/upstream proxies.

Once the browser has opened a connection to squid you can't have squid
automagically undo the connection and have the browser go direct without
telling it.

There are two solutions for you:

a) You don't do or have to do transparent proxying. Then configure the
   browsers not to use the proxy for certain destination addresses.

b) You insist on transparent proxying. Then you need to have a certain
   module, filter, firewall package etc. for your actual OS which is
   actually intercepting all outgoing http connections and forces them
   into the squid process. Squid can't do that itself, it is only
   able to understand the protocol of these connections although it
   differs from the http proxy protocol. You can also not intercept
   native FTP protocol downloads this way. The actual IP redirection
   is very OS specific and not http related and thus far beyond squid's
   scope.

   This other, external, non-squid module, you need to configure
   NOT TO redirect certain source<->destination combinations of the
   http traffic.

> Or I will have to let his ip through our router since we are doing transparent
> proxying?

I don't fully understand this (too little info). Probably yes. At least
you need to change the config of the redirector, whatever it is (router,
firewall, ..., os of the squid host). If you have problems with that, ask
someone knowing about the redirector (router, firewall, os of the squid
host, ...) not the *squid* users list.

Michael.

--
Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de,
or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on
any machine in the net, it's very likely it's me.
Received on Thu Jun 28 2001 - 06:55:23 MDT
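
The exemption described in option b), as an added example that is not part of the original message. It assumes the redirector is a Linux gateway using iptables (the post names no particular OS); the interface name, Squid port and address pairs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the redirector is a
# Linux gateway using iptables; all values below are constructed placeholders.
LAN_IF="eth0"        # assumed: interface facing the clients
SQUID_PORT="3128"    # assumed: port Squid accepts intercepted traffic on

# "source destination" pairs that must reach the origin server with the
# client's own address, so they must NOT be redirected into Squid.
EXEMPT_PAIRS="192.0.2.10 198.51.100.25
192.0.2.0/24 203.0.113.80"

# Print the rules in the order they have to be loaded. Rules in a chain are
# evaluated first-match: ACCEPT in the nat table leaves the connection
# untouched, so each exemption must come before the catch-all REDIRECT.
build_intercept_rules() {
    printf '%s\n' "$EXEMPT_PAIRS" | while read -r src dst; do
        [ -n "$src" ] && [ -n "$dst" ] || continue
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -s $src -d $dst -j ACCEPT"
    done
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# Read a rule listing on stdin; fail if there is no REDIRECT rule or if an
# exemption follows it (it would never match, and the client is proxied).
check_rule_order() {
    awk '/-j REDIRECT/ { seen = 1; next }
         /-j ACCEPT/ && seen { bad = 1 }
         END { exit (bad || !seen) }'
}

# Dry run by default: print the rules. Set APPLY=1 (as root) to load them.
if build_intercept_rules | check_rule_order; then
    if [ "${APPLY:-0}" = "1" ]; then
        build_intercept_rules | sh
    else
        build_intercept_rules
    fi
else
    echo "rule order is wrong: exemption after REDIRECT" >&2
fi
```

Traffic exempted this way follows the gateway's normal forwarding path, so its filter rules and routing still have to let the client reach the destination.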
