RE: [squid-users] Interception Caching/Proxying (aka transparent proxy)

From: Joe Kattner <>
Date: Wed, 28 Nov 2001 12:06:33 -0500

This is mostly from the archive, so most can pass it by :)

The only problem with this configuration after all this was that you need to
have two interfaces on the squid box. The ipnat also caught the squid
traffic (outbound) and redirected it back to itself causing an endless
loop... We didn't want another interface and have to put routing onto the
server, so we didn't complete the project.

But it shows a pretty complete and working setup including the route map
(minus the other interface). We successfully were able to intercept all outbound
web traffic and force it to squid.

Hope that helps,


Thanks Henrik,

The test you gave started working, in that it was generating squid error
pages on the telnet session, from a host on the same segment, but it still
was not intercepting (no hits in the squid log) for any other hosts.

The problem was on the Cisco 6509. We were using rpf on the vlan interface.
So, for anyone else having these problems, you need to have 'ip verify
unicast reverse-path' off for it to work properly.

Thanks again for the help!


-----Original Message-----
From: Henrik Nordstrom []
Sent: Saturday, November 03, 2001 5:16 AM
To: Joe Kattner
Cc: ''
Subject: Re: [squid-users] Problems with interception cache on Solaris

I can't see any obvious errors.

I would suggest you start by verifying the netfilter operation.
Configure a host on the same lan segment as the proxy with a host route
for via the proxy server, then
telnet 80

If the above gives you a Squid error page then the interception is
working just fine.

Hmm.. thinking. Maybe you need to enable IP-forwarding for ipfilter to
work properly.

Henrik Nordström
Squid Hacker

Joe Kattner wrote:
> Hello All,
> Need some help setting up an interception cache. Everything is set up as
> below, the requests are getting from the network to ipfilter on the squid
> server, but they're not making it to squid, or squid isn't doing anything
> with them.
> There is no problem with communication from the squid server outbound, and
> have reverted back to using a regular cache, which is working fine.
> Thanks, any help is greatly appreciated!
> --Joe
> bash-2.03# uname -a
> SunOS cdptproxy 5.7 Generic_106541-14 sun4u sparc SUNW,Ultra-2
> bash-2.03# /usr/local/squid/bin/squid -v
> Squid Cache: Version 2.4.STABLE2
> Built with: ./configure --prefix=/usr/local/squid --enable-ipf-transparent
> --enable-storeio=diskd,ufs
> Configured ipfilter 3.4.21 on the server:
> # Redirect direct web traffic to local web server.
> rdr hme0 port 80 -> port 80 tcp
> # Redirect everything else to squid on port 8080
> rdr hme0 port 80 -> port 3128 tcp
> bash-2.03# /sbin/ipnat -f /etc/ipnat.rules
> bash-2.03# ls -al /devices/pseudo/ipf@0:ipnat
> crw-r--r-- 1 root squid 65, 1 Nov 1 22:19 /devices/pseudo/ipf@0:ipnat
> bash-2.03# /sbin/ipnat -l
> List of active MAP/Redirect filters:
> rdr hme0 port 80 -> port 80 tcp
> rdr hme0 port 80 -> port 3128 tcp
> List of active sessions:
> Using a policy map on the router to point to the proxy server:
> Cisco Internetwork Operating System Software
> IOS (tm) MSFC Software (C6MSFC-JSV-M), Version 12.1(5a)E, EARLY DEPLOYMENT
> route-map proxy-redirect permit 20
> match ip address redirects
> set ip next-hop
> ip access-list extended redirects
> deny tcp host any eq www
> permit tcp any any eq www
> Configured squid per the faq:
> http_port 3128
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
Received on Wed Nov 28 2001 - 10:05:54 MST
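The thread above reports two failure modes of this interception setup: the proxy's own web fetches being policy-routed back to itself and redirected to Squid again (the loop), and strict unicast RPF on the 6509's VLAN interface breaking interception for hosts that are not on the proxy's own segment. The Python model below is an added illustration and is not code from the thread, from Squid or from IP Filter; it reproduces the route-map/ACL logic, the `rdr` rule and a strict reverse-path check on a constructed topology (the addresses, interface names and port numbers other than 80 and 3128 are assumptions, since the original post's addresses were lost in the archive). It assumes the usual `rdr` behaviour that the reply to an intercepted connection is translated back to carry the origin server's address as its source.

```python
"""Model of the interception path from the thread: IOS route-map + ACL on the
router, ipfilter 'rdr' on the Squid box, and strict unicast RPF on the VLAN
interface. Shows why the ACL needs its 'deny tcp host <proxy>' line and why
strict uRPF drops the intercepted flows."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not from the thread).
PROXY = "10.0.1.10"       # Squid box, single interface on vlan1
CLIENT = "10.0.2.25"      # a browser on vlan2
ORIGIN = "198.51.100.7"   # some web server reached via the uplink
SQUID_PORT = 3128         # http_port from the thread

# Router interfaces and the prefix reached through each (longest match wins).
ROUTES = {
    "vlan1": ip_network("10.0.1.0/24"),
    "vlan2": ip_network("10.0.2.0/24"),
    "uplink": ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def acl_redirects(pkt, proxy=PROXY, deny_proxy=True):
    """The 'redirects' ACL: 'deny tcp host <proxy> any eq www' followed by
    'permit tcp any any eq www'. deny_proxy=False models leaving the deny out."""
    if pkt.dport != 80:
        return False
    if deny_proxy and pkt.src == proxy:
        return False
    return True


def egress_interface(dst):
    """Plain forwarding: longest-prefix match over ROUTES."""
    addr = ip_address(dst)
    candidates = [name for name, net in ROUTES.items() if addr in net]
    return max(candidates, key=lambda name: ROUTES[name].prefixlen)


def router_forward(pkt, deny_proxy=True):
    """route-map proxy-redirect: matching web traffic gets next-hop = proxy,
    anything else follows the routing table. Returns the next hop or interface."""
    if acl_redirects(pkt, deny_proxy=deny_proxy):
        return PROXY
    return egress_interface(pkt.dst)


def ipnat_rdr(pkt, proxy=PROXY):
    """'rdr hme0 ... port 80 -> <proxy> port 3128 tcp': a port-80 packet arriving
    on the proxy's interface has its destination rewritten to Squid."""
    if pkt.dport == 80:
        return replace(pkt, dst=proxy, dport=SQUID_PORT)
    return pkt


def client_request():
    """Client -> router (policy route) -> proxy (rdr). Returns what Squid sees."""
    pkt = Packet(CLIENT, 40000, ORIGIN, 80)
    if router_forward(pkt) != PROXY:
        raise RuntimeError("client traffic was not policy-routed to the proxy")
    return ipnat_rdr(pkt)


def proxy_outbound(deny_proxy=True):
    """Squid's own fetch of the origin. With the ACL deny line it leaves via the
    uplink; without it the router hands it back to the proxy, where rdr sends it
    to Squid again: the loop described in the thread."""
    pkt = Packet(PROXY, 50000, ORIGIN, 80)
    hop = router_forward(pkt, deny_proxy=deny_proxy)
    if hop == PROXY and ipnat_rdr(pkt).dport == SQUID_PORT:
        return "loop"
    return hop


def urpf_strict_passes(pkt, ingress):
    """Strict unicast RPF: the best route back to pkt.src must point out the
    interface the packet arrived on. (Here the default route is allowed to
    satisfy the check; on IOS it is not by default, which only makes the
    intercepted reply fail more surely.)"""
    return egress_interface(pkt.src) == ingress


def intercepted_reply():
    """ipnat undoes the rdr on the way back, so the proxy emits the reply with the
    origin server's address as source onto vlan1. Strict uRPF on vlan1 routes
    that source via the uplink and therefore drops the packet."""
    reply = Packet(ORIGIN, 80, CLIENT, 40000)
    return urpf_strict_passes(reply, "vlan1")


if __name__ == "__main__":
    print("Squid sees:", client_request())
    print("proxy's own fetch, ACL deny present:", proxy_outbound())
    print("proxy's own fetch, ACL deny missing:", proxy_outbound(deny_proxy=False))
    print("intercepted reply passes strict uRPF on vlan1:", intercepted_reply())
```

The uRPF result also explains the symptom in the thread: a host on the proxy's own segment receives the translated reply directly, so it works, while replies to every other VLAN must cross the router and are discarded there. uRPF is doing exactly what it is for (dropping packets whose source does not match the reverse path), so turning it off on that interface trades anti-spoofing protection for interception; the alternative is to exempt the proxy's interface from the check rather than the whole device.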
