Re: [squid-users] squid as transparent proxy not working

From: Squid Support (Henrik Nordstrom) <hno@dont-contact.us>
Date: Fri, 19 Apr 2002 23:45:40 +0200

Don't confuse reverse-proxying and transparent proxying. What you are
after is reverse-proxying.

On the NAT gateway, configure Squid as follows:

# Reverse proxying
http_port 80
httpd_accel_host <your.external.domain>
httpd_accel_uses_host_header on
httpd_accel_with_proxy on

# Access controls
acl to_my_server dst <ip.of.internal.server>
acl http proto http
acl port80 port 80
http_access allow http port80 to_my_server
http_access deny all

/etc/hosts:

ip.of.internal.server your.external.domain

And use --disable-internal-dns when compiling Squid.

Note: The above setup is the medium-complex setup, easily extended to
support more than one server or domain. There are some simpler setups,
but there are then issues with Host headers etc.

Regards
Henrik

On Friday 19 April 2002 22:21, Eric D. Hendrickson wrote:
> Hello,
>
> I am trying to make squid work as a transparent proxy via my NAT
> box at home, to my webserver on the LAN behind the NAT box. I am
> following the HOW-TO at:
>
> http://www.tldp.org/HOWTO/mini/TransparentProxy.html
>
> My NAT box is a 2.2 kernel (Mandrake 7.1, eth1 == 10.10.10.1)
> running squid-2.3.STABLE4-3mdk and my webserver is a 2.4 kernel
> (Mandrake 8.2, 10.10.10.2) running Apache. Squid is running on
> port 80 and so is Apache.
>
> Here is the output of "iptables -t nat -L" on the 2.4 box
> (trantor.crystalcave.net == 10.10.10.1):
>
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> DNAT tcp -- !trantor.crystalcave.net anywhere tcp dpt:http to:10.10.10.1:80
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> SNAT all -- 10.0.0.0/8 trantor.crystalcave.net to:10.10.10.2
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> When I try to hit squid from outside my LAN, I get a "ERROR the
> requested URL could not be retrieved" and "Access Denied" in bold
> text displayed, and the squid log file shows:
>
> 1019246699.218 86 206.11.112.251 TCP_MISS/403 1067 GET http://www.crystalcave.net/ - DIRECT/www.crystalcave.net text/html
>
> The request never reaches the internal web server, of course.
>
> The only changes I made to squid.conf are:
>
> http_port 80
> httpd_accel_host 10.10.10.2
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> I tried using "virtual" for the httpd_accel_host as the HOW-TO
> suggests, but that didn't help.
>
> Any ideas?
>
> Thanks!
> Eric Hendrickson

-- 
MARA Systems AB, Giving you basic free Squid support
Your source of advanced web reverse proxying solutions
http://www.marasystems.com/producs/
Received on Fri Apr 19 2002 - 16:03:00 MDT
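
Added example (not part of the original thread, and not Squid's own code): a small Python model of how the http_access rules in the reply above are evaluated. It shows that only HTTP requests on port 80 whose destination resolves to the internal server are allowed, and that everything else falls through to "deny all". The host names and addresses are constructed stand-ins for the placeholders in the configuration.

```python
import ipaddress

# Constructed stand-ins for the placeholders in the reply's configuration.
INTERNAL_SERVER = ipaddress.ip_address("10.10.10.2")  # <ip.of.internal.server>
HOSTS_FILE = {"www.example.test": INTERNAL_SERVER}    # the /etc/hosts entry
# Hypothetical resolver answers for names that are not in /etc/hosts.
OTHER_DNS = {"other.example.net": ipaddress.ip_address("192.0.2.80")}

def resolve(host):
    """Return the address for host, consulting the hosts file first."""
    try:
        return ipaddress.ip_address(host)          # already an IP literal
    except ValueError:
        return HOSTS_FILE.get(host, OTHER_DNS.get(host))

# One predicate per "acl" line of the reply.
ACLS = {
    "to_my_server": lambda r: resolve(r["host"]) == INTERNAL_SERVER,  # dst
    "http": lambda r: r["proto"] == "http",
    "port80": lambda r: r["port"] == 80,
    "all": lambda r: True,
}

# The "http_access" lines, in order.
RULES = [
    ("allow", ["http", "port80", "to_my_server"]),
    ("deny", ["all"]),
]

def http_access(req):
    """ACLs on one line are ANDed; the first line that matches decides."""
    for action, names in RULES:
        if all(ACLS[name](req) for name in names):
            return action
    return "deny"  # not reached here: "deny all" matches every request

if __name__ == "__main__":
    samples = [  # constructed requests
        {"proto": "http", "host": "www.example.test", "port": 80},
        {"proto": "http", "host": "other.example.net", "port": 80},
        {"proto": "http", "host": "www.example.test", "port": 8080},
        {"proto": "ftp", "host": "www.example.test", "port": 80},
    ]
    for req in samples:
        print(http_access(req), req)
```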