Re: [squid-users] Help getting squid configured

From: Joe Cooper <joe@dont-contact.us>
Date: Fri, 23 Aug 2002 14:02:23 -0500

A layer 7 switch isn't required, necessarily. In fact, if he is using
traditional proxying, an L7 switch wouldn't work (because the request
would still be a proxy request, but sent to the origin server).

Possible Solutions:

Traditional Proxy

o Open the firewall for web connections to the problem site
o Configure clients to not use the proxy for the problem site

Transparent Proxy using iptables

o # iptables -t nat -I PREROUTING 1 -d ip.of.problem.site -j ACCEPT

Transparent Proxy using WCCP

o Create two access lists, one for the whole internet, one for problem
   sites
o Deny WCCP access for the problem sites list, allow for the internet
   list (the internet list will simply be a destination of 0.0.0.0)

Transparent Proxy using ipchains

o # ipchains -I input 1 -d ip.of.problem.site -j ACCEPT

It really isn't that complicated, nor is it expensive or time
consuming--problem sites can be counted on two hands with fingers left
over, and the number that impacts any one Squid installation is often as
low as zero.

sean.upton@uniontrib.com wrote:
> Perhaps I'm not clear what you mean by "send it on" - but if you mean have a
> totally unproxied request, you may be out of luck. I'm not sure you can
> have your cake and eat it too. It sounds like you want to do Layer 7
> switching, but not have the connection ever escalate above layer 4 between
> the client and the web server. This just may not be possible.
>
> This is hard stuff, I think. It sounds like you need a layer-7 switch of
> some sort, with something like out-of-path/direct-send return.
>
> All traffic would go to the L7 switch, which would accept the TCP
> connection, wait for the REQUEST header, get it and parse it, then push the
> request essentially unaltered at some HTTP server. You could set up two
> intercepting firewalls in the way of this, one running Squid, and the other
> running something like NAT. I think... I haven't given this serious
> meditation, and certainly haven't tried it. You may run into problems in
> that these switches typically rely upon ARP to do their voodoo, which means
> they likely won't work in an "outgoing traffic to the internet" sense.
>
> Good luck,
>
> Sean
>
> -----Original Message-----
> From: ChrisHoover@safety-kleen.com [mailto:ChrisHoover@safety-kleen.com]
> Sent: Friday, August 23, 2002 11:02 AM
> To: Joe Cooper
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Help getting squid configured
>
>
> I know this is true, but what I really need to have happen is when squid
> gets a request for the TROUBLE site to just send the requests straight to
> the site. I really need to have all requests come through the squid
> server since that is the company direction. Otherwise, I will have to have
> a special exception added to the firewall since no web request can get out
> w/o going through the proxy.
>
> So, is there a way to set up a rule that says if request is going to site x
> don't "mess" with it just send it on?
>
> Thanks,
>
> Chris

-- 
Joe Cooper <joe@swelltech.com>
Web caching appliances and support.
http://www.swelltech.com
Received on Fri Aug 23 2002 - 13:05:49 MDT
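Worked example added to this archive page; it is not part of Joe's message and not Squid's or netfilter's own code. It models the first-match semantics of the nat PREROUTING chain that make the "iptables -t nat -I PREROUTING 1 -d ip.of.problem.site -j ACCEPT" bypass work: the ACCEPT must sit ahead of the REDIRECT rule that sends port 80 to Squid, which is why the message uses -I ... 1 (insert at position 1) rather than -A (append). The Squid port 3128, the placeholder site address 192.0.2.10 and the other addresses are constructed for the example.

```python
"""Model of first-match rule evaluation in the iptables nat PREROUTING chain.

All addresses and the Squid port are constructed values for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

SQUID_PORT = 3128            # assumed: Squid's http_port on the interception box
PROBLEM_SITE = "192.0.2.10"  # constructed placeholder for ip.of.problem.site


@dataclass
class Rule:
    target: str                    # "ACCEPT" or "REDIRECT"
    dst: Optional[str] = None      # destination host/network; None matches any
    dport: Optional[int] = None    # TCP destination port; None matches any
    to_port: Optional[int] = None  # REDIRECT --to-ports value

    def matches(self, dst_ip: str, dport: int) -> bool:
        """True when the packet's destination and port satisfy this rule."""
        if self.dst is not None and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def as_command(self, position: Optional[int] = None) -> str:
        """Render the iptables invocation that would create this rule."""
        how = f"-I PREROUTING {position}" if position else "-A PREROUTING"
        parts = [f"iptables -t nat {how}"]
        if self.dst:
            parts.append(f"-d {self.dst}")
        if self.dport:
            parts.append(f"-p tcp --dport {self.dport}")
        parts.append(f"-j {self.target}")
        if self.target == "REDIRECT":
            parts.append(f"--to-ports {self.to_port}")
        return " ".join(parts)


def verdict(chain: List[Rule], dst_ip: str, dport: int = 80) -> str:
    """The first matching rule decides. ACCEPT in the nat table means 'do no NAT',
    so the connection goes to the origin untouched; an unmatched packet falls
    through to the chain policy, which is ACCEPT for nat/PREROUTING."""
    for rule in chain:
        if rule.matches(dst_ip, dport):
            return rule.target
    return "ACCEPT"


REDIRECT_ALL = Rule("REDIRECT", dport=80, to_port=SQUID_PORT)
BYPASS = Rule("ACCEPT", dst=PROBLEM_SITE)


def chain_with_insert() -> List[Rule]:
    """'-I PREROUTING 1' places the bypass ahead of the existing REDIRECT,
    which is the configuration the message describes."""
    chain = [REDIRECT_ALL]
    chain.insert(0, BYPASS)
    return chain


def chain_with_append() -> List[Rule]:
    """Common mistake: '-A' appends after the REDIRECT, so port-80 traffic to
    the problem site is already redirected before the bypass is consulted."""
    chain = [REDIRECT_ALL]
    chain.append(BYPASS)
    return chain


if __name__ == "__main__":
    for name, chain in (("insert", chain_with_insert()), ("append", chain_with_append())):
        print(f"--- {name} ---")
        for rule in chain:
            print(rule.as_command())
        print(f"{PROBLEM_SITE} -> {verdict(chain, PROBLEM_SITE)}")
        print(f"203.0.113.5 -> {verdict(chain, '203.0.113.5')}")
```

Running the script prints the two rule orderings and their verdicts: with the insert, the problem site gets ACCEPT (sent on unproxied) and everything else gets REDIRECT; with the append, both get REDIRECT and the bypass is dead. One practical check after applying the real rules is `iptables -t nat -L PREROUTING -n --line-numbers`, which shows the order the kernel will use; note that only the first packet of a connection traverses the nat table, so the verdict is taken once per connection, not per packet.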
