Re: [squid-users] squid not picking up ipfw redirected requests

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 15 Feb 2003 18:48:41 +0100

I am not very familiar with FreeBSD but I assume this setup uses NAT on
the gateway. In such a configuration the return traffic MUST be routed
back the exact same way, or else NAT will screw up. Also HTTP/1.0
clients cannot be used in such a setup as the Squid server then has no
knowledge of the intended destination address.

There should be no need for any NAT or ipfw rules on the Squid server in
such setups, and the squid.conf should be slightly different from a
normal transparent proxy setup:

  httpd_accel_host www.yourcompany.com
  httpd_accel_uses_host_header on
  httpd_accel_with_proxy on

"httpd_accel_host virtual" is only useful if Squid runs directly on the
gateway doing NAT. If there is another destination NAT in front of the
Squid server it is of no use.

Regards
Henrik

Peter Brezny wrote:
>
> Greetings everyone,
>
> I'm having difficulty getting squid to pick up redirected packets.
>
> Squid works fine when I configure my browser to use the proxy.
>
> I've followed the instructions in:
> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html for the ipfw freebsd install.
>
> My squid server is not the firewall/gateway system, but one on another ip
> network on the internal LAN.
>
> lan-+-ipfw:gw---internet
>     |
>     |
>  Squid Server
>
> ipfw:gw has:
> ipfw add fwd squid.ip tcp from not squid.ip to any 80
> just before my divert rule for natd.
>
> squid server has
> ipfw add fwd 127.0.0.1:3128 tcp from not squid.ip to any 80
>
> squid.conf has:
> http_port 3128
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> But the squid system just doesn't seem to pick up the packets that get
> forwarded to it (no entries in squid access.log or store.log). I know they
> are landing on the system and getting forwarded to the squid port (I can
> watch the ipfw rule increment with ipfw show) but I get no return packet to
> the browser on the LAN.
>
> Any ideas here?
>
> TIA
>
> Peter Brezny
> purplecat.net
Received on Sat Feb 15 2003 - 13:57:53 MST
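
Added example (not part of the original messages and not Squid's own code): a simplified Python model of the point in the reply that, behind a destination NAT, the proxy can only learn the intended site from the Host header, so an HTTP/1.0 request without one falls back to the configured httpd_accel_host. The function name, the Host validation regex and the sample requests are assumptions made for illustration.

```python
import re
from typing import Optional, Tuple

ACCEL_HOST = "www.yourcompany.com"  # httpd_accel_host value from the reply above
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")  # accept hostname[:port] only


def resolve_destination(raw: bytes, uses_host_header: bool = True,
                        accel_host: str = ACCEL_HOST) -> Optional[Tuple[str, str]]:
    """Return (url, source) for an intercepted request, or None if unusable.

    source is "host-header" when the client named the site itself and
    "accel-host" when the proxy had to fall back to the configured name.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # malformed request line
    target = parts[1]
    if not target.startswith("/"):
        return None  # not origin-form, so not an intercepted browser request
    if uses_host_header:  # models httpd_accel_uses_host_header on
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() == "host":
                host = value.strip()
                if not HOST_RE.match(host):
                    return None  # refuse a malformed Host value
                return f"http://{host}{target}", "host-header"
    # No usable Host header: the original destination is unknown here.
    return f"http://{accel_host}{target}", "accel-host"


# Constructed sample requests, as they would arrive after redirection.
HTTP11 = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"
HTTP10 = b"GET /index.html HTTP/1.0\r\nUser-Agent: old-client\r\n\r\n"

if __name__ == "__main__":
    for req in (HTTP11, HTTP10):
        print(resolve_destination(req))
```

The HTTP/1.0 sample resolves to the fallback name regardless of which site the client was actually trying to reach, which is the failure the reply describes.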
