Re: [squid-users] transparent proxy help

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 31 May 2005 14:02:43 +0200 (CEST)

On Mon, 30 May 2005, Abu Khaled wrote:

> I remember that a friend of mine had such a problem but with ipf on FreeBSD.
> You can try this but I am not sure if it works.
> *** On Gateway
> 1. Pass traffic from Squidserver IP to port 80 to avoid loop
> 2. Redirecting http traffic from Client IPs to Squidserver but not
> changing destination port ( I left it at 80 ).

You also should not change the destination IP. The packets should simply
be routed to the Squid server with no NAT at all applied.

If the traffic is NAT:ed to the Squid server then the destination IP is
lost and intercepted HTTP/1.0 requests without the Host header won't
work.

But on the bright side you don't need (and should not use) any of the
transparent proxy configure options to Squid or any local firewall rules
redirecting traffic to Squid. Just configure Squid with

   http_port 80

   httpd_accel_host your.main.website
   httpd_accel_uses_host_header on
   httpd_accel_port 80

this will send HTTP/1.0 requests without host headers to your main web
site (or any other single site you appoint), the rest where they
requested.

For interception of HTTP/1.0 requests without host header to work the
following conditions must be met:

   1. The Squid server must see the original packets with all address info
intact.

   2. Suitable redirection rules need to exist in the local firewall
(IP-Filter/ipf/iptables) redirecting port 80 traffic to the Squid port.

   3. Squid must be built with support for the interception method you use
on the Squid server to redirect the packets to Squid.

If you are not interested in supporting old HTTP/1.0 clients then a simple
NAT with the config above is sufficient. But be aware that there still are
automated HTTP agents such as anti-virus updates etc using old HTTP/1.0
without host header.

Note: All known browsers use the Host header as this is required to
access domain based virtual hosts on the Internet.

Regards
Henrik
Received on Tue May 31 2005 - 06:02:46 MDT
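
The decision the mail describes, as an added example that is not part of the original thread and not Squid's own code: an intercepting proxy receiving a request on port 80 can pick the origin server from the Host header, or, failing that, from the original destination address of the packet, and only falls back to the httpd_accel_host default when both are gone. The three constructed cases show why routing (not NAT) to the Squid box matters for Host-less HTTP/1.0 clients. The addresses, the sample requests and the setting names mirrored as Python constants are assumptions made up for the example.

```python
"""Added example (not Squid code): how an intercepting proxy chooses the
origin server for a request arriving on port 80, and why NAT:ing the packets
before they reach the proxy breaks HTTP/1.0 clients that send no Host header.
"""

from dataclasses import dataclass
from typing import Dict, Tuple

# Hypothetical stand-ins for the Squid settings quoted in the mail.
HTTPD_ACCEL_HOST = "www.example.org"   # httpd_accel_host your.main.website
HTTPD_ACCEL_PORT = 80                  # httpd_accel_port 80
HTTPD_ACCEL_USES_HOST_HEADER = True    # httpd_accel_uses_host_header on
PROXY_IP = "192.0.2.10"                # constructed: the Squid server's own address


@dataclass
class InterceptedRequest:
    raw: bytes      # request line and headers exactly as the client sent them
    dst_ip: str     # original destination IP as the proxy can recover it;
                    # equal to PROXY_IP once an upstream NAT rewrote it
    dst_port: int


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split an HTTP request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def choose_origin(req: InterceptedRequest) -> Tuple[str, int, str]:
    """Return (host, port, reason) in the order the mail describes:
    Host header first, then the original destination, then the accel default."""
    _method, _target, _version, headers = parse_request(req.raw)

    # 1. Any client that sends a Host header (every current browser) can be
    #    routed by it, whether or not NAT mangled the packet on the way.
    if HTTPD_ACCEL_USES_HOST_HEADER and "host" in headers:
        host, _, port = headers["host"].partition(":")
        return host, int(port) if port else 80, "host-header"

    # 2. No Host header: the only clue left is the original destination IP,
    #    which is intact only if the packets were routed, not NAT:ed, to Squid.
    if req.dst_ip != PROXY_IP:
        return req.dst_ip, req.dst_port, "original-destination"

    # 3. Destination already rewritten to the proxy itself: the real target is
    #    lost and the request can only go to the single site httpd_accel_host names.
    return HTTPD_ACCEL_HOST, HTTPD_ACCEL_PORT, "accel-default"


# Constructed sample requests (not captured traffic).
REQ_HTTP11 = b"GET /index.html HTTP/1.1\r\nHost: intranet.example.net\r\n\r\n"
REQ_HTTP10 = b"GET /updates/defs.dat HTTP/1.0\r\nUser-Agent: av-updater/1.0\r\n\r\n"
ORIGIN_IP = "198.51.100.20"   # constructed: the web server the client actually dialed


def demo() -> Dict[str, Tuple[str, int, str]]:
    """Run the three cases from the mail and return the routing decisions."""
    cases = {
        "browser, NAT:ed":  InterceptedRequest(REQ_HTTP11, PROXY_IP, 80),
        "http/1.0, routed": InterceptedRequest(REQ_HTTP10, ORIGIN_IP, 80),
        "http/1.0, NAT:ed": InterceptedRequest(REQ_HTTP10, PROXY_IP, 80),
    }
    return {name: choose_origin(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (host, port, why) in demo().items():
        print(f"{name:18} -> {host}:{port}  ({why})")
```

Only the third case goes wrong: the HTTP/1.0 updater without a Host header ends up at www.example.org instead of 198.51.100.20 because the gateway's NAT erased the destination before the packets reached the proxy. On the Squid box itself the local redirect to the Squid port is harmless for the same lookup because the proxy can ask the firewall for the pre-redirect destination (on Linux netfilter via the SO_ORIGINAL_DST socket option); that is what condition 3 in the mail, building Squid with the matching interception support, is about.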