Re: [squid-users] Transparent proxy. router + dedicated server

From: Amos Jeffries <squid3@dont-contact.us>
Date: Mon, 10 Mar 2008 14:49:33 +1300 (NZDT)

> Hello,
>
> I have a problem with my squid setup. For quite a long time I've been using
> Squid 2.6 STABLE-17. I decided to switch to squid 3.0 but there is a
> problem.
>
> My configuration is:
>
> large network -> nat router (linux) -> router (hardware ATM) -> internet
>                               \             /
>                                    squid
>
> Most of traffic is nat'ed on nat router, and forwarded to border
> hardware atm router. HTTP traffic (port 80) is DNAT'ed to machine with
> squid. And that setup worked fine for now. But after switching to 3.0 I
> have following error message:
>
> ERROR
> The requested URL could not be retrieved
>
> While trying to retrieve the URL: /
>
> The following error was encountered:
>
> * Invalid URL
>
> Here are a few directives from my configuration file.
>
> http_port 80 transparent
> icp_port 0
> htcp_port 0
> tcp_outgoing_address X.X.X.X
> dns_nameservers X.X.X.X
>
>
> I have been working on it for quite a long time. I have been googling,
> but I have only found information about one-server setups. Even in the
> Squid FAQ there is only that configuration.
>
> Please help ;)

What you have is in no way transparent. As long as DNAT was used, it never
has been.

Transparent interception is done with REDIRECT (netfilter) or TPROXY-2
when squid sits on the NAT box with the full NAT tables available to it.

Using DNAT to another box isolates squid from the information it needs to
work transparently, but it can still be faked with a semi-open proxy
config.

You need the following for starters:

  # cope with standard web requests ...
  http_port 80 vhost
  # SECURE the access!!!!
  acl localnet src 10.0.0.0/8
  http_access deny !localnet

** alter the ACL to contain the IP ranges you are intercepting.

NP: broken non-HTTP-compliant client software will still get that error
page, but compliant software like most browsers will get through okay.

Amos
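The point of the "SECURE the access" line is that a `vhost` port with no source restriction is a semi-open proxy reachable from anywhere the box is routable. The following is an added example, my own code rather than Squid's or anything from this thread: it audits a squid.conf fragment for exactly that condition, using a simplified model of Squid's http_access evaluation (first matching rule wins, a rule's terms are ANDed, no match gives the opposite of the last rule's action) and constructed sample configs, one mirroring the posted setup with an assumed `http_access allow all`, the other mirroring the suggested fix.

```python
import ipaddress

# Constructed sample configs: WEAK_CONF mirrors the posted setup with an
# assumed permissive http_access; FIXED_CONF mirrors the suggested fix.
WEAK_CONF = "http_port 80 transparent\nhttp_access allow all\n"
FIXED_CONF = ("http_port 80 vhost\n"
              "acl localnet src 10.0.0.0/8\n"
              "http_access deny !localnet\n")

def parse_conf(text):
    """Pick out src ACLs, http_port lines and http_access rules; ignore the rest."""
    acls, ports, access = {}, [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:] if p != "all"]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "http_port" and len(parts) >= 2:
            ports.append((parts[1], set(parts[2:])))
        elif parts[0] == "http_access" and len(parts) >= 3:
            access.append((parts[1], parts[2:]))
    return acls, ports, access

def client_allowed(acls, access, client_ip):
    """Simplified http_access evaluation: first matching rule wins, terms are
    ANDed, and with no match the default is the opposite of the last rule."""
    ip = ipaddress.ip_address(client_ip)
    for action, terms in access:
        for term in terms:
            name = term.lstrip("!")
            hit = name == "all" or any(ip in net for net in acls.get(name, []))
            if hit == term.startswith("!"):   # term fails: negated hit or plain miss
                break
        else:
            return action == "allow"
    return bool(access) and access[-1][0] != "allow"   # no rules at all: deny

def audit(text, outside_ip="203.0.113.7"):
    """Report every interception/vhost port that would serve an outside client."""
    acls, ports, access = parse_conf(text)
    modes = {"transparent", "intercept", "vhost", "accel"}
    return [f"http_port {port}: serves {outside_ip}, semi-open proxy"
            for port, opts in ports
            if opts & modes and client_allowed(acls, access, outside_ip)]
```

Run `audit()` over your own squid.conf with an address outside the ranges you intercept; any finding means the `deny !localnet` line (or its equivalent) is missing or ordered after an allow.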
Received on Sun Mar 09 2008 - 19:49:40 MDT
