Re[4]: [squid-users] Non-transparent port works, transparent doesn't

From: zozo zozo <flam4_at_mail.ru>
Date: Tue, 18 Oct 2011 13:57:16 +0400

So does it mean Squid works only with NAT-ted packets? Should it not accept direct connection to the port?
Or does it check iptables for forwarding entries?

Does it mean that now intercepting squid can only work on the gateway machine?
Makes little sense to me - I'm using HTTP port forwarding from DD-WRT router to the server, obviously I can't have squid on router.

On Ubuntu I have Squid v3.1.11, is it a new feature in 3.2?

18 October 2011, 06:57, from Amos Jeffries <squid3_at_treenet.co.nz>:
> On Tue, 18 Oct 2011 04:14:28 +0400, zozo zozo wrote:
> > Port 80 is redirected from another machine to this one's 13128.
> > If squid worked on transparent port, it would reply to direct HTTP
> > GET on 13128 too, it does on Ubuntu.
> > Here squid accepts the connection but then closes it immediately.
> >
>
> NAT on another box has never been supported. It was a major security
> bug which is now closed in 3.2.
>
> What you need to do instead is use "policy routing" to ship the packets
> untouched to the Squid box. And perform the REDIRECT/DNAT with iptables
> on the Squid box.
>
> P.S. Ubuntu ship slightly older releases of Squid where this NAT
> brokenness is tolerated.
>
> Amos
>
> > 18 October 2011, 04:05, from Pieter De Wit:
> >> Hi,
> >>
> >> Maybe I am missing it, but where is the rule to REDIRECT port 80 to
> >> 13128
> >> in iptables ?
> >>
> >> Cheers,
> >>
> >> Pieter
> >>
> >> On Tue, 18 Oct 2011, zozo zozo wrote:
> >>
> >> > I'm trying to make squid work as transparent proxy on CentOS,
> >> > squid ver is 3.2.0.12, with ecap enabled.
> >> > The problem is that squid doesn't work on transparent port and
> >> > responds on non-transparent port.
> >> >
> >> > I've simplified configuration as possible to exclude access errors
> >> > Here's my squid.conf:
> >> >
> >> > http_port 13128 intercept
> >> > http_port 13129
> >> > acl our_networks src 1.2.3.0/24
> >> > acl localnet src 127.0.0.1/24
> >> > http_access allow all
> >> > http_access allow our_networks
> >> > http_access allow localnet
> >> >
> >> > cache_mem 0 MB
> >> > cache deny all
> >> >
> >> > #end of squid.config
>
Received on Tue Oct 18 2011 - 09:57:32 MDT
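The setup Amos describes, written out as commands. This is an added example, not something posted in the thread: it assumes a gateway with LAN interface br0 (placeholder), a Squid box at 192.0.2.10 on the client network 192.0.2.0/24 (placeholders), routing table 100 (arbitrary) and the intercept port 13128 from the original squid.conf. The point of keeping the REDIRECT on the Squid box is that Squid in intercept mode recovers the real destination of each connection from the local kernel's NAT table; if the DNAT happened on another machine that lookup fails, Squid can only trust what the client put in the Host header, and 3.2 refuses the connection rather than act as an open proxy. With the default settings the script only prints the rules it would install; APPLY=1 on the respective box actually runs them.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholders, override via environment:
SQUID_IP=${SQUID_IP:-192.0.2.10}      # Squid box address on the LAN (assumed)
SQUID_PORT=${SQUID_PORT:-13128}       # "http_port 13128 intercept" from the thread
LAN_NET=${LAN_NET:-192.0.2.0/24}      # client network (assumed)
ROUTER_LAN_IF=${ROUTER_LAN_IF:-br0}   # gateway's LAN-facing interface (assumed)
TABLE_ID=${TABLE_ID:-100}             # policy routing table number (arbitrary)

# Print the command unless APPLY=1, so the script is safe to read and dry-run.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Gateway (the DD-WRT box): policy routing instead of port forwarding.
# Port-80 packets from the LAN are marked and routed, with their original
# destination address intact, to the Squid box as next hop. No DNAT here.
router_policy_routing() {
    # Squid's own upstream fetches must not be sent back to Squid (loop).
    run iptables -t mangle -A PREROUTING -i "$ROUTER_LAN_IF" -s "$SQUID_IP" -j RETURN
    run iptables -t mangle -A PREROUTING -i "$ROUTER_LAN_IF" -s "$LAN_NET" \
        -p tcp --dport 80 -j MARK --set-mark 1
    run ip rule add fwmark 1 table "$TABLE_ID"
    run ip route add default via "$SQUID_IP" dev "$ROUTER_LAN_IF" table "$TABLE_ID"
}

# Squid box: the REDIRECT happens on the kernel Squid runs on, so the NAT
# table Squid consults for the original destination actually has the entry.
squid_box_redirect() {
    run iptables -t nat -A PREROUTING -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # Only NAT-ed connections belong on the intercept port. Squid 3.2 closes
    # direct connections anyway (the behaviour seen in the thread); dropping
    # them in the firewall keeps the port from being probed at all.
    run iptables -I INPUT 1 -p tcp --dport "$SQUID_PORT" \
        -m conntrack ! --ctstate DNAT -j DROP
}

# Stand-alone run: show both rule sets.
echo '# --- gateway (policy routing) ---'
router_policy_routing
echo '# --- Squid box (local REDIRECT) ---'
squid_box_redirect
```

The non-transparent port from the thread (13129) is unaffected by any of this; clients configured with it explicitly connect directly, and no NAT lookup is involved. Note that with policy routing the Squid box sees the clients' real source addresses, so the `acl ... src` lines in squid.conf keep working as written.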

This archive was generated by hypermail 2.2.0 : Tue Oct 18 2011 - 12:00:04 MDT