Re: [squid-users] How to disable squid nat

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 27 May 2012 22:00:47 +1200

On 25/05/2012 10:31 a.m., Luis Candia wrote:
> Hi, we have a proxy to control the access to Internet to the Lan users
> and it is working right. Now I want to install a Router capable to do
> a traffic shaping using the original ip address of the LAN users, but
> the router just can see the external IP of the squid server, I tried
> to disable this kind of NATing that is doing the squid server but no
> success. Please I need your help.
>
> Luis Candia

Several points you need to understand before I give any solution....

1) This is how HTTP operates. It is a protocol with explicit
specification for multiple hops during both request and response
delivery. Those hops are in the HTTP protocol layer, not the TCP or IP
packet layers. Any given TCP connection of HTTP may contain multiple
HTTP requests, each of which comes from one or more end-users.

2) Squid *is* the client of the router. Requests sent by Squid are *not*
the same requests sent by the clients contacting Squid. They have been
received and processed by Squid, some of them may be served by Squid,
some of them may need requests to another server to fulfill. Squid will
then alter the request and pass it on. These latter are the requests from
Squid->Internet which you are trying to control, at the TCP/QoS level
any relation they have to an end-user is mere coincidence.

Once you are clear on those, it should be clear that to remove the
NAT-like behaviour from HTTP requires disabling one of the major
performance benefits offered by HTTP (persistent connections with
pipelining and multiplexing).

You have several options:

1) use Squid HTTP-level access and service controls. These include
several ways of QoS tagging of traffic by Squid. ie no need for the
router to know the client internal IP, just to process the transaction
TOS properly.

2) use a router software which supports HTTP relay/proxy itself and can
identify the HTTP X-Forwarded-For headers added by Squid (enabling
forwarded_for in squid.conf if it's disabled).

3) set up Squid as a TPROXY interception proxy. Which retains the
TCP-level IP address info across the Squid software processing stage.
This does exactly what you ask for but breaks the HTTP multiplexing
features annoying you, and a few others such as: authentication, DNS
offloading, and non-HTTP protocol gatewaying.

Amos
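As an added illustration of options 1 and 2 above (not part of Amos's mail or of the Squid project's documentation), a squid.conf fragment that marks Squid's outgoing traffic with a DS field chosen by client subnet and keeps X-Forwarded-For enabled. The subnets and DS values are assumed placeholders.

```conf
# Added example squid.conf fragment; client subnets below are constructed
# placeholders, adjust them to the real LAN layout.
acl lan_staff  src 192.168.10.0/24
acl lan_guests src 192.168.20.0/24

# Option 1: set the IP TOS/DS byte on Squid's *server-side* connections
# according to which client ACL the request matched. The router shapes on
# the DS field and never needs the internal client IP.
# 0x28 = DSCP AF11, 0x20 = DSCP CS1 (low priority), 0x00 = best effort.
tcp_outgoing_tos 0x28 lan_staff
tcp_outgoing_tos 0x20 lan_guests
tcp_outgoing_tos 0x00 all

# Option 2: keep the client address visible at the HTTP layer for a router
# that relays HTTP itself and reads X-Forwarded-For ("on" is the default).
forwarded_for on
```

As the mail explains, a persistent Squid-to-server connection may carry requests from several clients, so the DS mark describes that server-side connection rather than guaranteeing a one-to-one mapping to an end-user.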
Received on Sun May 27 2012 - 10:00:57 MDT
