hey there Hans,
are you serving squid on the same machine as the gateway is?(wasnt sure
about the DNAT).
your problem is not directly related to squid but to the way that tcp
and browsers works.
for every connection that the client browser uses exist a tcp windows
that stays alive for a period of time after the page was served.
this will cause to all the connections that was served using port 3128
to still exist for i think 5 till 10 more minutes or whatever is your
tcp stack settings.
if you want to understand it you can install iptstate and it will give
you a top like view of iptables list of connections and their states.
also you can use the conntrack tools (with -F option) to flush\view the
connections.
if you will flush the connections using "conntrack -F" you will see that
the connection is served on the 3129 port.
Regards,
Eliezer
On 28/05/2012 22:34, Hans Musil wrote:
> Hi,
>
> my box is running on Debian Sqeeze, which uses SQUID version 2.7.STABLE9, but my problem also seems to affect SQUID version 3.1.
>
> These are the importend lines from my squid.conf:
>
> http_port 3128 transparent
> http_port 3129 transparent
> url_rewrite_program /etc/squid/url_rewrite.php
>
>
> First, I did configure my Linux iptables like this:
>
> # Generated by iptables-save v1.4.8 on Mon May 28 21:04:09 2012
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.17.0.1:3128
> COMMIT
>
> and everything works fine.
>
> But when I change the redirect port in the iptables settings from 3128 to 3129, Squid behaves strange: My URL rewrite program still gets send myport=3128, althought there is definitely no more request on this port, but only on 3129. This only affects HTTP domains that already have been requested before, i.e. with redirection to port 3128, and it works fine again when I do a force-reload on my browser. Also, things turn well when waiting some minutes.
>
> I suppose there is some strange caching inside Squid that maps the HTTP domain to an incoming port.
>
> Could anybody help with some workaround?
>
> Thanks in advance.
>
> Hans
-- Eliezer Croitoru https://www1.ngtech.co.il IT consulting for Nonprofit organizations eliezer <at> ngtech.co.ilReceived on Mon May 28 2012 - 20:13:30 MDT
This archive was generated by hypermail 2.2.0 : Tue May 29 2012 - 12:00:05 MDT