Re: [squid-users] Newbie Help - Is this Possible?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 21 Oct 2013 23:49:27 +1300

On 20/10/2013 7:07 a.m., Aaron Wright wrote:
>> But if you place it so that the traffic flows through the proxy between the router it still has to be aware of routing, it has to know who its clients and servers are.
> Hmm. At that point, squid would only have one client, right? The router. And the servers would be whoever the router was sending the packet to in the first place.

  ... "in HTTP there are no packets. Just messages."

As some have mentioned it does not matter where Squid is located in the
network. Your router needs to *route* the clients' port 80 packets to the
Squid box as if the Squid box were an upstream router. The packets need
to still retain the original client IP:port and original destination
server IP:port details up until the point they reach Squid.

The intercept is then properly set up on the Squid box itself so Squid
has access to those original IP details on the packets. Squid MAY (or
may not) route the packets back through the router on their way to the
real destination.
IMPORTANT: if the packets go through the router after Squid, it needs to
identify the packets from Squid and prevent looping back to Squid again.

> That's the part I don't yet understand, but it seems as if everyone agrees that the squid box needs to be set up to access the internet. I was hoping to pull off something more transparent, but I might have been dreaming.

The Squid box does more in HTTP than just relaying packets. Some of
those things, like finding faster connection paths than the client knows
about and ensuring the destination site is not being spoofed, require
Internet connections independent of the client packet details.

FWIW: Squid is designed to optimize HTTP, which means taking advantage
of HTTP multiplexing and persistent connections whenever it can. The
server outgoing connections from Squid are fully independent of the
incoming client ones and any given destination server may have multiple
client requests to several of its IPs collated and sent to just one of
its IPs.

To cut a long comparison short: do not confuse proxies with tunnels. The
properties are VERY different.

>
>> I'd say the easy way to do this is to put it inside your private network and point the PCs to use it as proxy or configure your router to use it.
> If I was using DD-WRT on my router, what settings should I be looking at to redirect internet traffic to squid. And I assume I don't want to redirect internet traffic from squid. I can't think of how to do that off the top of my head.

This router configuration example was written for OpenWRT and DD-WRT
originally:
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

As you can see it contains two router iptables configuration snippets.
One for when Squid is between router and Internet, one for when Squid is
behind the router / amongst the clients.

NP: the one for when Squid is amongst the clients depends on Squid IP so
only works as-is when NAT intercept is done (easiest). For anything more
than semi-transparent you have to play around with routing by TOS values.

The Squid box has a separate configuration from the router, e.g. one of these:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

Amos
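The two-sided setup described in this reply (the router policy-routes port 80 to Squid without NAT, excluding Squid's own address so its outbound traffic is not looped back; the Squid box then does the NAT intercept locally, where Squid can read the original addresses), written up as an added example that is not from this thread or from the Squid wiki pages linked above. The interface name, addresses, packet mark, routing table number and intercept port are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the Squid project's own configuration. All values
# below are assumed placeholders: adjust them to your network.
LAN_IF=${LAN_IF:-br0}                    # router interface the clients sit on
SQUID_IP=${SQUID_IP:-192.168.1.2}        # Squid box, on the same LAN
INTERCEPT_PORT=${INTERCEPT_PORT:-3129}   # matches "http_port 3129 intercept" in squid.conf
MARK=3                                   # fwmark used to select the Squid route
TABLE=100                                # policy routing table holding that route

# Print the commands unless APPLY=1, so the rules can be inspected first.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Router side: plain policy routing, no NAT. The packets therefore keep
# their original client IP:port and server IP:port when they reach Squid.
router_rules() {
    # Loop prevention: Squid's own outbound port-80 connections come back
    # through this router and must NOT be marked, or they would be sent to
    # Squid a second time.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        ! -s "$SQUID_IP" -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$SQUID_IP" dev "$LAN_IF" table "$TABLE"
}

# Squid box side: the NAT intercept happens here. REDIRECT rewrites the
# destination to the local intercept port; Squid recovers the original
# destination from the connection's NAT record.
squid_box_rules() {
    run iptables -t nat -A PREROUTING -p tcp --dport 80 \
        -j REDIRECT --to-ports "$INTERCEPT_PORT"
    # mangle PREROUTING runs before nat PREROUTING, so redirected packets
    # still carry dport 80 here; only direct connections to the intercept
    # port (which should never exist) match this rule and are dropped.
    run iptables -t mangle -A PREROUTING -p tcp --dport "$INTERCEPT_PORT" -j DROP
}

router_rules
squid_box_rules
```

Run it on the router for the first function and on the Squid box for the second; with APPLY unset it only prints the rules.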
Received on Mon Oct 21 2013 - 10:49:37 MDT