> > 1) why intercept mode fails (do I need any special rule on my remote
> > SQUID box?) with access denied for all requests
>
> Where is the NAT/TPROXY interception happening for (1)?
>
> It is required to be done directly on the Squid machine, with packets
> sent to that machine by *routing* or *tunnelling* (VPN) in such a way
> that the TCP packet IP:port details set by the client are completely
> untouched by the network before they hit the Squid machine.
> Typically in the past your type of setup has used NAT at the client end
> (it was "easy"), which actually erases the destination IP details and
> replaces them with the Squid machine IP:port. The problems this caused
> were hidden for a long time but recent security checks are preventing
> the Host header being used to determine the outbound connection when
> they occur. For now Squid preserves the behaviour the client would have
> seen by going to the TCP destination IP:port ...
The "redirection" is done from the VPN server to the SQUID server. I don't have
special routing on SQUID's server; the reason is that from the VPN server I can
query an external web site if I use the non-intercept port (I have one that has
"intercept" and one without). So I assume routing is working fine. The
command I used is
curl -x http://<SQUID IP>:PORT www.cnn.com
Let me know if I need to add an additional iptables rule for this to work. If I
enter the proxy info wrong, curl just waits there (probably till timeout). If
address/port are correct but SQUID is not running, I get connection
refused. So it tells me routing from VPN to SQUID for port 80 seems to work,
but "intercept" is the reason I get access denied (I can't figure out why
yet, even with the full log). Where in the full log can I find why I get access
denied?
>
> > 2) in non-intercept mode why VPN client would have the missing hostname
> > in the request.
> >
>
> (2) is not clear what you mean. What do you see that is indicating a
> missing hostname ?
When I say the hostname is missing, it means I get (see my first post)
NONE/400 3544 GET / instead of TCP_MISS/403 3544 GET www.cnn.com/
I also use "cache deny all" (and http_access allow all, which I assume allows
access to everything; see my first post for the full config I have except these
two) to use no cache; not sure if that affects the outcome? I also had an
adapter which is disabled right now, but even enabled it produces the same result,
so it shouldn't matter (just thought to mention that).
Thanks
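As an added illustration of the two points raised in this thread (not code from the poster, from Squid, or from the Squid project), the following simplified Python model shows what an intercepting proxy needs to know about a redirected connection before it can forward it: the destination IP:port the client actually put in the TCP packet, and a Host header that resolves to that destination. The proxy address, intercept port, DNS table and sample requests are all constructed for the example; the log tags mimic the shape of Squid's access log but the decision logic is a teaching model, not Squid's implementation. It reproduces why NAT performed on the VPN server (or connecting straight to the intercept port with `curl -x`) leaves the proxy with no usable original destination, and why a request without a Host header shows up as "NONE/400 ... GET /" with no hostname.

```python
"""Simplified model of what an intercepting proxy must know about a redirected
connection before it can forward it.  Added illustration; not Squid source code.
All addresses, the DNS table and the sample requests are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

PROXY_IP = "192.0.2.10"          # the proxy box itself (constructed, TEST-NET-1)
INTERCEPT_PORT = 3129            # constructed intercept port number

# Stand-in for the resolver: hostname -> addresses it legitimately resolves to.
DNS = {
    "www.example.com": {"198.51.100.10"},
    "www.example.net": {"203.0.113.5"},
}


@dataclass
class Intercepted:
    orig_dst_ip: str              # destination IP the client put in the TCP packet,
    orig_dst_port: int            # ... and port, as recovered from the NAT/TPROXY table
    request_line: str             # first line of the HTTP request
    host_header: Optional[str]    # Host header value, or None when absent


def decide(conn: Intercepted) -> Tuple[str, str]:
    """Return (log_tag, reason) for an intercepted connection."""
    if conn.host_header is None:
        # Without Host the proxy cannot name the origin; the access log can only
        # show the path, which is what "NONE/400 ... GET /" looks like.
        return "NONE/400", "request has no Host header"
    host = conn.host_header.split(":", 1)[0]
    if conn.orig_dst_ip == PROXY_IP:
        # The packet's destination is the proxy itself.  Either NAT at the VPN/client
        # end already rewrote it, or the client connected straight to the intercept
        # port (curl -x).  The real origin is gone, so Host cannot be verified.
        return "TCP_DENIED/403", "original destination was rewritten before reaching the proxy"
    if conn.orig_dst_ip not in DNS.get(host, set()):
        # Host-forgery check: Host must resolve to the address the client connected to.
        return "TCP_DENIED/403", f"Host {host} does not resolve to {conn.orig_dst_ip}"
    return "TCP_MISS/200", f"forward to {conn.orig_dst_ip}:{conn.orig_dst_port} for {host}"


def log_line(conn: Intercepted) -> str:
    """Access-log-style summary: the hostname appears only when Host was present."""
    tag, _reason = decide(conn)
    method, target, _version = conn.request_line.split(" ", 2)
    if conn.host_header is None:
        url = target
    else:
        url = conn.host_header.split(":", 1)[0] + target
    return f"{tag} {method} {url}"


# Constructed sample connections covering the cases discussed in the thread.
SAMPLES = {
    # Routed untouched to the proxy box, NAT done there: forwardable.
    "routed": Intercepted("198.51.100.10", 80, "GET / HTTP/1.1", "www.example.com"),
    # NAT performed on the VPN server: destination already replaced by the proxy IP.
    "nat_at_vpn": Intercepted(PROXY_IP, INTERCEPT_PORT, "GET / HTTP/1.1", "www.example.com"),
    # Host header names a site the client did not actually connect to.
    "forged_host": Intercepted("198.51.100.10", 80, "GET / HTTP/1.1", "www.example.net"),
    # HTTP/1.0-style request with no Host header at all.
    "no_host": Intercepted("198.51.100.10", 80, "GET / HTTP/1.0", None),
}

if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        _tag, reason = decide(conn)
        print(f"{name:12} {log_line(conn):40} {reason}")
```

Running the block prints one line per sample; the "routed" case is the only one that forwards, the "no_host" case is the one whose log line carries no hostname, and both "nat_at_vpn" and "forged_host" are denied because the destination the client chose can no longer be reconciled with the Host header.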
Received on Thu Oct 24 2013 - 02:45:30 MDT
This archive was generated by hypermail 2.2.0 : Thu Oct 24 2013 - 12:00:07 MDT