[squid-users] squid "internal?" loop - with no firewall nat going on..?
Klavs Klavsen
kl at vsen.dk
Tue Mar 10 15:08:51 UTC 2015
hmm..
I've read the config examples..
I would very much like to understand how/why it works, if I've setup a
client to route package to squid (instead of trying to send directly)..
I'm trying to follow this on a test client (haven't gotten it working yet):
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
(where squid is amongst the internal clients - actually on it's own vlan
- but it's not the default route)
meanwhile I tried pointing to the haproxy - which then forwards requests
in tcp mode, to squid server port 3129.
If I just send to haproxy directly, I get the loop and this in the
accesslog:
1425998994.271 0 10.43.18.165 TCP_MISS_ABORTED/000 0 GET
http://www.bt.dk/ - ORIGINAL_DST/10.43.18.165 -
when doing:
curl -H "Host: www.bt.dk" http://proxy-haproxy-ip/
10.43.18.165 is the ip of squid server behind haproxy.
Antony Stone wrote on 03/10/2015 03:18 PM:
> On Tuesday 10 March 2015 at 15:09:14 (EU time), Klavs Klavsen wrote:
>
>> so intercept mode is only used, if you actually do the nat'ing on the
>> same server as squid is running..
>
> You can do the NATting somewhere else; the important point is that the traffic
> must be NATted, not direct.
>
>> ie. I should use accel mode instead in my use case?
>
> NO. Accelerator mode is entirely different (from both intercept mode and
> normal Squid usage). Accelerator mode is for placing squid in front of a
> specific web server (or a bunch of them, but not the entire Internet). It is
> not for enabling clients to connect to the Internet in general.
>
>
> Regards,
>
>
> Antony.
>
--
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
More information about the squid-users
mailing list