[squid-users] squid "internal?" loop - with no firewall nat going on..?

Klavs Klavsen kl at vsen.dk
Thu Mar 12 12:52:32 UTC 2015

I'd rather not have to route everything (incl. normal ingoing web 
traffic) through the squid box.. and the firewalls are proprietary stuff 
- so can't install squid there :)

It works fine in accel mode.. and I can limit what urls each client ip 
is able to access, and disable caching..

Shouldn't accel mode, for this use case (curl access from websites - all 
using http/1.1 with host header) be good enough - or are there security 
issues I am not aware of?

I realize I move the DNS lookup to the squid box - but that's actually 
what I want in this case.

Amos Jeffries wrote on 03/12/2015 01:05 PM:
> On 13/03/2015 12:27 a.m., Klavs Klavsen wrote:
>> Klavs Klavsen wrote on 03/12/2015 12:15 PM:
>>> the routing example didn't seem to work :(
>> As I understand it.. I can't use DNAT on client machine to get packages
>> to squid box.. and since it's locally generated packages(ie. I want to
>> capture on the clients - instead of capturing on their default gateway),
>> the packages only traverse POSTROUTING and OUTPUT..
>> any hints appreciated :)
> You can either, set the clients default gateway to be the Squid machine
> which just forwards non-HTTP packets on to the actual gateway router
> which is set as Squid machines default gateway.
> Or, add policy routing into the gateway router diverting just the port
> 80 traffic from the real clients (but excluding the Squid machine) to
> the Squid machine as its upstream router.
> In both those cases both the normal gateway and the Squid machine are
> configured as routers with the Squid machine using the real gateway as
> its default gateway.
> Or, you can run Squid on the main gateway router - provided it has
> enough memory for what you want it doing.
> You can also physically plug the Squid machine into the network path as
> a router before the main gateway router. This is same as the first
> option but hard-wired as well as configured.
> Capture wont work on client devices because Squid cant make system calls
> directly into their remote machines kernel / NAT driver. You end up with
> wrong IPs know to Squid and those loops.
> So, pick one of the two above options and lets see why the routing is
> "not working".
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer

More information about the squid-users mailing list