[squid-users] squid "internal?" loop - with no firewall nat going on..?

Klavs Klavsen kl at vsen.dk
Thu Mar 12 13:37:53 UTC 2015

Amos Jeffries wrote on 03/12/2015 02:27 PM:
> On 13/03/2015 1:52 a.m., Klavs Klavsen wrote:
>> I'd rather not have to route everything (incl. normal ingoing web
>> traffic) through the squid box.. and the firewalls are proprietary stuff
>> - so can't install squid there :)
> You don't, port 80 TCP is all that *needs* it, and only for the traffic
> from clients you want to go through Squid.
so you're saying that I should set default gateway to point to squid - 
and then set up routes to the firewall for traffic I don't want to go 
through squid (internal stuff.. dns, rpm mirror etc.)

meaning that all traffic (not just port 80) to public internet addresses 
will go through squid. Since I have haproxy in front of the webservers - 
they'll respond to haproxy directly, and traffic to websites on the 
webservers won't go through squid.

> If you are passing outgoing web traffic through Squid the responses
> (incoming) have to come back through it.
can't I just masquerade/dnat outgoing traffic from squid server - so 
firewall will route response to it?

> If you have external stuff making requests to internal servers, that can
> be left alone in the same way Squid's outgoing traffic is.
> Are we talking more or less than 100Mbps of port 80 traffic here?
far far less :)

it's just a few api calls to facebook etc.

Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer
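As an added illustration of the point Amos makes above (only TCP port 80 from the chosen clients needs to reach the Squid box, everything else can keep the existing firewall as its gateway), here is a policy-routing script for a Linux client host. It is not from this thread or from the Squid project; the subnet, the Squid address and the mark/table numbers are constructed placeholders. It marks outbound TCP/80 that is not destined for the internal network and sends only those packets via Squid through a separate routing table; internal traffic (DNS, rpm mirror, the haproxy-fronted web servers) never sees the mark and follows the normal route. By default it only prints the commands; set APPLY=1 to run them (needs root, iptables and iproute2).

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. All values are constructed.
# Goal: route only outbound TCP port 80 to the public internet via the Squid box,
# leave everything else (and all internal destinations) on the existing gateway.
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/8}"   # hypothetical internal range to exclude
SQUID_IP="${SQUID_IP:-10.0.1.80}"            # hypothetical Squid box address
FW_MARK="${FW_MARK:-0x50}"                   # packet mark used to select the table
RT_TABLE="${RT_TABLE:-80}"                   # dedicated routing table number

# Print the commands that implement the policy (dry run by default).
squid_route_cmds() {
  cat <<EOF
iptables -t mangle -A OUTPUT ! -d $INTERNAL_NET -p tcp --dport 80 -j MARK --set-mark $FW_MARK
ip route replace default via $SQUID_IP table $RT_TABLE
ip rule add fwmark $FW_MARK lookup $RT_TABLE
EOF
}

# Print the matching teardown so the change can be reverted cleanly.
squid_route_undo_cmds() {
  cat <<EOF
ip rule del fwmark $FW_MARK lookup $RT_TABLE
ip route flush table $RT_TABLE
iptables -t mangle -D OUTPUT ! -d $INTERNAL_NET -p tcp --dport 80 -j MARK --set-mark $FW_MARK
EOF
}

# Count how many emitted commands touch port 80; used as a sanity check.
squid_route_port80_count() {
  squid_route_cmds | grep -c -- '--dport 80'
}

# Execute the commands only when explicitly asked to.
squid_route_apply() {
  squid_route_cmds | while read -r cmd; do
    echo "+ $cmd"
    eval "$cmd"
  done
}

if [ "${APPLY:-0}" = "1" ]; then
  squid_route_apply
else
  echo "# dry run; set APPLY=1 to execute:"
  squid_route_cmds
fi
```

Responses from Squid come back on the normal route because the client is talking to the Squid box's own address (in intercept mode Squid redirects port 80 to itself on that box), so no extra return route is needed on the client; the firewall side only has to allow the Squid box's own outbound traffic, as Amos notes.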
