[squid-users] squid "internal?" loop - with no firewall nat going on..?
Klavs Klavsen
kl at vsen.dk
Thu Mar 12 13:37:53 UTC 2015
Amos Jeffries wrote on 03/12/2015 02:27 PM:
> On 13/03/2015 1:52 a.m., Klavs Klavsen wrote:
>> I'd rather not have to route everything (incl. normal incoming web
>> traffic) through the squid box.. and the firewalls are proprietary stuff
>> - so can't install squid there :)
>
> You don't, port 80 TCP is all that *needs* it, and only for the traffic
> from clients you want to go through Squid.
>
so you're saying that I should set the default gateway to point to squid -
and then set up routes to the firewall for traffic I don't want to go
through squid (internal stuff.. dns, rpm mirror etc.),
meaning that all traffic (not just port 80) to public internet addresses
will go through squid. Since I have haproxy in front of the webservers -
they'll respond to haproxy directly, and traffic to websites on the
webservers won't go through squid.
> If you are passing outgoing web traffic through Squid the responses
> (incoming) have to come back through it.
>
Can't I just masquerade/DNAT outgoing traffic from the squid server, so the
firewall will route the response to it?
> If you have external stuff making requests to internal servers, that can
> be left alone in the same way Squid' outgoing traffic is.
>
> Are we talking more or less than 100Mbps of port 80 traffic here?
>
Far, far less :)
It's just a few API calls to Facebook etc.
--
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
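The setup Klavs is describing above (the Squid box as the clients' default gateway, only TCP port 80 intercepted, and the box masquerading what it sends toward the firewall so the replies come back to it) is sketched below as an added example; it is not from the thread or from the Squid project. The interface names (eth0 toward the clients, eth1 toward the firewall), the intercept port 3129 (which would need a matching `http_port 3129 intercept` line in squid.conf, separate from the normal 3128 listener) and the dry-run/APPLY switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the squid-users thread: iptables rules for a Squid
# box that is the clients' default gateway, intercepts only TCP/80 and
# masquerades everything it sends toward the firewall.
# Assumed names (not in the thread): eth0 = client side, eth1 = firewall side,
# 3129 = Squid's intercept listener ("http_port 3129 intercept" in squid.conf).
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"

# Emit the rule set one command per line, so it can be reviewed first and
# then piped to sh. Lines starting with '#' are comments for the reader.
squid_gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Clients' port-80 traffic arriving on the client-side interface goes to Squid.
# Only PREROUTING is touched: Squid's own upstream fetches are locally generated
# and traverse OUTPUT, so they are never redirected back into Squid. A second
# interceptor on the path (e.g. on the firewall) would still loop them; keep
# port 80 from this box exempt there.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $INTERCEPT_PORT
# Everything leaving toward the firewall (Squid's upstream requests and any
# non-80 client traffic this box forwards) gets this box's address as source,
# so the firewall routes the replies back here without any extra routes.
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
# Forward the client traffic that was not intercepted, and its replies.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Dry run by default (prints the commands); APPLY=1 executes them as root.
if [ "${APPLY:-0}" = "1" ]; then
    squid_gateway_rules | sh -e
else
    squid_gateway_rules
fi
```

Traffic the box should not carry at all (DNS, the rpm mirror, and the other internal services Klavs mentions) is kept off it by the more specific routes on the clients that point straight at the firewall, not by these rules; the MASQUERADE line only rewrites what actually leaves through eth1.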