[squid-users] Zyxel USG20 and Squid 3.3

Amos Jeffries squid3 at treenet.co.nz
Fri May 22 12:11:47 UTC 2015


NP: It's too late now, but please in future start new threads for new
topics. It seriously screws up reading for those of us with threaded
mailers or forum-style mirrors of the mailing list like Nabble.


On 22/05/2015 11:18 p.m., wn48z wrote:
> For a long time I've been trying to upgrade from Squid 2.7 to 3.x but every
> try has failed up to now.
> 
> I use a ZyXel USG 20 firewall with LAN and DMZ Zone. The Squid proxy
> server (MySquid) is running inside the DMZ with a single IP. The Zyxel
> USG 20 has an option for a "HTTP Redirect". This is defined like:
> 
> Forward all HTTP Request from LAN to WAN to MySquid Port 3128.

Sounds like a nasty recipe for trouble forwarding all your LAN traffic
via somewhere on the Internet to your internal proxy. I hope that is
just terrible documentation on the part of the firewall authors.


The answer to your problem sits in how this firewall feature actually
works...

* If that's a fancy name for NAT or NAPT / port-forwarding then it's not
usable to get traffic to Squid.

* If it's a mini proxy relaying the traffic then Squid should be set up
with a regular forward-proxy port to receive it.

* If it's something else, it may or may not be workable.

Squid requires firewalls and routers on other machines to be doing
Layer-2 (routing) or Layer-3 (tunneling) packet forwarding without the
IP address destroying operations that NAT does.


> On MySquid, a Squid 2.7 stable version is running with this setting:
> 
> http_port 3128 transparent
> 
> It works fine - any HTTP requests from LAN go through the MySquid Proxy.
> 

Well it *seems* to work. But only because Squid-2.7 was lying to you in
its logs.

Old Squid like 2.7 would take the most outrageous lies and forgery in
the TCP/IP packets and believe them. But it would log the HTTP level
details and tell you it was going to the place the client wanted, even if
the client would actually have gone to some other server entirely had
Squid not been there in the path.

3.2 and later contain a bit more security to ensure the traffic actually
goes to the server the client was connecting to (ORIGINAL_DST or a
properly DNS listed equivalent with the same domain name).


Your firewall though is telling your Squid that the web server the
client was visiting is hosted at SquidIP:3128. NAT lies!

> But that is no option - I can't and will not define manual proxy settings for any client in the LAN :-(

No need to fear manual configuration. At the very least WPAD
auto-configuration is your friend.


You also have the easier option of placing the Squid machine physically
in the network path before or after the ZyXel. Configure the Squid box
as a bridge + router, with NAT on that same box sending port 80 traffic
through Squid, as is required to make interception work.

Amos
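The destination check described in the reply, as an added illustration that is not Squid's own code: a small Python model of why a 2.7 access log could name one server while the bytes went to another, why 3.2 and later reject that, and why a DNAT performed on the ZyXel rather than on the Squid box leaves the proxy nothing to verify against. Apart from port 3128, which comes from the thread, the addresses, the in-memory resolver table and all class and function names are constructed for the example; the real Squid logic (see the host_verify_strict directive) has more cases than this model.

```python
"""Model of Squid 3.2+ Host verification on intercepted traffic, contrasted
with the 2.7 behaviour described in the reply. Added example, not Squid
source. Addresses, DNS table and names are constructed so it runs offline."""
from dataclasses import dataclass
import ipaddress

# Constructed resolver table (assumption: only these records exist).
DNS = {
    "www.example.com": {"93.184.216.34"},
    "cdn.example.com": {"93.184.216.34", "93.184.216.35"},
}

PROXY_IP = "192.0.2.10"   # constructed address for MySquid in the DMZ
PROXY_PORT = 3128         # the port used in the thread


@dataclass
class Intercepted:
    """What the proxy learns about one intercepted TCP connection."""
    original_dst_ip: str    # TCP-level destination when the connection was accepted
    original_dst_port: int
    host_header: str        # what the client claims in the HTTP Host: header


def split_host(host_header, default_port=80):
    """Split 'name', 'name:port' or '[v6addr]:port' into (name, port).
    Bare unbracketed IPv6 literals are not valid Host values and are not handled."""
    if host_header.startswith("["):
        name, _, rest = host_header[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else default_port
        return name, port
    name, sep, port = host_header.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return host_header, default_port


def squid27_logged_url(conn):
    """2.7 built the logged URL from the Host header alone, so the access log
    shows the client's claim, not where the TCP connection actually went."""
    return f"http://{conn.host_header}/"


def squid32_verify(conn, proxy_ip=PROXY_IP, proxy_port=PROXY_PORT):
    """Simplified 3.2+ rule: accept only if the TCP destination is the Host IP
    literal itself, or one of the addresses the Host name resolves to, on the
    same port. Returns (accepted, reason)."""
    if (conn.original_dst_ip, conn.original_dst_port) == (proxy_ip, proxy_port):
        # Remote DNAT rewrote the destination to us; the real one is gone.
        return False, "ORIGINAL_DST is the proxy itself: NAT on another box erased the real destination"
    name, port = split_host(conn.host_header)
    if port != conn.original_dst_port:
        return False, f"Host port {port} != TCP port {conn.original_dst_port}"
    try:
        literal = ipaddress.ip_address(name)
    except ValueError:
        literal = None
    if literal is not None:
        if literal == ipaddress.ip_address(conn.original_dst_ip):
            return True, "Host is the IP literal the client connected to"
        return False, "Host IP literal does not match ORIGINAL_DST"
    if conn.original_dst_ip in DNS.get(name.lower(), set()):
        return True, f"{name} resolves to ORIGINAL_DST"
    return False, f"{name} does not resolve to {conn.original_dst_ip}"


# Constructed scenarios: honest client, forged Host header, firewall DNAT, etc.
CASES = {
    "honest client": Intercepted("93.184.216.34", 80, "www.example.com"),
    "forged Host, real dst elsewhere": Intercepted("198.51.100.7", 80, "www.example.com"),
    "remote NAT to SquidIP:3128": Intercepted(PROXY_IP, PROXY_PORT, "www.example.com"),
    "IP literal Host": Intercepted("93.184.216.35", 80, "93.184.216.35"),
    "Host port mismatch": Intercepted("93.184.216.34", 80, "www.example.com:8080"),
}

if __name__ == "__main__":
    for label, conn in CASES.items():
        ok, why = squid32_verify(conn)
        verdict = "accept" if ok else "reject"
        print(f"{label:33} 2.7 logs {squid27_logged_url(conn):30} 3.2: {verdict} ({why})")
```

The second case is the one the reply warns about: 2.7 logs http://www.example.com/ although the connection was to 198.51.100.7, so the log is useless as evidence of where traffic went. The third case is the poster's setup: once the ZyXel has rewritten the destination to SquidIP:3128 there is no original destination left to compare with, which is why the NAT has to happen on the Squid box itself.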
