[squid-users] intercepting traffic

Brendan Kearney bpk678 at gmail.com
Fri Nov 20 00:09:24 UTC 2015

On 11/18/2015 10:42 PM, Amos Jeffries wrote:
> On 19/11/2015 3:08 p.m., Brendan Kearney wrote:
>> I am trying to set up a transparent, intercepting squid instance,
>> alongside my existing explicit instance, and would like some input around
>> what i have buggered up so far.
>> i am running HAProxy in front of two squid instances, with the XFF
>> header added by HAProxy.  My squid configs are all set to follow the XFF
>> for the real source and logging is set up around digesting XFF for the
>> source.
>> i took my config and added:
>> http_port intercept
> This tells Squid you are intercepting the traffic between HAProxy and Squid.
> You describe HAProxy as explicitly sending traffic to the Squid, so
> there is no need for interception into Squid.
>> this tells me that i am getting to the squid instances via the load
>> balancer, but i am running into the "NAT must occur on the squid box"
>> rule, i think.
> Yes. That rule and the intercept option that causes it do not apply
> when the software sending traffic to Squid is explicitly configured.
> Such as you describe HAProxy being.
> Amos
when i put in just the DNAT that sends the traffic to the proxy VIP and 
load balances the requests to the squid instances on port 3128 (not the 
intercept port), i issue a curl command:

curl -vvv --noproxy squid-cache.org http://squid-cache.org/

and get an error page saying:

<p>The following error was encountered while trying to retrieve the URL: 
<a href="/">/</a></p>

<blockquote id="error">
<p><b>Invalid URL</b></p>

<p>Some aspect of the requested URL is incorrect.</p>

<p>Some possible problems are:</p>
<li><p>Missing or incorrect access protocol (should be <q>http://</q> or 
<li><p>Missing hostname</p></li>
<li><p>Illegal double-escape in the URL-Path</p></li>
<li><p>Illegal character in hostname; underscores are not allowed.</p></li>

is the DNAT stripping header info, such as the Host header, or am i 
still missing something?
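
Added example, not part of the original message and not Squid's own code: the error page above names the URL as "/", which matches the origin-form request-target that curl sends when --noproxy is in effect. The sketch below classifies request-targets per RFC 7230 section 5.3 and models, in simplified form, which URL an explicit (forward) port and an intercept port can each derive. The function names and the two sample requests are constructed for illustration.

```python
# Added example: request-target forms (RFC 7230 section 5.3) as seen by a proxy.
# Simplified model, not Squid's parser; sample requests are constructed.

def parse_head(raw: bytes):
    """Return (method, target, headers) from a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def target_form(method: str, target: str) -> str:
    """Name the request-target form used on the request line."""
    if target == "*":
        return "asterisk-form"
    if method == "CONNECT":
        return "authority-form"
    if target.startswith("/"):
        return "origin-form"
    if "://" in target:
        return "absolute-form"
    return "invalid"

def effective_url(raw: bytes, intercepted: bool):
    """URL the proxy can derive, or None if only a bare path is available.

    Explicit port: the client must send absolute-form.
    Intercept port: origin-form is expected and the URL is rebuilt from Host.
    """
    method, target, headers = parse_head(raw)
    form = target_form(method, target)
    if form == "absolute-form":
        return target
    if form == "origin-form" and intercepted and "host" in headers:
        return "http://" + headers["host"] + target
    return None

# Constructed: curl talking "directly" to the origin (as with --noproxy).
DIRECT = b"GET / HTTP/1.1\r\nHost: squid-cache.org\r\nAccept: */*\r\n\r\n"
# Constructed: the same fetch from a client configured to use a proxy.
PROXIED = b"GET http://squid-cache.org/ HTTP/1.1\r\nHost: squid-cache.org\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("proxied", PROXIED)):
        m, t, h = parse_head(raw)
        print(name, target_form(m, t), "host=" + h.get("host", "-"),
              effective_url(raw, False), effective_url(raw, True))
```

In the constructed direct request the Host header is present; what is missing on an explicit port is the scheme and host in the request line itself.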


