[squid-users] intercepting traffic
bpk678 at gmail.com
Fri Nov 20 00:09:24 UTC 2015
On 11/18/2015 10:42 PM, Amos Jeffries wrote:
> On 19/11/2015 3:08 p.m., Brendan Kearney wrote:
>> I am trying to set up a transparent, intercepting squid instance,
>> alongside my existing explicit instance, and would like some input around
>> what i have buggered up so far.
>> i am running HAProxy in front of two squid instances, with the XFF
>> header added by HAProxy. My squid configs are all set to follow the XFF
>> for the real source and logging is set up around digesting XFF for the
>> i took my config and added:
>> http_port 192.168.88.1:3129 intercept
> This tells Squid you are intercepting the traffic between HAProxy and Squid.
> You describe HAProxy as explicitly sending traffic to the Squid, so
> there is no need for interception into Squid.
>> this tells me that i am getting to the squid instances via the load
>> balancer, but i am running into the "NAT must occur on the squid box"
>> rule, i think.
> Yes. That rule and the intercept option that causes it do not apply
> when the software sending traffic to Squid is explicitly configured.
> Such as you describe HAProxy being.
when i put in just the DNAT that sends the traffic to the proxy VIP and
load balances the requests to the squid instances on port 3128 (not the
intercept port), i issue a curl command:
curl -vvv --noproxy squid-cache.org http://squid-cache.org/
and get an error page saying:
<p>The following error was encountered while trying to retrieve the URL:
<p>Some aspect of the requested URL is incorrect.</p>
<p>Some possible problems are:</p>
<li><p>Missing or incorrect access protocol (should be <q>http://</q> or
<li><p>Illegal double-escape in the URL-Path</p></li>
<li><p>Illegal character in hostname; underscores are not allowed.</p></li>
is the DNAT stripping header info, such as the Host header, or am i
still missing something?