[squid-users] intercepting traffic

Brendan Kearney bpk678 at gmail.com
Fri Nov 20 00:09:24 UTC 2015


On 11/18/2015 10:42 PM, Amos Jeffries wrote:
> On 19/11/2015 3:08 p.m., Brendan Kearney wrote:
>> I am trying to set up a transparent, intercepting squid instance,
>> alongside my existing explicit instance, and would like some input around
>> what i have buggered up so far.
>>
>> i am running HAProxy in front of two squid instances, with the XFF
>> header added by HAProxy.  My squid configs are all set to follow the XFF
>> for the real source and logging is set up around digesting XFF for the
>> source.
>>
>> i took my config and added:
>> http_port 192.168.88.1:3129 intercept
> This tells Squid you are intercepting the traffic between HAProxy and Squid.
>
> You describe HAProxy as explicitly sending traffic to the Squid, so
> there is no need for interception into Squid.
>
>> this tells me that i am getting to the squid instances via the load
>> balancer, but i am running into the "NAT must occur on the squid box"
>> rule, i think.
> Yes. That rule and the intercept option that causes it do not apply
> when the software sending traffic to Squid is explicitly configured.
> Such as you describe HAProxy being.
>
> Amos
>
when i put in just the DNAT that sends the traffic to the proxy VIP and 
load balances the requests to the squid instances on port 3128 (not the 
intercept port), i issue a curl command:

curl -vvv --noproxy squid-cache.org http://squid-cache.org/

and get an error page saying:

...
<p>The following error was encountered while trying to retrieve the URL: 
<a href="/">/</a></p>

<blockquote id="error">
<p><b>Invalid URL</b></p>
</blockquote>

<p>Some aspect of the requested URL is incorrect.</p>

<p>Some possible problems are:</p>
<ul>
<li><p>Missing or incorrect access protocol (should be <q>http://</q> or 
similar)</p></li>
<li><p>Missing hostname</p></li>
<li><p>Illegal double-escape in the URL-Path</p></li>
<li><p>Illegal character in hostname; underscores are not allowed.</p></li>
</ul>

is the DNAT stripping header info, such as the Host header, or am i 
still missing something?

thanks,

brendan
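
An added illustration, not part of the original post or of Squid's code: with `--noproxy`, curl sends an origin-form request line (RFC 7230 section 5.3), so the request-target is just `/`, which matches the URL shown in the error page; DNAT rewrites addresses and ports, not the HTTP payload, so the Host header is still there. The sketch below classifies the request-target and shows where the full URL has to come from in each case. The function names and the two sample requests are constructed for this example.

```python
from urllib.parse import urlsplit

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def target_form(method: str, target: str) -> str:
    """Classify the request-target per RFC 7230 section 5.3."""
    if method == "CONNECT":
        return "authority-form"
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    parts = urlsplit(target)
    return "absolute-form" if parts.scheme and parts.netloc else "invalid"

def effective_url(raw: bytes, scheme: str = "http"):
    """Return (form, full URL or None) as a receiver has to derive it."""
    method, target, headers = parse_request(raw)
    form = target_form(method, target)
    if form == "absolute-form":
        return form, target  # the full URL is on the request line itself
    if form == "origin-form" and "host" in headers:
        # Only the path is on the request line; the host comes from Host.
        return form, f"{scheme}://{headers['host']}{target}"
    return form, None

# Constructed samples: a client with no proxy configured (what arrives
# after DNAT) and the same fetch from a client using an explicit proxy.
DIRECT = b"GET / HTTP/1.1\r\nHost: squid-cache.org\r\nAccept: */*\r\n\r\n"
VIA_PROXY = b"GET http://squid-cache.org/ HTTP/1.1\r\nHost: squid-cache.org\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("via proxy", VIA_PROXY)):
        print(label, parse_request(raw)[1], effective_url(raw))
```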

