[squid-users] intercepting traffic

Amos Jeffries squid3 at treenet.co.nz
Fri Nov 20 04:12:02 UTC 2015

On 20/11/2015 1:09 p.m., Brendan Kearney wrote:
> when i put in just the DNAT that sends the traffic to the proxy VIP and
> load balances the requests to the squid instances on port 3128 (not the
> intercept port), i issue a curl command:
> curl -vvv --noproxy squid-cache.org http://squid-cache.org/
> and get an error page saying:
> ...
> <p>The following error was encountered while trying to retrieve the URL:
> <a href="/">/</a></p>
> is the DNAT stripping header info, such as the Host header, or am i
> still missing something?

HTTP != TCP/IP ... DNAT is only changing the IP:port details.

Whatever is receiving the packet from DNAT has to also translate the
HTTP layer messages from origin relative-URI format to intermediary
absolute-URI format.

That rule-of-thumb "MUST rule" you mentioned earlier is about those two
DNAT and HTTP translation operations being required to be done together
on the same machine. It is not limited to Squid. It could be HAProxy or
some other LB software responsible for doing it.

Squid is just the only software which actually tells you up front about
the issue, instead of leaving other software later on down the transfer
chain (possibly in somebody else's network) to break with errors like you
see above.

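Added example, not code from the thread or from Squid: the HTTP-layer translation described above, in Python. It rebuilds the absolute-URI an intermediary needs from an origin-form request line plus the Host header, and falls back to the DNAT original destination (constructed `orig_dst` values; in practice only the NAT host can recover these from its own connection-tracking table, which is why the two operations belong on the same machine).

```python
"""Rebuild the absolute-URI an intermediary needs from an intercepted,
origin-form HTTP request. Example code, not part of the squid-users thread."""
from typing import Dict, Optional, Tuple


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, version, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def absolute_uri(raw: bytes, orig_dst: Optional[Tuple[str, int]] = None) -> str:
    """Return the absolute-URI for a request that arrived via DNAT.

    DNAT only rewrote IP:port; nothing in the TCP layer tells the receiver
    which origin the client meant. That has to come from the HTTP layer
    (Host) or from the NAT table of the machine that performed the DNAT,
    passed here as the constructed orig_dst=(ip, port).
    """
    _method, target, _version, headers = parse_request(raw)
    if target.startswith("http://") or target.startswith("https://"):
        return target  # already absolute-form, as a forward-proxy client sends it
    host = headers.get("host")
    if host:
        return f"http://{host}{target}"
    if orig_dst is not None:
        ip, port = orig_dst
        authority = ip if port == 80 else f"{ip}:{port}"
        return f"http://{authority}{target}"
    # Neither layer names the origin: all the intermediary has is "/".
    raise ValueError(f"cannot build absolute-URI for {target!r}: no Host header")


if __name__ == "__main__":
    # Constructed request, shaped like the curl call in the thread.
    req = b"GET / HTTP/1.1\r\nHost: squid-cache.org\r\nUser-Agent: curl\r\n\r\n"
    print(absolute_uri(req))                       # http://squid-cache.org/
    old = b"GET /index.html HTTP/1.0\r\n\r\n"      # constructed HTTP/1.0, no Host
    print(absolute_uri(old, ("192.0.2.10", 8080)))  # http://192.0.2.10:8080/index.html
```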