[squid-users] TCP-MISS 503 for wrong destination ip
Antony.Stone at squid.open.source.it
Tue Nov 24 12:41:34 UTC 2015
On Tuesday 24 November 2015 at 13:34:51, Ahmad Alzaeem wrote:
> Well , what I have done is :
> I configured squid http_port xx and http_port xxy intercept
> And uses iptables to redirect http & https to squid ports
1. Have you fixed DNS so that clients are now resolving the correct addresses
for destination servers?
2. Are you performing NAT *only* on the machine where Squid is running?
> But it don’t work and I have logs :
> 1448121527.423 10.1.1.1 TCP_MISS/503 4183 GET http://cnn.com/ -
> ORIGINAL_DST/10.159.144.206 text/html 1448121554.217 10.1.1.1
> TCP_MISS/503 4771 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206
> text/html 1448121555.574 10.1.1.1 TCP_MISS/503 4685 GET
> http://cnn.com/favicon.ico - ORIGINAL_DST/10.159.144.206 text/html
> As u see the ds tip is wrong and its spoofed with 10.159.144.206
Do you know where that IP address comes from? Is your DNS still broken, is
this the IP address of the Squid server, does it mean anythign at all in your
> So how to let squid bypass checking it ?
It's not a matter of bypassing Squid checking it - it's a matter of making it
correct so that the checks do not fail.
> Is my way above wrong ?
I think so, but please answer the questions above so we can be more sure.
> U say we need proxy mode ??
> How should I implement proxy mode since user will not put ip:port in his
Use DHCP options and/or WPAD.
> Thanks a lot for helping
Please do not reply to (or CC) me - please just reply to the list.
"Black holes are where God divided by zero."
- Steven Wright
Please reply to the list;
please *don't* CC me.
More information about the squid-users