[squid-users] intercept mode gives access denied

Robert Plamondon robert at plamondon.com
Thu Jan 14 17:25:16 UTC 2016


> You *must* perform the NAT on the machine Squid is running on for intercept
> mode to work.
>
> Doing it on any other router along the way will not work.
>

Unless I'm missing something, I'd phrase this differently: the NAT must not
be performed between the client and Squid. Squid is indifferent if NAT
occurs between itself and the server. So it's a matter of placing the two
functions in the right order along the network path.

(Example: my VDSL modem performs NAT, and the intercepting Squid instance
on my Linux LAN gateway box neither knows nor cares.)

If your router is some kind of Unix-like box, putting Squid on it may be
the most convenient path. If the router is underpowered, the local squid
can (often) be set up to avoid heavy lifting, with only a small RAM cache,
and forward everything to its smarter parent. (I haven't tried this on
anything in the low horsepower + high traffic realm, though.)

For a "real" router like a Cisco box, you can configure it to route
appropriate traffic to the Squid box before performing NAT, using WCCP or
policy-based routing, and let the router perform the NAT itself on the
output of the Squid box.

Good luck!

Robert

-- 
Robert Plamondon
robert at plamondon.com

Some of my web sites:
http://nortoncreekfarm.com. Our free-range chicken/egg farm.
http://nortoncreekpress.com. My little publishing house, mostly farming
books.
http://hypnosis-corvallis.com. My hypnotherapy site.
http://unlicensed-practitioner.com. Resources for Oregon's
alternative/exempt practitioners.
http://plamondon.com. My main site, with lots of poultry info.
http://karls-diabetes.blogspot.com
<http://karls-diabetes.blogspot.com/2011/11/keeping-carbs-down-and-ultimate-pbj.html>.
Adventures with an autistic/diabetic child.
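
Added example, not part of Robert's message and not Squid project code: a Python check over `iptables-save` output that tells destination NAT done on the Squid box apart from destination NAT done on another device in front of it, and ignores source NAT on the egress side. The rule sets, squid.conf lines, interface names and the 192.0.2.10 address are constructed samples, and the finding names are hypothetical.

```python
import re

# Constructed samples, not taken from the thread.
SQUID_CONF = "http_port 3128\nhttp_port 3129 intercept\n"
# Squid box: local REDIRECT in front of Squid, MASQUERADE on the way out.
RULES_ON_SQUID_BOX = """*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""
# Separate router that rewrites port 80 traffic toward the proxy host.
RULES_ON_ROUTER = """*nat
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3129
COMMIT
"""

def intercept_ports(conf):
    """Ports that squid.conf declares with the 'intercept' flag."""
    ports = set()
    for line in conf.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 3 and f[0] == "http_port" and "intercept" in f[2:]:
            ports.add(int(f[1].rsplit(":", 1)[-1]))
    return ports

def audit(rules, conf, squid_addrs, on_squid_box):
    """Classify port-80 PREROUTING NAT rules; POSTROUTING NAT is ignored
    because it happens after Squid on the path to the server."""
    ports, findings = intercept_ports(conf), []
    for line in rules.splitlines():
        if not line.startswith("-A PREROUTING"):
            continue
        if not re.search(r"--dport 80\b", line):
            continue
        m = re.search(r"-j REDIRECT --to-ports (\d+)", line)
        if m and on_squid_box:
            ok = int(m.group(1)) in ports
            findings.append("ok-local-redirect" if ok
                            else "redirect-to-non-intercept-port")
            continue
        m = re.search(r"-j DNAT --to-destination ([\d.]+):(\d+)", line)
        if m and m.group(1) in squid_addrs:
            # Off the Squid host, this rewrites the destination before Squid
            # sees the packet: NAT between the client and Squid.
            findings.append("ok-local-dnat" if on_squid_box
                            else "nat-before-squid")
    return findings or ["no-port-80-nat"]

if __name__ == "__main__":
    print(audit(RULES_ON_SQUID_BOX, SQUID_CONF, {"192.0.2.10"}, True))
    print(audit(RULES_ON_ROUTER, SQUID_CONF, {"192.0.2.10"}, False))
```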