[squid-users] intercept mode gives access denied

Antony Stone Antony.Stone at squid.open.source.it
Thu Jan 14 19:12:58 UTC 2016


On Thursday 14 January 2016 at 18:25:16, Robert Plamondon wrote:

> > You *must* perform the NAT on the machine Squid is running on for
> > intercept mode to work.
> > 
> > Doing it on any other router along the way will not work.
> 
> Unless I'm missing something, I'd phrase this differently: the NAT must not
> be performed between the client and Squid. Squid is indifferent if NAT
> occurs between itself and the server. So it's a matter of placing the two
> functions in the right order along the network path.

Yes.

I was referring to the specific Destination NAT operation which changes the 
destination address of the HTTP requests from their original (the web server), 
to be the IP address of the Squid machine.

I think it's safe to say that any Source NAT operation is safe at any point 
along the route.


Antony.

> (Example: my VDSL modem performs NAT, and the intercepting Squid instance
> on my Linux LAN gateway box neither knows nor cares.)
> 
> If your router is some kind of Unix-like box, putting Squid on it may be
> the most convenient path. If the router is underpowered, the local squid
> can (often) be set up to avoid heavy lifting, with only a small RAM cache,
> and forward everything to its smarter parent. (I haven't tried this on
> anything in the low horsepower + high traffic realm, though.)
> 
> For a "real" router like a Cisco box, you can configure it to route
> appropriate traffic to the Squid box before performing NAT, using WCCP or
> policy-based routing, and let the router perform the NAT itself on the
> output of the Squid box.
> 
> Good luck!
> 
> Robert

-- 
A user interface is like a joke.
If you have to explain it, it didn't work.

                                                   Please reply to the list;
                                                         please *don't* CC me.
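
An added example, not part of the original thread: a check to run on the Squid host that the destination NAT feeding its intercept port is done in that host's own nat table, as the message above requires. The port 3129, the interface names and all sample rules and config lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, run on the Squid host. Sample data at the bottom is constructed.

# Ports of every "http_port ... intercept" line in a squid.conf ($1).
intercept_ports() {
    awk '$1 == "http_port" { for (i = 3; i <= NF; i++) if ($i == "intercept") {
             n = split($2, a, ":"); print a[n]; break } }' "$1"
}

# Ports that nat/PREROUTING rules for TCP port 80 redirect to, from an
# iptables-save dump ($1): REDIRECT --to-ports N or DNAT --to-destination ADDR:N.
local_dnat_ports() {
    awk '/^\*/ { table = $1 }
         table == "*nat" && $1 == "-A" && $2 == "PREROUTING" {
             dport = ""; port = ""
             for (i = 3; i < NF; i++) {
                 if ($i == "--dport") dport = $(i + 1)
                 if ($i == "--to-ports") port = $(i + 1)
                 if ($i == "--to-destination" && split($(i + 1), a, ":") == 2) port = a[2]
             }
             if (dport == "80" && port != "") print port
         }' "$1"
}

# Succeeds only if every intercept port is the target of a local rule.
check_intercept() {   # $1 = iptables-save dump, $2 = squid.conf
    ports=$(intercept_ports "$2")
    [ -n "$ports" ] || { echo "no intercept port configured"; return 1; }
    rc=0
    for p in $ports; do
        if local_dnat_ports "$1" | grep -qx "$p"; then
            echo "OK: port $p is fed by a local nat/PREROUTING rule"
        else
            echo "FAIL: port $p has no local DNAT/REDIRECT rule"; rc=1
        fi
    done
    return $rc
}

# Constructed samples: a squid.conf, a host that does the DNAT itself, and a
# host that only does source NAT (the DNAT would be on some other router).
d=$(mktemp -d)
printf 'http_port 3128\nhttp_port 3129 intercept\n' > "$d/squid.conf"
printf '*nat\n-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129\nCOMMIT\n' > "$d/local.rules"
printf '*nat\n-A POSTROUTING -o eth0 -j MASQUERADE\nCOMMIT\n' > "$d/remote.rules"
check_intercept "$d/local.rules" "$d/squid.conf"
check_intercept "$d/remote.rules" "$d/squid.conf" || true
```

On a live host the first argument would be the saved output of `iptables-save -t nat` and the second the path to the running squid.conf.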

