[squid-users] Squid Intercept - From inside LAN with DNAT on router and docker on host

Amos Jeffries squid3 at treenet.co.nz
Thu Jul 21 06:07:25 UTC 2016


On 21/07/2016 8:50 a.m., Antony Stone wrote:
> On Wednesday 20 July 2016 at 22:44:46, Bruno de Paula Larini wrote:
> 
>> Em 20/07/2016 17:10, Antony Stone escreveu:
>>>
>>> You *must* perform the DNAT on the machine running Squid, which means that
>>> the packets from your clients must pass through the Squid server, either
>>> because it is in the default route, or because you use some form of policy
>>> routing (not NAT) to direct port 80 requests through it.
>>
>> If that's the case I think it would be better if the document instructed
>> to use REDIRECT --to-port instead of DNAT as an implicit way to explain that.

Primarily because the document you are looking at, Bruno, is the one for
DNAT. There is a different config example for REDIRECT:
 <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>

> 
> What is unclear about:
> 
> *NOTE:* This configuration is given for use *on the squid box*. This is 
> required to perform intercept accurately and securely.  To intercept from a 
> gateway machine and direct traffic at a separate squid box use policy routing. 
> 
> ?
> 
> 
> Antony.
> 

As to why we even have a DNAT page: that is because at high traffic
loads DNAT is measurably faster for iptables to perform than REDIRECT.
On machinery where the IPs are static and performance is needed, DNAT
*on the same machine* is the best way to go.

Amos
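The two placements discussed in this thread, as an added example that is not part of the list post or of the Squid wiki pages it references: DNAT (or REDIRECT) applied on the Squid box itself, and, when Squid lives on a different host than the gateway, policy routing on the gateway with no NAT at all. The reason the NAT step has to be on the Squid host is that Squid recovers the client's original destination from the NAT table of the kernel it is running on; a DNAT performed on the router leaves that table empty on the Squid box. The addresses, interface name, port and table number below are assumptions; with DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values: LAN 192.168.1.0/24,
# Squid box 192.168.1.2 with an intercept listener on 3129, LAN interface eth0.
DRY_RUN="${DRY_RUN:-1}"
LAN_NET="192.168.1.0/24"
SQUID_IP="192.168.1.2"
SQUID_PORT="3129"
LAN_IF="eth0"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Layout A: interception on the Squid host using DNAT (the page the thread is
# about). The NAT entry is created on the same kernel Squid runs on, so Squid
# can look up the original destination of every intercepted connection.
# Traffic already addressed to the Squid box itself is left alone.
squid_box_dnat() {
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$SQUID_IP" \
      -p tcp --dport 80 -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
}

# Layout B: same placement with REDIRECT, which needs no fixed IP but, as the
# thread notes, costs more than DNAT at high load.
squid_box_redirect() {
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$SQUID_IP" \
      -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# Gateway side when Squid is a separate box: no NAT here. Port-80 flows from the
# LAN are marked and handed to the Squid box as next hop via a policy-routing
# table; the DNAT/REDIRECT rule above then runs on the Squid box on arrival.
gateway_policy_routing() {
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$SQUID_IP" \
      -p tcp --dport 80 -j MARK --set-mark 1
  run ip rule add fwmark 1 table 100
  run ip route add default via "$SQUID_IP" dev "$LAN_IF" table 100
}

# Guard for the layout the original poster tried (DNAT on the router pointing
# at a Squid host elsewhere). $1 = host applying the NAT rule, $2 = host
# running Squid. Returns 1 so a deploy script can refuse to continue.
check_placement() {
  if [ "$1" != "$2" ]; then
    echo "interception NAT must be applied on the squid host ($2), not on $1" >&2
    return 1
  fi
  return 0
}

# Usage: DRY_RUN=1 sh intercept-layout.sh
check_placement squidbox squidbox && squid_box_dnat
gateway_policy_routing
```

Running with DRY_RUN=0 on the respective hosts applies the rules; the Squid box additionally needs `http_port 3129 intercept` in squid.conf, and the gateway must not carry a REDIRECT or DNAT rule for that traffic.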