[squid-users] Squid Intercept - From inside LAN with DNAT on router and docker on host

Guilherme Scaglia cadastros.scaglia at gmail.com
Thu Jul 21 12:00:50 UTC 2016


Amos,

> There is a different config example for REDIRECT
> <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>

Ty, I'm going to try it using REDIRECT. I was unwilling to follow the DNAT
guide because of having to enable IP forwarding on a non-router machine.
The REDIRECT version seems cleaner and is similar to what I've been doing
using the embedded proxy on the Mikrotik router.

Antony,

> That won't work.  You *must* perform the DNAT on the machine running Squid

Just for curiosity's sake, why is there such a restriction? I thought Squid
didn't enter the picture until after the DNAT was done, and that by then it
wouldn't know where it happened. Does it somehow query the system to learn
the original request destination? Wouldn't simply relying on the Host
header of the request suffice?

Ty.

2016-07-21 3:07 GMT-03:00 Amos Jeffries <squid3 at treenet.co.nz>:

> On 21/07/2016 8:50 a.m., Antony Stone wrote:
> > On Wednesday 20 July 2016 at 22:44:46, Bruno de Paula Larini wrote:
> >
> >> Em 20/07/2016 17:10, Antony Stone escreveu:
> >>>
> >>> You *must* perform the DNAT on the machine running Squid, which means that
> >>> the packets from your clients must pass through the Squid server, either
> >>> because it is in the default route, or because you use some form of policy
> >>> routing (not NAT) to direct port 80 requests through it.
> >>
> >> If that's the case I think it would be better if the document instructed
> >> to use REDIRECT --to-port instead of DNAT as an implicit way to explain that.
>
> Primarily because the document you are looking at Bruno is the one for
> DNAT. There is a different config example for REDIRECT
>  <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
>
> >
> > What is unclear about:
> >
> > *NOTE:* This configuration is given for use *on the squid box*. This is
> > required to perform intercept accurately and securely.  To intercept from a
> > gateway machine and direct traffic at a separate squid box use policy routing.
> >
> >       ?
> >
> >
> > Antony.
> >
>
> As to why we even have a DNAT page. That is because at high traffic
> loads DNAT is measurably faster for iptables to perform than REDIRECT.
> On machinery where the IPs are static and performance is needed, DNAT
> *on the same machine* is the best way to go.
>
> Amos
>
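The question above about how Squid learns the original destination, as an added example that is not from this thread or from Squid's source: on Linux an intercepting proxy asks the kernel's NAT table for the pre-NAT address through SO_ORIGINAL_DST, which only exists on the host that performed the DNAT/REDIRECT (hence the "on the squid box" note), and the client-supplied Host header is then only a cross-check, never the source of truth. Function names and the sample addresses are constructed for this illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#ifdef __linux__
#include <linux/netfilter_ipv4.h>   /* defines SO_ORIGINAL_DST */
#endif

/* Ask the kernel's conntrack table for the pre-NAT destination of an
 * accepted TCP socket. Only the host that performed the DNAT/REDIRECT holds
 * that entry, so this fails when NAT was done on a separate router.
 * Returns 0 on success, -1 (errno set) when no mapping exists here. */
int original_destination(int fd, struct sockaddr_in *orig) {
#ifdef __linux__
    socklen_t len = sizeof(*orig);
    return getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, orig, &len);
#else
    (void)fd; (void)orig; errno = ENOTSUP; return -1;
#endif
}

/* Cross-check the client-supplied Host header against the kernel-reported
 * destination. The header is attacker-controlled, so it is a sanity check on
 * top of the NAT lookup, not a replacement for it. Only IPv4 literals are
 * compared here; returns 1 on match, 0 on mismatch or malformed header, and
 * -1 when Host is a name that must be resolved before it can be compared. */
int host_matches_destination(const char *host_header, const struct sockaddr_in *orig) {
    char host[256];
    uint16_t port = 80;                      /* intercepted plain HTTP */
    const char *colon = strrchr(host_header, ':');
    size_t n = colon ? (size_t)(colon - host_header) : strlen(host_header);
    if (n == 0 || n >= sizeof host) return 0;
    memcpy(host, host_header, n); host[n] = '\0';
    if (colon) { long p = strtol(colon + 1, NULL, 10); if (p < 1 || p > 65535) return 0; port = (uint16_t)p; }
    struct in_addr claimed;
    if (inet_pton(AF_INET, host, &claimed) != 1) return -1;   /* hostname: DNS first */
    return claimed.s_addr == orig->sin_addr.s_addr && port == ntohs(orig->sin_port);
}

/* Convenience wrapper: build the kernel-reported address from a literal
 * (constructed stand-in for what original_destination() would return). */
int check_host(const char *host_header, const char *orig_ip, uint16_t orig_port) {
    struct sockaddr_in d;
    memset(&d, 0, sizeof d);
    d.sin_family = AF_INET;
    d.sin_port = htons(orig_port);
    inet_pton(AF_INET, orig_ip, &d.sin_addr);
    return host_matches_destination(host_header, &d);
}
```

Wiring this into an accept() loop is straightforward: call original_destination() on the new socket, refuse the connection if it fails, and only then compare the parsed request line's Host header against the result.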