<div dir="ltr"><span style="font-size:12.8px">Amos,</span><span class="im" style="font-size:12.8px"><div><br></div><div>> <span style="font-size:12.8px">There is a different config example for REDIRECT </span><span style="font-size:12.8px"><</span><a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect" rel="noreferrer" target="_blank" style="font-size:12.8px">http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect</a><span style="font-size:12.8px">></span></div><div><br></div></span><div style="font-size:12.8px">Ty, I'm going to try it using REDIRECT. I was unwilling to follow the DNAT guide because of having to enable ip-forwarding in a non-router machine. The REDIRECT version seems cleaner and is similar to what I've being doing using the embedded proxy on the Mikrotik router.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Antony,</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">> <span style="font-size:12.8px">That won't work. You *must* perform the DNAT on the machine running Squid</span></div><div style="font-size:12.8px"><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Just for curiosity's sake, why there is such restriction? I thought squid didn't entered the picture until after DNAT was done, and that by then it wouldn't know where it happened. Does it somehow queries the system to know the original request destination? Wouldn't simply relying on the HOST header of the request suffice?</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Ty.</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-07-21 3:07 GMT-03:00 Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 21/07/2016 8:50 a.m., Antony Stone wrote:<br>
> On Wednesday 20 July 2016 at 22:44:46, Bruno de Paula Larini wrote:<br>
><br>
>> Em 20/07/2016 17:10, Antony Stone escreveu:<br>
>>><br>
>>> You *must* perform the DNAT on the machine running Squid, which means that<br>
>>> the packets from your clients must pass through the Squid server, either<br>
>>> because it is in the default route, or because you use some form of policy<br>
>>> routing (not NAT) to direct port 80 requests through it.<br>
>><br>
>> If that's the case I think it would be better if the document instructed<br>
>> to use REDIRECT --to-port instead DNAT as an implicit way to explain that.<br>
<br>
</span>Primarily because the document you are looking at Bruno is the one for<br>
DNAT. There is a different config example for REDIRECT<br>
<<a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect</a>><br>
<span class=""><br>
><br>
> What is unclear about:<br>
><br>
> *NOTE:* This configuration is given for use *on the squid box*. This is<br>
> required to perform intercept accurately and securely. To intercept from a<br>
> gateway machine and direct traffic at a separate squid box use policy routing.<br>
><br>
> ?<br>
><br>
><br>
> Antony.<br>
><br>
<br>
</span>As to why we even have a DNAT page. That is because at high traffic<br>
loads DNAT is measurably faster for iptables to perform than REDIRECT.<br>
On machinery where the IPs are static and performance is needed, DNAT<br>
*on the same machine* is the best way to go.<br>
<span class="HOEnZb"><font color="#888888"><br>
Amos<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</div></div></blockquote></div><br></div>