<div dir="ltr">Amos,<div><br></div><div>> <span style="font-size:12.8px">There is a different config example for REDIRECT </span><span style="font-size:12.8px"><</span><a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect" rel="noreferrer" target="_blank" style="font-size:12.8px">http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect</a><span style="font-size:12.8px">></span></div><div><br></div><div>Ty, I'm going to try it using REDIRECT. I was unwilling to follow the DNAT guide because of having to enable ip-forwarding in a non-router machine. The REDIRECT version seems cleaner and is similar to what I'</div><div class="gmail_extra"><br><div class="gmail_quote">2016-07-21 3:07 GMT-03:00 Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 21/07/2016 8:50 a.m., Antony Stone wrote:<br>
> On Wednesday 20 July 2016 at 22:44:46, Bruno de Paula Larini wrote:<br>
><br>
>> Em 20/07/2016 17:10, Antony Stone escreveu:<br>
>>><br>
>>> You *must* perform the DNAT on the machine running Squid, which means that<br>
>>> the packets from your clients must pass through the Squid server, either<br>
>>> because it is in the default route, or because you use some form of policy<br>
>>> routing (not NAT) to direct port 80 requests through it.<br>
>><br>
>> If that's the case I think it would be better if the document instructed<br>
>> to use REDIRECT --to-port instead DNAT as an implicit way to explain that.<br>
<br>
</span>Primarily because the document you are looking at Bruno is the one for<br>
DNAT. There is a different config example for REDIRECT<br>
<<a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect</a>><br>
<span class=""><br>
><br>
> What is unclear about:<br>
><br>
> *NOTE:* This configuration is given for use *on the squid box*. This is<br>
> required to perform intercept accurately and securely. To intercept from a<br>
> gateway machine and direct traffic at a separate squid box use policy routing.<br>
><br>
> ?<br>
><br>
><br>
> Antony.<br>
><br>
<br>
</span>As to why we even have a DNAT page. That is because at high traffic<br>
loads DNAT is measurably faster for iptables to perform than REDIRECT.<br>
On machinery where the IPs are static and performance is needed, DNAT<br>
*on the same machine* is the best way to go.<br>
<span class="HOEnZb"><font color="#888888"><br>
Amos<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</div></div></blockquote></div><br></div></div>