[squid-users] squid "internal?" loop - with no firewall nat going on..?
Klavs Klavsen
kl at vsen.dk
Tue Mar 10 13:19:17 UTC 2015
Amos Jeffries wrote on 03/10/2015 01:50 PM:
> On 11/03/2015 1:29 a.m., Klavs Klavsen wrote:
>> Hi,
>>
>> I just setup a squid trying to get it to work in intercept mode..
>>
>> I seem to hit some squid internal loop where it goes haywire internally
>> somehow?
>
> You have explicitly configured Squid instructing it that traffic
> arriving on port 3129 has been intercepted.
>
> You then sent Squid a port-80 syntax message with TCP packet destination
> IP:port of 127.0.0.1:3129.
>
port 80 syntax?
> It is for this reason that all our interception tutorials state in bold
> that it's a very good idea to firewall the 3129 port such that no
> software, even localhost, may send traffic directly into it.
>
ahh.. I was hoping to have a load balancer in front of squid (haproxy) -
to have failover, if the squid server should fail..
I'm trying to read and understand:
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Concepts_of_Interception_Caching
when NAT'ing - doesn't squid just get the rewritten package (which would
have port 3129 in the TCP dest. port field?)
i.e. how can it discern a package sent directly to port 3129 - with data
containing e.g.:
    GET / HTTP/1.1
    Host: www.bt.dk
from one just sent directly to that port?
I seem to be failing to understand wherein the difference lies :(
I can see that one can choose to use GRE encapsulation - but that is
stated to be optional..
--
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
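Added illustration of the distinction the question above turns on (this is example code written for this page, not Squid's own code): on Linux, a NAT REDIRECT rewrites the TCP destination to 127.0.0.1:3129, but the kernel's connection tracking remembers the pre-rewrite destination, and a listening process can ask for it with the `SO_ORIGINAL_DST` socket option. A connection that was never NAT'ed has no such entry, and the lookup simply returns the socket's own local address. An intercepting proxy that forwards to that "original destination" would then connect back to itself, which is the loop described in the reply. The constant value 80 for `SO_ORIGINAL_DST` is the Linux netfilter definition; `classify` and `forward_target` are helper names chosen here, and the loopback demo under `__main__` is assumed to run on a Linux host without NAT rules.

```python
import socket
import struct
import sys

# Linux netfilter constant (include/uapi/linux/netfilter_ipv4.h). Assumed
# Linux host; other kernels expose the NAT table differently.
SO_ORIGINAL_DST = 80


def original_destination(conn):
    """Return (ip, port) the client originally connected to, as recorded by
    conntrack before any REDIRECT/DNAT rewrite of the packet.

    With no NAT mapping for this flow the kernel returns the socket's own
    local address, i.e. exactly what the client sent the packet to.
    """
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    # struct sockaddr_in: family(2) port(2, network order) addr(4) pad(8)
    port, packed_ip = struct.unpack("!2xH4s8x", raw)
    return socket.inet_ntoa(packed_ip), port


def classify(original_dst, local_addr):
    """Label an accepted connection on the intercept port.

    intercepted: conntrack reports a destination other than the listener,
                 so a firewall rule redirected this flow to us.
    direct:      the lookup returned our own address, so the client (or a
                 load balancer) addressed the intercept port itself.
    """
    return "direct" if tuple(original_dst) == tuple(local_addr) else "intercepted"


def forward_target(original_dst, local_addr):
    """Where a naive intercept-mode proxy would open its upstream connection.

    Returns (ip, port, loops) where loops is True when the upstream target
    is the proxy's own listening socket: the request would arrive back on
    the same port and be classified as 'direct' again, forever.
    """
    loops = classify(original_dst, local_addr) == "direct"
    return original_dst[0], original_dst[1], loops


if __name__ == "__main__":
    # Loopback demo, Linux only: connect to ourselves with no NAT rule in
    # place and show that the lookup hands back the listener's own address.
    if not sys.platform.startswith("linux"):
        sys.exit("demo needs Linux (SO_ORIGINAL_DST)")
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    listen_addr = srv.getsockname()
    cli = socket.create_connection(listen_addr)
    conn, _ = srv.accept()
    orig = original_destination(conn)
    print("original destination:", orig)
    print("classified as:", classify(orig, conn.getsockname()))
    print("forward target:", forward_target(orig, conn.getsockname()))
    for s in (cli, conn, srv):
        s.close()
```

Run on a box with an iptables REDIRECT rule sending port 80 to the listener and the lookup returns the client's real target (e.g. the web server's address and port 80); run it without the rule, as the demo does, and it returns the listener itself, which is the case a firewall on port 3129 is meant to keep from ever reaching the proxy.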