[squid-users] intercepting traffic

Brendan Kearney bpk678 at gmail.com
Thu Nov 19 02:08:10 UTC 2015


I am trying to set up a transparent, intercepting squid instance, alongside 
my existing explicit instance, and would like some input around 
what I have buggered up so far.

I am running HAProxy in front of two squid instances, with the XFF 
header added by HAProxy.  My squid configs are all set to follow the XFF 
for the real source and logging is set up around digesting XFF for the 
source.

I took my config and added:
http_port 192.168.88.1:3129 intercept

On the router/firewall/load balancer device that is running HAProxy, I 
added a NAT rule as described here:
http://www.fwbuilder.org/4.0/docs/users_guide5/redirection_rules.shtml

In my cache.log I get:
2015/11/18 20:45:13 kid1|  NF getsockopt(SO_ORIGINAL_DST) failed on local=192.168.88.1:3129 remote=192.168.88.254:37102 FD 20 flags=33: (92) Protocol not available
2015/11/18 20:49:05 kid1|  NF getsockopt(SO_ORIGINAL_DST) failed on local=192.168.88.1:3129 remote=192.168.88.254:37381 FD 20 flags=33: (92) Protocol not available

This tells me that I am getting to the squid instances via the load 
balancer, but I am running into the "NAT must occur on the squid box" 
rule, I think.

I want to intercept http traffic, and load balance the traffic to my 
squid instances.  This link:

http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

seems to be a step in the right direction, but I am at a loss on how to 
apply the logic to my environment.  My proxies are on a separate vlan, 
behind a load balancer, not in a DMZ.  I am missing something and not 
sure exactly what it is.  Any input on where I need to go?

thanks,

brendan
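The cache.log lines quoted above are the symptom a Squid admin should key on when an intercept port is placed behind a separate NAT box. The following is an added example, not code from the original post or from the Squid project: a small checker that parses the "NF getsockopt(SO_ORIGINAL_DST) failed" lines out of cache.log and reports whether every failing connection is sourced from a known NAT/load-balancer address (here the router 192.168.88.254 from the post) rather than from clients. When that is the case, the REDIRECT/DNAT happened on the other host, so the Squid host's kernel has no conntrack entry to return and the original destination is unrecoverable, which is the "NAT must occur on the Squid box" condition the poster suspects. The sample log text is constructed from the two lines in the post plus one unrelated filler line; the set of NAT-box addresses is an assumed input.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Matches the diagnostic Squid writes to cache.log when an "intercept" http_port
# cannot recover the original destination of an accepted connection.
FAILURE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid(?P<kid>\d+)\|\s+"
    r"NF getsockopt\(SO_ORIGINAL_DST\) failed on "
    r"local=(?P<lip>[\d.]+):(?P<lport>\d+) remote=(?P<rip>[\d.]+):(?P<rport>\d+) "
    r"FD (?P<fd>\d+) flags=(?P<flags>\d+): \((?P<errno>\d+)\) (?P<msg>.*)$"
)

ENOPROTOOPT = 92  # errno shown in the post: no NAT lookup on this host answered the query


@dataclass(frozen=True)
class OrigDstFailure:
    ts: str
    local: str
    remote_ip: str
    remote_port: int
    errno: int
    msg: str


def parse_failures(log_text: str) -> List[OrigDstFailure]:
    """Return one record per SO_ORIGINAL_DST failure; unrelated cache.log lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        records.append(OrigDstFailure(
            ts=m["ts"],
            local=f"{m['lip']}:{m['lport']}",
            remote_ip=m["rip"],
            remote_port=int(m["rport"]),
            errno=int(m["errno"]),
            msg=m["msg"],
        ))
    return records


def diagnose(failures: Iterable[OrigDstFailure], nat_box_addrs: Set[str]) -> Dict:
    """Summarise the failures and say whether they all arrive from the NAT/LB host.

    If every failing connection's remote address belongs to the router/load balancer
    rather than a client, the DNAT is being done on that box; the Squid host's kernel
    then has no conntrack mapping to hand back, and interception cannot work there.
    """
    failures = list(failures)
    remote_hosts = Counter(f.remote_ip for f in failures)
    errnos = Counter(f.errno for f in failures)
    all_from_nat_box = bool(failures) and set(remote_hosts) <= set(nat_box_addrs)
    if not failures:
        verdict = "no SO_ORIGINAL_DST failures found"
    elif all_from_nat_box:
        verdict = ("intercepted connections are sourced from the NAT/load-balancer host; "
                   "the original destination is lost before the packets reach Squid")
    else:
        verdict = ("failures come from client addresses; check the REDIRECT rule and "
                   "conntrack/NAT modules on the Squid host itself")
    return {
        "failures": len(failures),
        "remote_hosts": dict(remote_hosts),
        "errnos": dict(errnos),
        "all_from_nat_box": all_from_nat_box,
        "verdict": verdict,
    }


# Constructed sample: the two lines from the post (joined onto single lines) plus a
# filler line that the parser must ignore.
SAMPLE_LOG = """\
2015/11/18 20:45:13 kid1|  NF getsockopt(SO_ORIGINAL_DST) failed on local=192.168.88.1:3129 remote=192.168.88.254:37102 FD 20 flags=33: (92) Protocol not available
2015/11/18 20:45:14 kid1| (constructed filler line, not an intercept failure)
2015/11/18 20:49:05 kid1|  NF getsockopt(SO_ORIGINAL_DST) failed on local=192.168.88.1:3129 remote=192.168.88.254:37381 FD 20 flags=33: (92) Protocol not available
"""

# Assumed: the HAProxy/router box that holds the NAT rule, as seen in the post.
NAT_BOX_ADDRS = {"192.168.88.254"}

if __name__ == "__main__":
    report = diagnose(parse_failures(SAMPLE_LOG), NAT_BOX_ADDRS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real cache.log by replacing SAMPLE_LOG with the file contents and NAT_BOX_ADDRS with the address(es) of the device doing the redirect; if the verdict reports connections sourced from the NAT box, the fix is to do the REDIRECT on the Squid host (or route the untouched client packets to it, as the policy-routing wiki page linked above describes) rather than DNAT on the load balancer.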

