[squid-users] intercepting traffic
Brendan Kearney
bpk678 at gmail.com
Thu Nov 19 02:08:10 UTC 2015
I am trying to set up a transparent, intercepting squid instance,
alongside my existing explicit instance, and would like some input around
what I have buggered up so far.
I am running HAProxy in front of two squid instances, with the XFF
header added by HAProxy. My squid configs are all set to follow the XFF
for the real source, and logging is set up around digesting XFF for the
source.
I took my config and added:
http_port 192.168.88.1:3129 intercept
On the router/firewall/load balancer device that is running HAProxy, I
added a NAT rule as described here:
http://www.fwbuilder.org/4.0/docs/users_guide5/redirection_rules.shtml
In my cache.log I get:
2015/11/18 20:45:13 kid1| NF getsockopt(SO_ORIGINAL_DST) failed on local=192.168.88.1:3129 remote=192.168.88.254:37102 FD 20 flags=33: (92) Protocol not available
2015/11/18 20:49:05 kid1| NF getsockopt(SO_ORIGINAL_DST) failed on local=192.168.88.1:3129 remote=192.168.88.254:37381 FD 20 flags=33: (92) Protocol not available
This tells me that I am getting to the squid instances via the load
balancer, but I am running into the "NAT must occur on the squid box"
rule, I think.
I want to intercept HTTP traffic and load balance the traffic to my
squid instances. This link:
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
seems to be a step in the right direction, but I am at a loss on how to
apply the logic to my environment. My proxies are on a separate VLAN,
behind a load balancer, not in a DMZ. I am missing something and not
sure exactly what it is. Any input on where I need to go?
Thanks,
Brendan
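The cache.log lines quoted in the post are the symptom to read first: Squid's intercept mode asks the local kernel for the connection's pre-NAT destination with getsockopt(SO_ORIGINAL_DST), and that only works if the REDIRECT/DNAT happened on the Squid host itself. The following triage script is an added example, not part of the post and not Squid's own code. It parses the "NF getsockopt(SO_ORIGINAL_DST) failed" lines, groups them by errno and by the address the connections arrive from, and attaches a diagnosis. The errno interpretations it uses are its own assumptions about Linux netfilter (92 ENOPROTOOPT: no SO_ORIGINAL_DST handler registered because nf_nat is not active on this host; 2 ENOENT: nf_nat is present but conntrack has no entry for the flow), and the sample log text is constructed from the two lines in the post plus two made-up lines.

```python
"""Triage Squid 'NF getsockopt(SO_ORIGINAL_DST) failed' lines from cache.log.

Added example, not Squid's own code.  The errno meanings below are this
script's diagnostic assumptions about Linux netfilter:
  92 ENOPROTOOPT -> no SO_ORIGINAL_DST handler is registered on this host,
                    i.e. nf_nat is not loaded because no NAT rule runs here
   2 ENOENT      -> nf_nat is loaded but conntrack holds no entry for the flow
Either way the REDIRECT/DNAT did not happen on the Squid box.
"""
import re
import sys
from collections import Counter

# Constructed sample: the first two records are the ones quoted in the post,
# the errno-2 record and the "Accepting ..." line are made up for illustration.
SAMPLE_LOG = """\
2015/11/18 20:45:13 kid1| NF getsockopt(SO_ORIGINAL_DST) failed on local=192.168.88.1:3129 remote=192.168.88.254:37102 FD 20 flags=33: (92) Protocol not available
2015/11/18 20:49:05 kid1| NF getsockopt(SO_ORIGINAL_DST) failed on local=192.168.88.1:3129 remote=192.168.88.254:37381 FD 20 flags=33: (92) Protocol not available
2015/11/18 20:50:00 kid1| NF getsockopt(SO_ORIGINAL_DST) failed on local=192.168.88.1:3129 remote=192.168.88.77:40001 FD 21 flags=33: (2) No such file or directory
2015/11/18 20:50:01 kid1| Accepting NAT intercepted HTTP Socket connections at local=192.168.88.1:3129 remote=[::] FD 20 flags=9
"""

# One cache.log record per line; newer Squid versions prefix "ERROR: ".
FAILURE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kid>kid\d+)\| (?:ERROR: )?"
    r"NF getsockopt\(SO_ORIGINAL_DST\) failed on "
    r"local=(?P<local>\S+) remote=(?P<remote>\S+) "
    r"FD (?P<fd>\d+) flags=(?P<flags>\d+): "
    r"\((?P<errno>\d+)\) (?P<strerror>.+)$"
)

# Assumed interpretation of the errno Squid reports (see module docstring).
DIAGNOSIS = {
    92: "ENOPROTOOPT: the kernel has no SO_ORIGINAL_DST handler, so nf_nat is not "
        "active on this host; the REDIRECT/DNAT is happening elsewhere (or not at all)",
    2: "ENOENT: nf_nat is loaded but conntrack has no entry for this flow; the "
       "connection reached the intercept port without being NATed on this host",
}


def parse_origdst_failures(log_text):
    """Return one dict per SO_ORIGINAL_DST failure record; other lines are ignored."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["errno"] = int(rec["errno"])
        rec["fd"] = int(rec["fd"])
        # rsplit keeps bracketed IPv6 literals such as [::1]:3129 intact.
        rec["remote_host"] = rec["remote"].rsplit(":", 1)[0]
        rec["local_port"] = int(rec["local"].rsplit(":", 1)[1])
        failures.append(rec)
    return failures


def summarize(failures):
    """Group failures by errno, source host and intercept port and attach diagnoses."""
    by_errno = Counter(f["errno"] for f in failures)
    by_remote = Counter(f["remote_host"] for f in failures)
    by_port = Counter(f["local_port"] for f in failures)
    diagnoses = []
    for err, n in sorted(by_errno.items()):
        text = DIAGNOSIS.get(err, "unrecognised errno; inspect netfilter state on this host")
        diagnoses.append(f"errno {err} x{n}: {text}")
    if failures and len(by_remote) == 1:
        host = next(iter(by_remote))
        # A single source for every intercepted connection is the signature of a
        # TCP hop (load balancer / proxy) in front of Squid: it owns the client
        # socket, so the client's original destination never reaches this host.
        diagnoses.append(
            f"every failing connection comes from {host}; if that is the load "
            "balancer, the client's original destination was lost at that hop"
        )
    return {
        "total": len(failures),
        "by_errno": dict(by_errno),
        "by_remote_host": dict(by_remote),
        "by_local_port": dict(by_port),
        "top_remote_host": by_remote.most_common(1)[0][0] if failures else None,
        "diagnoses": diagnoses,
    }


if __name__ == "__main__":
    # Usage: python3 origdst_triage.py /var/log/squid/cache.log   (or no arg for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = summarize(parse_origdst_failures(text))
    print(f"{summary['total']} SO_ORIGINAL_DST failures")
    print("by errno:      ", summary["by_errno"])
    print("by remote host:", summary["by_remote_host"])
    for d in summary["diagnoses"]:
        print(" -", d)
```

Run against the post's own two lines, the script reports errno 92 twice, all from 192.168.88.254 (the HAProxy box), which is exactly the "NAT must occur on the squid box" situation: the Squid host has no NAT state for these connections. The remedy the linked IptablesPolicyRoute page describes is to deliver the port-80 packets to the Squid host unmodified (policy routing, no DNAT upstream) and put the REDIRECT to port 3129 in the Squid host's own nat PREROUTING chain; an HAProxy TCP hop in between will keep producing these lines, because the connection Squid sees was opened by HAProxy, not by the client.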