[squid-users] intercepting traffic

brendan kearney bpk678 at gmail.com
Thu Nov 19 15:10:58 UTC 2015


So does that mean I can run the DNAT on the firewall/router/load balancer
device and remove the intercept line from my configs, and expect things to
work?
On Nov 18, 2015 10:43 PM, "Amos Jeffries" <squid3 at treenet.co.nz> wrote:

> On 19/11/2015 3:08 p.m., Brendan Kearney wrote:
> > I am trying to set up a transparent, intercepting squid instance,
> > alongside my existing explicit instance, and would like some input around
> > what I have buggered up so far.
> >
> > I am running HAProxy in front of two squid instances, with the XFF
> > header added by HAProxy.  My squid configs are all set to follow the XFF
> > for the real source and logging is set up around digesting XFF for the
> > source.
> >
> > I took my config and added:
> > http_port 192.168.88.1:3129 intercept
>
> This tells Squid you are intercepting the traffic between HAProxy and
> Squid.
>
> You describe HAProxy as explicitly sending traffic to the Squid, so
> there is no need for interception into Squid.
>
> >
> > This tells me that I am getting to the squid instances via the load
> > balancer, but I am running into the "NAT must occur on the squid box"
> > rule, I think.
>
> Yes. That rule and the intercept option that causes it do not apply
> when the software sending traffic to Squid is explicitly configured,
> such as you describe HAProxy being.
>
> Amos