[squid-users] Squid Intercept - From inside LAN with DNAT on router and docker on host

Guilherme Scaglia cadastros.scaglia at gmail.com
Thu Jul 21 11:55:17 UTC 2016


Amos,

> There is a different config example for REDIRECT
> <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>

Ty, I'm going to try it using REDIRECT. I was unwilling to follow the DNAT
guide because of having to enable ip-forwarding in a non-router machine.
The REDIRECT version seems cleaner and is similar to what I'

2016-07-21 3:07 GMT-03:00 Amos Jeffries <squid3 at treenet.co.nz>:

> On 21/07/2016 8:50 a.m., Antony Stone wrote:
> > On Wednesday 20 July 2016 at 22:44:46, Bruno de Paula Larini wrote:
> >
> >> On 20/07/2016 17:10, Antony Stone wrote:
> >>>
> >>> You *must* perform the DNAT on the machine running Squid, which means that
> >>> the packets from your clients must pass through the Squid server, either
> >>> because it is in the default route, or because you use some form of policy
> >>> routing (not NAT) to direct port 80 requests through it.
> >>
> >> If that's the case I think it would be better if the document instructed
> >> to use REDIRECT --to-port instead of DNAT as an implicit way to explain that.
>
> Primarily because the document you are looking at, Bruno, is the one for
> DNAT. There is a different config example for REDIRECT
>  <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
>
> >
> > What is unclear about:
> >
> > *NOTE:* This configuration is given for use *on the squid box*. This is
> > required to perform intercept accurately and securely.  To intercept from a
> > gateway machine and direct traffic at a separate squid box use policy routing.
> >
> >       ?
> >
> >
> > Antony.
> >
>
> As to why we even have a DNAT page. That is because at high traffic
> loads DNAT is measurably faster for iptables to perform than REDIRECT.
> On machinery where the IPs are static and performance is needed, DNAT
> *on the same machine* is the best way to go.
>
> Amos
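
The rule discussed in this thread (the REDIRECT or DNAT rule has to sit on the machine running Squid) can be checked from that machine's own NAT table and squid.conf. The script below is an added example, not part of the original thread or of the Squid wiki; the function names are hypothetical and the sample rule set, config and ports 3128/3129 are constructed for illustration.

```shell
#!/bin/sh
# Added example. Run on the Squid box; a NAT rule on some other router does not count.

# stdin: squid.conf text -> ports declared as "http_port <port> intercept"
intercept_ports() {
    awk '$1 == "http_port" {
        for (i = 3; i <= NF; i++) if ($i == "intercept") {
            n = split($2, a, ":"); print a[n]; break
        }
    }'
}

# stdin: iptables-save text -> ports that nat PREROUTING REDIRECT/DNAT rules point at
# (DNAT rules without an explicit :port are ignored)
nat_target_ports() {
    awk '/^\*/ { table = $1 }
    table == "*nat" && $1 == "-A" && $2 == "PREROUTING" {
        for (i = 3; i < NF; i++) {
            if ($i == "--to-ports") print $(i + 1)
            if ($i == "--to-destination" && split($(i + 1), a, ":") == 2) print a[2]
        }
    }'
}

# $1: iptables-save text, $2: squid.conf text. Prints a verdict; returns 0 only if
# a local rule exists and every rule targets an intercept port.
check_intercept() {
    targets=$(printf '%s\n' "$1" | nat_target_ports)
    ports=$(printf '%s\n' "$2" | intercept_ports)
    [ -n "$targets" ] || { echo "no REDIRECT/DNAT rule in nat PREROUTING"; return 1; }
    for t in $targets; do
        printf '%s\n' "$ports" | grep -qxF "$t" ||
            { echo "port $t has no 'http_port $t intercept'"; return 1; }
    done
    echo "ok"
}

# Constructed sample inputs (ports 3128/3129 are assumptions, not from the thread).
sample_rules() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
        '-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129' 'COMMIT'
}
sample_conf() { printf '%s\n' 'http_port 3128' 'http_port 3129 intercept'; }

check_intercept "$(sample_rules)" "$(sample_conf)"
```

On a live host the two arguments would be the output of `iptables-save -t nat` and the contents of the Squid configuration file.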