[squid-users] External nat'ed transparent proxy

Henry Paulissen henry at nitronetworks.nl
Thu Sep 29 14:39:53 UTC 2016


Hi all,

In the company I work for we are currently using squid v2 proxies in
transparent mode to intercept traffic from servers to the outside
(access control).

The technical solution for this is roughly as follows:
[server] -> [gateway] -> [firewall]
                              |
    ----------- DNAT ---------
   v
[squid]  -> [gateway] -> [firewall] -> [internet router]

Our firewalls (which live between the vlan gateway and internet router)
DNAT the traffic towards separate squid proxies (which are in an lvs
cluster). These squid proxies are in their own vlan with special
permissions to allow unrestricted port 80 outbound, etc, etc...

Because squid v2 is becoming more and more obsolete we are looking at
upgrading it towards squid v3.

From what I read in the manuals, transparent mode is replaced by
intercept (and tproxy) mode. But both don't seem to be fully backward
compliant with the v2 transparent mode.

The old transparent mode allowed us to just dnat traffic towards the
squid host without the need for the client to be aware of this. For
example, the old style accepted 'GET / HTTP/1.1' (without full URL in
the GET request and looking at the Host header for the destination).

The new intercept mode comes close to this behavior, but instead of
remotely dnat, it wants us to next-hop it towards the squid proxy and
redirect it locally. This is problematic for us as firewall and squid
proxy don't live in the same vlan, so next-hop should be the router to
that vlan (and forgetting about the path back to the server). Secondly,
and not less blocking, we use vservers (a predecessor to linux containers,
lxc); as such, we don't have any promiscuous interface rights within the
container.


Is there still an option to emulate normal 'regular' style squid (as
without any listen options) but instead accepting the URI path in the
GET request and looking at the Host header for the destination? (let's
call it passthrough mode?).

Or, is there in squid3 a new and better way to facilitate larger setups,
with the knowledge the server, firewall and squids are all in different
vlans (and no, we don't have Cisco firewalls in between them ;-)).


Thanks in advance,

-- 
Henry Paulissen - PD0OM
henry at nitronetworks.nl - Phone: +31-(0)6-115.305.64
Linux/Unix System Engineer
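The post contrasts two request forms: the forward-proxy absolute-URI form and the origin-form request ('GET / HTTP/1.1' plus a Host header) that the old transparent mode routed on. The added example below is not from the post or from Squid's code; it derives the upstream destination from each form and then applies the check an intercepting proxy needs when it trusts the Host header: the Host name must resolve to the IP the client actually connected to (the NAT original destination), otherwise a forged Host header can steer the proxy to a host the firewall never allowed. The `lookup` callable and the sample requests and addresses are constructed stand-ins for DNS and real traffic.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample requests (not from the post): the origin-form request the
# old transparent mode accepted, and the absolute-URI form a proxy-aware client sends.
ORIGIN_FORM = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
ABSOLUTE_FORM = (b"GET http://www.example.com:8080/index.html HTTP/1.1\r\n"
                 b"Host: www.example.com:8080\r\n\r\n")

@dataclass
class Destination:
    host: str
    port: int
    source: str  # "absolute-uri" or "host-header"

def parse_request(raw: bytes):
    """Split an HTTP/1.1 request head into (method, request-target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def resolve_destination(raw: bytes) -> Destination:
    """Use the absolute URI when present; otherwise fall back to the Host header
    (the 'passthrough' behaviour the post describes for DNAT'ed traffic)."""
    _method, target, headers = parse_request(raw)
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return Destination(parts.hostname, port, "absolute-uri")
    host = headers.get("host")
    if not host:
        raise ValueError("origin-form request without Host header")
    name, _, port = host.partition(":")
    return Destination(name, int(port) if port else 80, "host-header")

def host_verified(dest: Destination, nat_original_ip: str, lookup) -> bool:
    """Intercept-style check: a Host-derived destination is accepted only if the
    name resolves to the IP the client really connected to. `lookup` is a
    hypothetical hostname -> set-of-IPs resolver standing in for DNS."""
    if dest.source == "absolute-uri":
        return True  # client addressed the proxy itself; no NAT destination to compare
    return nat_original_ip in lookup(dest.host)
```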
