[squid-users] External nat'ed transparent proxy

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 30 17:35:42 UTC 2016


On 1/10/2016 12:27 a.m., Henry Paulissen wrote:
> Hi Matus,
> 
> 
> On 30-09-16 12:36, Matus UHLAR - fantomas wrote:
>> On 29.09.16 16:39, Henry Paulissen wrote:
>>> In the company I work for we are currently using squid v2 proxies in
>>> transparent mode to intercept traffic from servers to the outside
>>> (access control).
>>>
>>> The technical solution for this is roughly as follows:
>>> [server] -> [gateway] -> [firewall]
>>>                              |
>>>    ----------- DNAT ---------
>>>   v
>>> [squid]  -> [gateway] -> [firewall] -> [internet router]
>>
>> this is a bad configuration. The firewall in the path should NOT use DNAT,
>> since it makes the important part of connection (destination IP) invisible
>> to squid.
>>
> 
> That is where the HTTP Host header can be used for... For squid to
> figure out the destination of the request. (arenĀ“t they?)

That is what it was intended for 20 or so years ago. But times change
and nowdays we have to deal with browsers that can be sent a scimple
script and instructed to do all sorts of nasty things in the traffic. If
you want the gory details you can find my prvious answers to people
asking this same question repeatedly over the last 5 years.

The TL;DR is: no, that is no longer safe to do and Squid will not do it
any more. Simply dont use DNAT on the port 80 (or 443) packets before
they hit the machine running Squid. Routing is a more powerful feature
than most realize, make use of it.

Amos



More information about the squid-users mailing list