[squid-users] http_port intercept: squid 3.1.20 VS 3.5.23.
Antony Stone
Antony.Stone at squid.open.source.it
Wed Oct 4 11:41:41 UTC 2017
On Wednesday 04 October 2017 at 13:30:52, Thomas Martin wrote:
> Hello,
>
> I'm having trouble to make Squid 3.5.23 work like Squid 3.1.20 does.
>
> Here is my setup:
> <clients>     | <router>                          | <squid proxy>
> 10.0.0.Y/24   | 10.0.0.254/24 <-> 10.100.0.254/24 | 10.100.0.100/24
> - <router> is:
> -- obviously forwarding packets,
> -- owning the ADSL,
> -- doing the transparent redirection of <clients> to <squid proxy> using NAT:
>    -A PREROUTING -s 10.100.0.100 -i dmz -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
>    -A PREROUTING -s 10.0.0.Y/32 -p tcp -m state --state NEW -m tcp --dport 80 -j DNAT --to-destination 10.100.0.100:3128
That's your problem.
You're no longer allowed to do the DNAT (or REDIRECT) on anything other than
the machine running Squid itself.
See https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect and
note the emphasis "This configuration is given for use on the squid box."
See https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
for how to get the packets correctly from the router to the separate Squid
server.
In summary, you need to do policy routing (or any other method at your
disposal) to get the packets from the clients to be sent to the Squid server
*without* changing their destination address (so, DNAT isn't allowed), and
then on the Squid server you use REDIRECT to send them to the Squid listening
socket.
Regards,
Antony.
--
https://tools.ietf.org/html/rfc6890 - providing 16 million IPv4 addresses for
talking to yourself.
Please reply to the list;
please *don't* CC me.
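The split that the reply describes (router steers client port-80 traffic to the Squid box with policy routing and leaves the destination address alone; only the Squid box rewrites it with REDIRECT), written out as an added example. This is not code from the mail above or from the Squid wiki pages it links; it follows the same fwmark approach. The addresses come from the thread; the interface names `lan`, `dmz` and `eth0`, the mark value 2 and routing table 100 are assumptions. With `APPLY` unset the script only prints the commands, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the original mail or the Squid wiki.
# Router side: mark + policy-route, no DNAT. Squid side: REDIRECT only.
CLIENTS="10.0.0.0/24"      # client LAN from the thread
SQUID_IP="10.100.0.100"    # Squid box from the thread
SQUID_PORT=3128
LAN_IF="lan"               # router interface facing clients (assumed name)
DMZ_IF="dmz"               # router interface facing the Squid box (from the thread)
SQUID_IF="eth0"            # Squid box interface receiving client traffic (assumed)
MARK=2                     # fwmark selecting the Squid routing table (assumed)
TABLE=100                  # policy routing table number (assumed)

# Print each command (default) or execute it (APPLY=1).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Router: mark client packets to TCP/80 and send marked packets to the Squid
# box via a dedicated table. The destination address is untouched, so the
# Squid box still sees the real origin server as the destination.
router_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$CLIENTS" \
        -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add default via "$SQUID_IP" dev "$DMZ_IF" table "$TABLE"
}

# Squid box: the only place the destination is rewritten. PREROUTING does not
# see the box's own outbound connections, so Squid's upstream traffic is not
# looped back into itself.
squid_rules() {
    run iptables -t nat -A PREROUTING -i "$SQUID_IF" -s "$CLIENTS" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# Check: the router rule set must contain no destination rewriting at all.
router_has_no_dnat() {
    ! router_rules | grep -Eq 'DNAT|REDIRECT'
}

router_rules
squid_rules
router_has_no_dnat && echo "router rules contain no DNAT/REDIRECT"
```

On the Squid box `squid.conf` still needs `http_port 3128 intercept`, and the box's default route must point back at the router so replies (sent with the origin server's address as source) reach the clients. The reason the NAT has to live on the Squid box is that Squid looks up the original destination in the local NAT table; a DNAT done on the router leaves Squid with only 10.100.0.100:3128 as the destination, which is what breaks the 3.5 setup.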