[squid-users] http_port intercept: squid 3.1.20 VS 3.5.23.

Thomas Martin tmartincpp at gmail.com
Wed Oct 4 11:50:08 UTC 2017


2017-10-04 13:41 GMT+02:00 Antony Stone <Antony.Stone at squid.open.source.it>:
>> - <router> is:
>> -- obviously forwarding packets,
>> -- owning the ADSL,
>> -- doing the transparent redirection of <clients> to <squid proxy> using NAT:
>> -A PREROUTING -s 10.100.0.100 -i dmz -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
>> -A PREROUTING -s 10.0.0.Y/32 -p tcp -m state --state NEW -m tcp --dport 80 -j DNAT --to-destination 10.100.0.100:3128
>
> That's your problem.
>
> You're no longer allowed to do the DNAT (or REDIRECT) on anything other than
> the machine running Squid itself.
>
> See https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect and
> note the emphasis "This configuration is given for use on the squid box."
>
> See https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
> for how to get the packets correctly from the router to the separate Squid
> server.
>
> In summary, you need to do policy routing (or any other method at your
> disposal) to get the packets from the clients to be sent to the Squid server
> *without* changing their destination address (so, DNAT isn't allowed), and
> then on the Squid server you use REDIRECT to send them to the Squid listening
> socket.
>
>
> Regards,
>
> Antony.
>

I see.
So between 3.1 and 3.5 Squid behavior changed and my DNAT is causing the loops.

I will take a closer look at these URLs.

Thanks a lot for your help and very quick answer!

Regards,
Thomas.
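As an added illustration of the two-box layout Antony describes (this is not code from the thread or from the Squid wiki): the router marks client port-80 traffic and policy-routes it to the Squid box with the destination address untouched, and only the Squid box itself does the REDIRECT. Addresses and the interface name are the ones from the thread; the fwmark value 3, routing table 100 and the dry-run `run` helper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): router side vs. Squid-box side rules.
# Router: policy-route client port-80 traffic to the Squid box WITHOUT DNAT.
# Squid box: REDIRECT locally so Squid's NAT lookup finds the real destination.
# Addresses are from the thread; mark/table numbers are assumed values.
CLIENT_NET="${CLIENT_NET:-10.0.0.0/24}"
SQUID_IP="${SQUID_IP:-10.100.0.100}"
SQUID_PORT="${SQUID_PORT:-3128}"
SQUID_IFACE="${SQUID_IFACE:-dmz}"
FWMARK="${FWMARK:-3}"
RT_TABLE="${RT_TABLE:-100}"
DRY_RUN="${DRY_RUN:-1}"   # default: print the commands, do not apply them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# What the original router did (breaks intercept on Squid 3.5, causes loops):
#   iptables -t nat -A PREROUTING -s <client> -p tcp --dport 80 \
#       -j DNAT --to-destination 10.100.0.100:3128
router_rules() {
    # Squid's own outbound port-80 connections must not be marked,
    # or they would be routed straight back to the Squid box.
    run iptables -t mangle -A PREROUTING -s "$SQUID_IP" -p tcp --dport 80 -j ACCEPT
    # Mark client web traffic; the destination address is left untouched.
    run iptables -t mangle -A PREROUTING -s "$CLIENT_NET" -p tcp --dport 80 \
        -j MARK --set-mark "$FWMARK"
    # Marked packets use a routing table whose default gateway is the Squid box.
    run ip rule add fwmark "$FWMARK" table "$RT_TABLE"
    run ip route add default via "$SQUID_IP" dev "$SQUID_IFACE" table "$RT_TABLE"
}

squid_rules() {
    # On the Squid box the REDIRECT creates the local NAT entry that
    # http_port ... intercept reads back to learn the original destination.
    run iptables -t nat -A PREROUTING -s "$CLIENT_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

case "${1:-}" in
    router) router_rules ;;
    squid)  squid_rules ;;
    *) echo "usage: $0 router|squid   (set DRY_RUN=0 to apply as root)" ;;
esac
```

Run `DRY_RUN=1 ./script router` on the router and `DRY_RUN=1 ./script squid` on the Squid box to review the rules before applying them.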

