[squid-users] Unsuccessful at using Squid v4 with intercept
Rafael Akchurin
rafael.akchurin at diladele.com
Fri Nov 1 06:35:22 UTC 2019
Hello Sebastian,
If you decide to go policy routing way as Amos suggested - please see the tutorial at https://docs.diladele.com/tutorials/policy_based_routing_squid/index.html
Or https://docs.diladele.com/tutorials/web_filter_https_squid_cisco_wccp/index.html for WCCP.
Best regards,
Rafael Akchurin
Diladele B.V.
-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Friday, 1 November 2019 07:02
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Unsuccessful at using Squid v4 with intercept
On 1/11/19 5:53 am, FOUTREL Sébastien wrote:
> ----------------------------------------------------------------------
> --
> *De :* Antony Stone
> *Envoyé :* mercredi 30 octobre 2019 17:39
>
> On Wednesday 30 October 2019 at 17:11:29, FOUTREL Sébastien wrote:
>
>> Hello, I would like to use squid as a transparent proxy for my users.
>
>> "Clients" are behind a Debian "Router" which MASQUERADE them (as they
>> use RFC 1918 ips).
>>
>> I have a Squid 4.6 from Debian Buster packages installed on a "Proxy"
>> server which is outside my network.
>>
>> I read a lot of tutorials and examples from squid site...
>
> Did that include the links I've given below?
>
> Yes I read almost all examples config from wiki.squid-cache.org
> <https://wiki.squid-cache.org/SquidFaq/InterceptionProxy>
> <https://wiki.squid-cache.org/SquidFaq/InterceptionProxy>And I was
> mislead by the fact that there is a DNAT config and a REDIRECT config..
> DNAT is completely useless if Squid only support to be on the router.
> Wasn't it possible to dnat to a different server with older versions
> (my memory is faulty) ?
> http://tldp.org/HOWTO/TransparentProxy-6.html for example.
Squid-2 used to ignore all NAT errors and just go where the client HTTP headers were claiming to be going. This proved to be a major security vulnerability with a pile of nasty related issues and side effects.
CVE-2009-0801 for reference.
DNAT is a tiny amount faster and less CPU cycles on the kernel NAT side of interception, and can be used in config tricks to get more than 64K entries in the NAT tables. So it is kept around for extremely high-traffic proxies.
REDIRECT is better for zero-conf installations or ones with a dynamic IP address on the proxy machine (eg IPv6 auto-conf and privacy addressing).
>
> I read the "fw mark and route policy" method as an alternative not the
> only way to go. My mistake.
>
Easily made if you are reading *every* example config. Policy Routing _is_ an alternative ... to WCCP.
There are so many different types of routers with different config requirements, and also numerous NAT systems. Our formal Intercept examples are laid out as separate router config example and NAT config example. Pick one from each category as appropriate to the software your network uses for each machine.
Cheers
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list