[squid-users] intercept vs. accel vhost allow-direct

Amos Jeffries squid3 at treenet.co.nz
Thu Sep 12 09:39:52 UTC 2019


On 12/09/19 8:43 pm, sknz wrote:
> I'm running a hotspot (CoovaChilli, Freeradius, etc.) server where
> Squid-3.4.8 (SSL enabled) is used for caching and logging. My machine is running on
> Debian 8.1.1 with 2 NIC cards. One for WAN and another for LAN to manage
> hotspot AP(s).
> 
> ERROR
> The requested URL could not be retrieved
> 
> The configuration below throws the above error page:
> http_port 3128
> http_port 3127 intercept
> 
> Instead, I have to use this:
> http_port 3128 accel vhost allow-direct
> 

(Congratulations, you now have CVE-2009-0801)

> Now it works! Squid is not throwing any error log for both cases. Why
> INTERCEPT is not working?

Because "The requested URL could not be retrieved".

intercept means take the origin server details from the NAT system.
Squid will act as transparently as possible, sending the traffic on to
the same server IP address the client was trying to deliver that request to.

accel means Squid is providing CDN services for the domain being
fetched. It has full authority as the origin server and any source of
data is accepted as valid response to the client.

Without any further information I guess that Squid is not able to
connect to the dst-IP the client is trying to connect to. But when DNS
is consulted in Squid's role as CDN, one of the domain's other IP
addresses works.
... or maybe the client was actually not going to the server its TCP
claims and you just let malware loose.


(All those firewall settings mean nothing without details about which
IPs Squid is using and which NIC is which.)


Amos
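An added illustration of the difference described above (not Squid's code and not from this thread): a simplified model of which origin each http_port mode connects to for the same intercepted request. The DNS answers, the reachability set and the request bytes are constructed for the example.

```python
from typing import Dict, Optional, Tuple

# Constructed DNS view: addresses Squid would learn by resolving the Host name.
DNS: Dict[str, list] = {"www.example.test": ["203.0.113.10", "203.0.113.11"]}

# Constructed: origin addresses Squid can currently open a TCP connection to.
REACHABLE = {"203.0.113.11"}


def parse_request_head(raw: bytes) -> Dict[str, str]:
    """Pull the request line and the Host header out of an HTTP/1.1 head."""
    lines = raw.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0]  # drop any :port suffix
    return {"method": method, "target": target, "version": version, "host": host}


def choose_upstream(mode: str, nat_dst_ip: str, head: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Simplified model (assumption, not Squid's actual code) of upstream choice.

    intercept: the client's original destination (from NAT) is authoritative.
      Host must resolve to that IP (the check Squid's host_verify_strict makes
      strict, the fix for CVE-2009-0801) and the request goes to that IP only.
    accel: the Host header is authoritative; any DNS answer for it is used,
      so a forged Host can steer Squid to a server the client never addressed.
    """
    answers = DNS.get(head["host"], [])
    if mode == "intercept":
        if nat_dst_ip not in answers:
            return None, "host/destination mismatch: refuse, do not forward"
        if nat_dst_ip not in REACHABLE:
            return None, "original destination unreachable: URL could not be retrieved"
        return nat_dst_ip, "forward to the client's original destination"
    if mode == "accel":
        for ip in answers:
            if ip in REACHABLE:
                return ip, "forward to whichever address of Host answers"
        return None, "no address for Host reachable"
    raise ValueError(f"unknown mode {mode!r}")


# Constructed intercepted request; the NAT layer reports the client sent it to .10
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
HEAD = parse_request_head(REQUEST)
```

With the .10 origin down, intercept reports the retrieval failure while accel silently uses .11; with a destination that Host does not resolve to, intercept refuses and accel still forwards.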
