
List:       squid-users
Subject:    Re: [squid-users] transparent proxy help
From:       Henrik Nordstrom <hno () squid-cache ! org>
Date:       2005-05-31 12:02:43
Message-ID: Pine.LNX.4.61.0505311353470.3393 () localhost ! localdomain

On Mon, 30 May 2005, Abu Khaled wrote:

> I remember that a friend of mine had such a problem but with ipf on FreeBSD.
> You can try this but I am not sure if it works.
> *** On Gateway
> 1. Pass traffic from Squidserver IP to port 80 to avoid loop
> 2. Redirecting http traffic from Client IPs to Squidserver but not
> changing destination port ( I left it at 80 ).

You also should not change the destination IP. The packets should simply 
be routed to the Squid server with no NAT at all applied.

If the traffic is NAT:ed to the Squid server then the destination IP is 
lost and intercepted HTTP/1.0 requests without the Host header won't 
work.

But on the bright side you don't need (and should not use) any of the 
transparent proxy configure options to Squid or any local firewall rules 
redirecting traffic to Squid. Just configure Squid with

   http_port 80

   httpd_accel_host your.main.website
   httpd_accel_uses_host_header on
   httpd_accel_port 80

This will send HTTP/1.0 requests without Host headers to your main web 
site (or any other single site you appoint), and the rest to where they 
requested.

For interception of HTTP/1.0 requests without host header to work the 
following conditions must be met:

   1. The Squid server must see the original packets with all address info 
intact.

   2. Suitable redirection rules need to exist in the local firewall 
(IP-Filter/ipf/iptables) redirecting port 80 traffic to the Squid port.

   3. Squid must be built with support for the interception method you use 
on the Squid server to redirect the packets to Squid.


If you are not interested in supporting old HTTP/1.0 clients then a simple 
NAT with the config above is sufficient. But be aware that there are still 
automated HTTP agents such as anti-virus updaters etc. using old HTTP/1.0 
without a Host header.

Note: All known browsers use the Host header as this is required to 
access domain based virtual hosts on the Internet.

Regards
Henrik
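The decision Henrik describes (Host header present: go where the client asked; no Host header: go to the original destination only if it survived, otherwise to the single httpd_accel_host site) can be modelled in a few lines. The following is an added illustrative example, not Squid's code and not from the mailing list; the request bytes, the hostnames and the `original_dst` tuple are constructed, and `original_dst=None` stands in for the case where the gateway NATed the packet so the proxy can no longer recover the real destination.

```python
"""Model of how an intercepting proxy picks the origin server.

Illustrative only; this is not Squid's implementation. In a real
interception setup the proxy recovers the original destination from the
local firewall (e.g. the netfilter NAT table on Linux), which is exactly
why the packets must reach the Squid box with their addresses intact.
"""

from typing import Dict, Optional, Tuple

# Constructed sample requests (not captured traffic):
# a modern client sends Host; an old HTTP/1.0 updater does not.
REQ_WITH_HOST = b"GET /index.html HTTP/1.1\r\nHost: www.example.net\r\n\r\n"
REQ_NO_HOST = b"GET /update.dat HTTP/1.0\r\nUser-Agent: av-updater/1.0\r\n\r\n"


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP request head into (method, path, version, headers).

    Header names are lower-cased because HTTP header names are
    case-insensitive.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def resolve_origin(
    raw: bytes,
    original_dst: Optional[Tuple[str, int]],
    accel_host: str,
    accel_port: int = 80,
) -> Tuple[str, int, str]:
    """Return (host, port, reason) for an intercepted request.

    original_dst is the destination address as it arrived at the proxy box,
    or None when it was lost (gateway NAT) or Squid was not built with the
    matching interception support. accel_host/accel_port model
    httpd_accel_host / httpd_accel_port.
    """
    _, _, _, headers = parse_request(raw)
    host = headers.get("host")
    if host:
        # httpd_accel_uses_host_header on: trust the Host header.
        if ":" in host:
            name, port = host.rsplit(":", 1)
            return name, int(port), "host-header"
        return host, accel_port, "host-header"
    if original_dst is not None:
        # No Host header, but the real destination survived: use it.
        return original_dst[0], original_dst[1], "original-destination"
    # No Host header and the destination is gone: only the fallback is left.
    return accel_host, accel_port, "httpd_accel_host-fallback"


if __name__ == "__main__":
    main_site = "www.main.example"  # constructed placeholder for the accel host
    for label, req, dst in [
        ("browser, NATed", REQ_WITH_HOST, None),
        ("HTTP/1.0 updater, routed", REQ_NO_HOST, ("198.51.100.7", 80)),
        ("HTTP/1.0 updater, NATed", REQ_NO_HOST, None),
    ]:
        print(f"{label:28} -> {resolve_origin(req, dst, main_site)}")
```

Running it shows the three outcomes side by side: the browser request is unaffected by NAT because its Host header carries the origin, the old updater reaches the right server only when the packet was routed rather than NATed to Squid, and in the NATed case it silently lands on the accel host instead.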