Re: [squid-users] transparent proxy help

On Mon, 30 May 2005, Abu Khaled wrote:

> I remember that a friend of mine had such a problem but with ipf on FreeBSD.
> You can try this but I am not sure if it works.
> *** On Gateway
> 1. Pass traffic from Squidserver IP to port 80 to avoid loop
> 2. Redirecting http traffic from Client IPs to Squidserver but not
> changing destination port ( I left it at 80 ).

You also should not change the destination IP. The packets should simply be routed to the Squid server with no NAT at all applied.

If the traffic is NAT:ed to the Squid server then the destination IP is lost and intercepted HTTP/1.0 requests without the Host header won't work.

But on the bright side you don't need (and should not use) any of the transparent proxy configure options to Squid or any local firewall rules redirecting traffic to Squid. Just configure Squid with

  http_port 80

  httpd_accel_host your.main.website
  httpd_accel_uses_host_header on
  httpd_accel_port 80

this will send HTTP/1.0 requests without host headers to your main web site (or any other single site you appoint), the rest where they requested.

For interception of HTTP/1.0 requests without host header to work the following conditions must be met:

1. The Squid server must see the original packets with all address info intact.

2. Suitable redirection rules need to exist in the local firewall (IP-Filter/ipf/iptables) redirecting port 80 traffic to the Squid port.

3. Squid must be built with support for the interception method you use on the Squid server to redirect the packets to Squid.


If you are not interested in supporting old HTTP/1.0 clients then a simple NAT with the config above is sufficient. But be aware that there still are automated HTTP agents such as anti-virus updates etc. using old HTTP/1.0 without host header.

Note: All known browsers use the Host header as this is required to access domain based virtual hosts on the Internet.

Regards
Henrik
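
The origin-selection cases described in the message above, as an added example that is not part of the original post and is not Squid's own code. It is a simplified model: `resolve_origin`, its parameters and the sample requests are hypothetical, and `orig_dst=None` stands for the case where NAT on the gateway has already replaced the destination address.

```python
# Simplified model of origin selection for intercepted HTTP requests.
# Not Squid's code; function and parameter names are hypothetical.
from urllib.parse import urlsplit


def resolve_origin(raw_request: bytes, orig_dst=None,
                   accel_host="your.main.website", accel_port=80):
    """Return (host, port, source) for the origin server of one request.

    orig_dst is the (ip, port) the client originally addressed, or None
    when NAT on the gateway has already rewritten it to the proxy address.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    target = parts[1]

    # Proxy-style request with an absolute URI names the origin itself.
    if target.lower().startswith("http://"):
        url = urlsplit(target)
        return url.hostname, url.port or 80, "absolute-uri"

    # Host header: what httpd_accel_uses_host_header on relies on.
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host" and value.strip():
            url = urlsplit("//" + value.strip())
            return url.hostname, url.port or 80, "host-header"

    # HTTP/1.0 without Host: only the original destination IP identifies
    # the site, and it survives only if the packets were routed, not NATed.
    if orig_dst is not None:
        return orig_dst[0], orig_dst[1], "original-destination"

    # Destination lost: fall back to the single site from httpd_accel_host.
    return accel_host, accel_port, "accel-default"


# Constructed sample requests (203.0.113.10 is a documentation address).
WITH_HOST = b"GET /a HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
NO_HOST = b"GET /update.dat HTTP/1.0\r\nUser-Agent: updater\r\n\r\n"

if __name__ == "__main__":
    print(resolve_origin(WITH_HOST))
    print(resolve_origin(NO_HOST, orig_dst=("203.0.113.10", 80)))
    print(resolve_origin(NO_HOST))
```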
