Cdrack wrote:
Tnx for the reply, I will test it. I just have one more question.
My setup is like this. On my proxy server, I have eth0 connected to the
Internet and eth1 connected to the LAN.
My question is, if the request for the website comes from my local LAN and
the iptables rule is intended to not allow Squid to intercept that
particular website request, how is the web request handled? How will the request
coming from eth1 make its way to eth0 ---> website ---> and the reply back
to eth0 and then back to the user in the eth1 network?
As I said, I have not tested this yet, but I would like to understand a
little about how this works.
Normally requests go through your routing logic as packets and straight
connections between client and web server. Your control boxes are
concerned only with packet routing.
When you added NAT interception it diverted all their requests to Squid.
So the client is then unknowingly speaking to Squid which must fake
being a web server for it and do a lot of processing to generate a
second connection from Squid to the real server or load stuff from cache
and send the result back to the client in the faked connection through
NAT again in reverse.
These rules are exemptions from the intercept, returning certain
sources/destinations to normal Internet behavior. The requests are
simply following their natural path from client->server and back again.
Amos
Tnx for the help.
Amos Jeffries-2 wrote:
Cdrack wrote:
Hi Amos,
Could you please explain what should be placed instead of "squid"?
-A squid is a local custom chain name in my iptables.
It's created by:
iptables -t nat -N squid
iptables -t nat -A PREROUTING --protocol tcp --dport 80 -j squid
I ran this
iptables -t nat -A squid -j DNAT --to-destination 10.0.0.1:81
But I get this message:
iptables: No chain/target/match by that name
Seems to me that the "-A squid" part is what is not working for me.
I have the exact same problem as the guy that opened this thread.
If I understand you correctly you want requests sent to a particular site
not even to enter Squid, yes?
This is correct for me, I want to allow the browser to retrieve the website
without passing through Squid.
Tnx for your prompt reply.
Amos Jeffries-2 wrote:
Hi Folks,
I need a specific site to completely bypass my squid cache due to a broken
external webapp.
I have read the section "how do I configure Squid not to cache a specific
server?" from the wiki, which I can implement with no issues, but what I
am not sure is what this will actually do :)
Will this allow traffic to pass through squid without caching it, or will
this block the site for users?
The bit that says to configure "cache deny"? That simply prevents storage of
the request/reply objects as they go through Squid.
If I understand you correctly you want requests sent to a particular site
not even to enter Squid, yes? Once they enter Squid there is no bypassing,
so it must be done at the firewall.
For such sites I use a custom chain a bit like this to decide if the
request is intercepted or not (all the lines ending in ACCEPT are not
intercepted):
iptables -t nat -A squid -s 10.0.0.1 -j ACCEPT
...
iptables -t nat -A squid -p tcp -j DNAT --to-destination 10.0.0.1:81
You want something like:
iptables -t nat -A squid -d ip-of-website-to-permit -j ACCEPT
in your list of bypasses.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
Current Beta Squid 3.1.0.7
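Added example, not code from this thread or from the Squid project: a POSIX shell script that builds the custom "squid" NAT chain Amos describes, with every bypass exemption appended before the catch-all DNAT (iptables takes the first matching rule, so an exemption placed after the DNAT never fires) and the PREROUTING jump limited to the LAN-side interface, eth1 in Cdrack's setup. The proxy address 10.0.0.1:81 comes from the thread; the exempted site address 203.0.113.10 (a documentation address), the interface variable, the script name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build the custom "squid" NAT chain with
# bypass exemptions ahead of the catch-all DNAT. Addresses and names are
# assumptions except the proxy's 10.0.0.1:81, which comes from the thread.

SQUID_IP=${SQUID_IP:-10.0.0.1}   # proxy box, as in the thread's DNAT rule
SQUID_PORT=${SQUID_PORT:-81}     # Squid intercept port, as in the thread
LAN_IF=${LAN_IF:-eth1}           # interface the clients are behind (assumed)
IPT=${IPT:-iptables}             # set IPT=echo for a dry run

# Constructed exemption lists (space separated). Traffic matching these never
# reaches the DNAT, so it is routed normally instead of being handed to Squid.
# 203.0.113.10 is an RFC 5737 documentation address standing in for the site.
BYPASS_SRC="10.0.0.1"            # the proxy itself
BYPASS_DST="203.0.113.10"        # the site that must not go through Squid

# Print the chain's rules, one per line, in the order they must be appended.
# iptables stops at the first matching rule, so every ACCEPT (= leave the
# nat table, normal routing) has to precede the DNAT that does the interception.
# The DNAT rule carries -p tcp because a port in --to-destination requires it.
build_squid_rules() {
    for s in $BYPASS_SRC; do
        printf '%s\n' "-t nat -A squid -s $s -j ACCEPT"
    done
    for d in $BYPASS_DST; do
        printf '%s\n' "-t nat -A squid -d $d -j ACCEPT"
    done
    printf '%s\n' "-t nat -A squid -p tcp -j DNAT --to-destination $SQUID_IP:$SQUID_PORT"
}

# 1-based position of the first rule matching a grep pattern, 0 if none.
# Lets you check that the exemptions really are ordered ahead of the DNAT.
rule_index() {
    n=$(build_squid_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Create the chain if missing (appending to a chain before -N is what gives
# "No chain/target/match by that name"), flush it, fill it, then hook it
# from PREROUTING for port-80 TCP arriving on the LAN side only. The -C check
# keeps the jump from being duplicated when the script is re-run.
apply_squid_rules() {
    $IPT -t nat -N squid 2>/dev/null || true
    $IPT -t nat -F squid
    build_squid_rules | while read -r rule; do
        # word-splitting $rule into separate arguments is intended here
        $IPT $rule
    done
    $IPT -t nat -C PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j squid 2>/dev/null ||
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j squid
}

case "${1:-}" in
    show)  build_squid_rules ;;
    apply) apply_squid_rules ;;
esac
```

Run "sh squid-bypass.sh show" to print the chain contents in order, "IPT=echo sh squid-bypass.sh apply" to see every iptables command without touching the kernel tables, and "sh squid-bypass.sh apply" as root to install them. Because the PREROUTING jump only matches packets arriving on eth1, the proxy's own outbound connections on eth0 and replies coming back from the Internet are never re-intercepted, which is the path Cdrack asks about.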