Dayo Adewunmi wrote:
> Hi all
> I've got squid 2.6.18-1ubuntu3 on an Ubuntu hardy box. This box is the
> firewall and squid's on there too, running as transparent proxy. I have
> apt-cacher-ng on a separate box behind the firewall serving package
> management on the LAN by streaming from the internet. This works fine.
> Previously, I was using apt-cacher (not -ng) on the firewall itself,
> serving the LAN. This worked fine, too, until I turned squid into
> transparent. Now I'm getting 403s whenever I try to run `aptitude
> update` on the firewall. Does anyone have any experience with getting
> apt-cacher (not -ng) to work on top of a transparent squid box?

FWIW, I advise upgrading to a newer Ubuntu release. The more recent
releases bundle with squid3 and apt packages which use persistence and
pipelining connections better. Between them they can avoid the need for
a separate apt-cacher proxy.

Now, which "transparent" is being discussed I wonder?

transparent (aka NAT interception):
  Rule #1 in the firewall config of a working interception proxy is to
  prevent the box IP itself being caught into the proxy by rule #2:
  http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
  This rule can be duplicated for as many exceptions as required for
  bypassing machines past the proxy.

transparent (aka environment auto-configuration):
  run "echo $http_proxy" and see if the proxy is specified there. This
  is the main way local machine software can be silently pulled into the
  proxy.

transparent (aka WPAD auto-configuration):
  if this is catching it you will have to find the apt-cacher-ng
  config and turn off where it is set to lookup the proxy.

transparent (aka spoofing / TPROXY):
  ditto for correct firewall configuration like NAT bypassing the proxy
  IP. This time marking packets IIRC.

transparent (aka invisible):
  the system and apt-cacher config need to be checked that it's not
  configured to use the proxy. Similar but different settings to WPAD.

transparent (aka silent authentication):
  if this is the case apt-cacher will need to be configured with the
  credentials to hand over. Or squid configured to permit its requests
  without auth.

transparent (aka tunnelling):
  should not have seen any change, though maybe if you were doing this
  and now have added interception they are non-compatible on the one port.

[yes, I dislike the term "transparent". For what should now be an
obvious reason.]

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.6
Beta testers wanted for 3.2.0.1
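
Added example, not part of the original message: a check of the rule ordering described under "NAT interception", reading `iptables-save -t nat` output and reporting whether a bypass (ACCEPT) rule for the proxy box's own IP comes before the port-80 REDIRECT in PREROUTING. The function name, the sample rule sets, the 192.0.2.x addresses and port 3129 are constructed for illustration.

```shell
#!/bin/sh
# check_bypass PROXY_IP  (hypothetical helper; rules are read from stdin)
# Prints one of: ok | misordered | missing | no-redirect
check_bypass() {
    awk -v ip="$1" '
        # Return the argument following option "name" on this rule, or "".
        function opt(name,   i) {
            for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
            return ""
        }
        # Only port-80 rules in PREROUTING matter; n is their position.
        $1 == "-A" && $2 == "PREROUTING" && opt("--dport") == "80" {
            n++
            target = opt("-j"); src = opt("-s")
            if (target == "REDIRECT" && !redir) redir = n
            if (target == "ACCEPT" && !bypass && (src == ip || src == (ip "/32")))
                bypass = n
        }
        END {
            if (!redir)              print "no-redirect"
            else if (!bypass)        print "missing"
            else if (bypass < redir) print "ok"
            else                     print "misordered"
        }'
}

# Constructed sample: bypass first, then the interception rule.
sample_good() { cat <<'EOF'
*nat
-A PREROUTING -s 192.0.2.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A POSTROUTING -j MASQUERADE
COMMIT
EOF
}

# Constructed sample: same rules in the wrong order, so the bypass never matches.
sample_misordered() { cat <<'EOF'
*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -s 192.0.2.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# On the firewall itself (as root): iptables-save -t nat | check_bypass "$SQUIDIP"
sample_good | check_bypass 192.0.2.1
sample_misordered | check_bypass 192.0.2.1
```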