
Re: Transparent squid and apt-cacher on the same box


 



Dayo Adewunmi wrote:
Hi all

I've got squid 2.6.18-1ubuntu3 on an Ubuntu Hardy box. This box is the firewall and squid's on there too, running as transparent proxy. I have apt-cacher-ng on a separate box behind the firewall serving package management on the LAN by streaming from the internet. This works fine.

Previously, I was using apt-cacher (not -ng) on the firewall itself, serving the LAN. This worked fine, too, until I turned squid into transparent. Now I'm getting 403s whenever I try to run `aptitude update` on the firewall. Does anyone have any experience with getting apt-cacher (not -ng) to work on top of a transparent squid box?

FWIW; I advise upgrading to a newer Ubuntu release. The more recent releases bundle with squid3 and apt packages which use persistence and pipelining connections better. Between them they can avoid the need for a separate apt-cacher proxy.


Now, which "transparent" is being discussed I wonder?

transparent (aka NAT interception):
Rule #1 in the firewall config of a working interception proxy is to prevent the box IP itself being caught into the proxy by rule #2:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
This rule can be duplicated for as many exceptions as required for bypassing machines past the proxy.

transparent (aka environment auto-configuration):
run "echo $http_proxy" and see if the proxy is specified there. This is the main way local machine software can be silently pulled into the proxy.

transparent (aka WPAD auto-configuration):
if this is catching it you will have to find the apt-cacher-ng config and turn off where it is set to look up the proxy.

transparent (aka spoofing / TPROXY):
ditto for correct firewall configuration like NAT bypassing the proxy IP. This time marking packets IIRC.

transparent (aka invisible):
the system and apt-cacher config need to be checked that it's not configured to use the proxy. Similar but different settings to WPAD.

transparent (aka silent authentication):
if this is the case apt-cacher will need to be configured with the credentials to hand over. Or squid configured to permit its requests without auth.

transparent (aka tunnelling):
should not have seen any change. though maybe if you were doing this and now have added interception they are non-compatible on the one port.


[yes, I dislike the term "transparent". For what should now be an obvious reason.]

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.6
  Beta testers wanted for 3.2.0.1
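
For the NAT interception case in the reply above, a rule-order check, added here as an example (not from the thread or the Squid wiki). It assumes `iptables-save -t nat` text on stdin and HTTP on port 80; the function name, the address 192.0.2.1 and port 3128 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Reads `iptables-save -t nat` text on stdin and checks that every port-80
# REDIRECT rule is preceded, in the same chain, by an ACCEPT exemption for
# the proxy box's own IP ("rule #1" before "rule #2").
# Exit 0: exemption comes first. 1: box traffic can be caught. 2: no REDIRECT.
check_intercept_order() {
    box_ip="$1"    # address of the box running squid (assumed IPv4)
    awk -v ip="$box_ip" '
        $1 == "-A" {
            chain = $2; src = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            sub(/\/32$/, "", src)          # iptables-save prints hosts as a.b.c.d/32
            if (dport != "80") next
            if (target == "ACCEPT" && src == ip) exempt[chain] = 1
            if (target == "REDIRECT") {
                seen = 1
                if (!(chain in exempt)) bad = 1   # redirect reached before exemption
            }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample rulesets (not captured from a real firewall).
SAMPLE_GOOD='*nat
-A PREROUTING -s 192.0.2.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'
SAMPLE_BAD='*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.0.2.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

if printf '%s\n' "$SAMPLE_GOOD" | check_intercept_order 192.0.2.1; then
    echo "good sample: exemption precedes REDIRECT"
fi
if ! printf '%s\n' "$SAMPLE_BAD" | check_intercept_order 192.0.2.1; then
    echo "bad sample: REDIRECT is reached before the exemption"
fi
```

On a live box the input would come from `iptables-save -t nat` piped into the function.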

