
Re: best practice for transparent

On 10/12/10 02:37, BASDarchive wrote:

On Dec 7, 2010, at 10:35 PM, Amos Jeffries wrote:

On Tue, 7 Dec 2010 19:35:08 -0500, BASDarchive
<basdarchive@xxxxxxxxxxxxxx>
wrote:
On Dec 7, 2010, at 5:13 PM, Amos Jeffries wrote:

On 08/12/10 05:32, donovan jeffrey j wrote:
Greetings,

I recently updated my transparent proxy to Squid 3.1.9, which also uses
squidGuard for URL filters.

First "best practice" is to use the right terminology.
Sorry, I forgot we changed that ;)

Your log traces say "Accepting  intercepted HTTP connections at
10.0.2.3:3128", so they are NAT interception connections.

Yes, I am using NAT after Squid.

client --->  [ squid ] ---->  [ NAT ] --->


??
Interception proxy is done with NAT before Squid. Doing NAT on the
outside looping back into Squid could be causing the long waits you saw.

clients<-->  NAT snips -->  World
             \NAT<-->  Squid<-->  World

Thanks for the reply.

So should I have my Squid box after my firewall? My clients access through the Squid box and through the NAT firewall.

say client 10.10.1.1 ------- [ squid 10.10.1.2  --- 10.11.1.2 ] --------------->  [ NAT Firewall ] ------------->  [ bgp router to internet ]
I've had this setup for years. The 10.11.1.2 has a static NAT translation so all clients pass through the Squid.


It sounds like you are trying to describe a traffic flow of:
 client --> 10.11.1.2 --/NAT/--> Squid --/NAT/--> Firewall ---> Internet

In order to do NAT interception (aka "transparent proxy") the relevant DNAT or REDIRECT has to be done between the client and Squid.

The traffic going out from Squid has to avoid being looped back to Squid, but that is all that matters.
<snip>

#no cache settings
no_cache deny noc
no_cache deny admin
no_cache deny hs
no_cache deny ms
no_cache deny ele
no_cache deny all

"no_cache" has been renamed to "cache".

So I can use just "cache deny all"?

Yes, if you really want that.



NP: Following a list of denials with "deny all" is a waste of CPU cycles.
The rules all collapse down to a single "deny all" action.


http_access allow manager localhost
#http_access allow manager apache
http_access allow noc
http_access allow admin
http_access allow hs
http_access allow ms
http_access allow ele
http_access deny all

#Squid's user and group
cache_effective_user squid squid

Only one entry on this line. Second one is dropped.

Which one is dropped? Should it only be "cache_effective_user squid"?

Yes, it should be "cache_effective_user squid"
<snip>

For NAT interception proxy in 3.1 it should now be this:

  http_port 3128
  http_port 3129 intercept

(3129 being some unusual port only known between NAT and Squid)

So even this "http_port 10.0.1.2:3128 transparent" is outdated?


Yes, the confusing "transparent" keyword is deprecated.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
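The two practical points of the reply above, the squid.conf clean-ups (no_cache renamed to cache, a deny list collapsing into "deny all", a second argument on cache_effective_user, the deprecated "transparent" keyword and a separate unusual intercept port) and putting the NAT REDIRECT between the clients and Squid rather than after it, as one added example. This is example code written for this archive page, not code from the thread or from the Squid project. The sample config is constructed from the lines quoted in the thread; the interface name, LAN network, intercept port and unix user passed to interception_rules() are assumed values, and the iptables options used (REDIRECT, the owner match, and the conntrack match's --ctorigdstport) are those of Linux iptables on the Squid host.

```python
"""Added example for the squid-users thread: squid.conf clean-up plus
the iptables rules that do NAT interception *before* Squid.
Not code from the thread or the Squid project; see lead-in."""

# Constructed from the config lines quoted in the thread (not a real file).
CONSTRUCTED_CONF = """\
#no cache settings
no_cache deny noc
no_cache deny admin
no_cache deny all

http_access allow manager localhost
http_access allow noc
http_access deny all

#Squid's user and group
cache_effective_user squid squid
http_port 10.0.1.2:3128 transparent
"""


def migrate_squid_conf(text):
    """Return (fixed_lines, warnings) after applying the thread's fixes."""
    out, warnings = [], []
    pending = []  # consecutive "<directive> deny <acl>" lines of one directive
    has_intercept = has_plain_port = False

    def flush():
        out.extend(pending)
        pending.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            flush()
            out.append(raw)
            continue
        tokens = line.split()

        if tokens[0] == "no_cache":  # directive renamed in 3.x
            warnings.append(f'"no_cache" has been renamed to "cache": {line}')
            tokens[0] = "cache"
        if tokens[0] == "cache_effective_user" and len(tokens) > 2:
            warnings.append(f"cache_effective_user takes one name; dropping {tokens[2:]}")
            tokens = tokens[:2]
        if tokens[0] == "http_port":
            if "transparent" in tokens[1:]:  # deprecated keyword
                warnings.append(f'"transparent" is deprecated, use "intercept": {line}')
                tokens = ["intercept" if t == "transparent" else t for t in tokens]
            if "intercept" in tokens[1:]:
                has_intercept = True
            else:
                has_plain_port = True

        directive = tokens[0]
        is_deny = len(tokens) == 3 and tokens[1] == "deny"
        if pending and (not is_deny or pending[0].split()[0] != directive):
            flush()
        if is_deny and tokens[2] != "all":
            pending.append(" ".join(tokens))
            continue
        if is_deny and pending:  # "X deny a / X deny b / X deny all" == "X deny all"
            warnings.append(f"{len(pending)} deny line(s) before '{directive} deny all' "
                            "are redundant; collapsing to 'deny all'")
            pending.clear()
        out.append(" ".join(tokens))

    flush()
    if has_intercept and not has_plain_port:
        warnings.append("only an intercept http_port is defined; keep a plain http_port "
                        "for explicit clients and use an unusual port for intercept")
    return out, warnings


def interception_rules(lan_if, lan_net, intercept_port, squid_user="squid"):
    """iptables commands (as strings) for NAT interception on the Squid host.

    The REDIRECT sits in nat/PREROUTING on the LAN-facing interface, i.e.
    between the clients and Squid. Squid's own outgoing connections are
    locally generated and traverse nat/OUTPUT, not PREROUTING, so they are
    never looped back; the owner rule only matters if local clients are
    also redirected in OUTPUT. All arguments are assumed example values.
    """
    return [
        f"iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner {squid_user} -j RETURN",
        f"iptables -t nat -A PREROUTING -i {lan_if} -s {lan_net} -p tcp --dport 80 "
        f"-j REDIRECT --to-ports {intercept_port}",
        # A redirected flow keeps original dport 80 in conntrack; a client that
        # connects straight to the intercept port has original dport == intercept_port.
        f"iptables -A INPUT -p tcp --dport {intercept_port} -m conntrack --ctstate NEW "
        f"--ctorigdstport {intercept_port} -j DROP",
    ]


if __name__ == "__main__":
    fixed, warns = migrate_squid_conf(CONSTRUCTED_CONF)
    print("\n".join(fixed))
    for w in warns:
        print("# WARNING:", w)
    print("\n".join(interception_rules("eth1", "10.10.1.0/24", 3129)))
```

The rules above belong on the Squid host (or on a router between the clients and Squid, with DNAT to the Squid box instead of REDIRECT). A NAT firewall upstream of Squid, as in the flow described in the thread, must not apply a port-80 DNAT to packets arriving from the Squid host, or Squid's egress ends up back in Squid.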

