On Wed, 26 Jan 2011 11:11:21 -0500, "Winfield Henry" wrote:
> Thanks for input. I have managed to get it functioning by using a conf
> file from alternate proxy. Looks like the difference is in the http_port
> line. To get this working it needed 'transparent'. Originally I did not put
> this in because the firewall was directing port 80 traffic to 3128 on the
> proxy box (evidently causing the issue with the broken url). We have a lot

The separate box setup means you cannot trust any IP address in your log
files to be 100% true. Squid performs NAT lookup in the local kernel tables
when in NAT interception (aka "transparent") mode and the result is used.
The fact that it works and logs the firewall as source IP when a separate
box is doing the NAT is a legacy hack which renders several security
problems undetectable. We will be fixing that soon.

> of 'frozen' desktops that are using the firewall as gateway and this can
> not be changed easily, so the rule was put in to send port 80 to 3128 on
> proxy, then allow proxy box outside access.

Solution:
* Make the firewall rule a routing rule to pass packets without NAT to the
  proxy box.
* Make the proxy box perform the DNAT/REDIRECT. (TPROXY if possible would be
  better)
* For the NAT part use a random dedicated port. It only needs to exist
  between squid and the kernel so can be firewalled closed from the world.

Amos
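The three-step layout Amos describes, written out as the firewall and proxy-box rule sets. This is an added example, not code from the thread or from the Squid project. Interface names, the proxy address (192.0.2.10, from the documentation range) and the intercept port 3129 are assumed placeholders; the script only prints the commands unless APPLY=1 is set, so it can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example for the two-box interception setup discussed in the thread.
# Names below are assumptions: adjust interfaces, addresses and port to your site.
LAN_IF="${LAN_IF:-eth1}"                  # firewall interface facing the desktops (assumed)
DMZ_IF="${DMZ_IF:-eth2}"                  # firewall interface facing the proxy box (assumed)
PROXY_IF="${PROXY_IF:-eth0}"              # proxy box interface facing the firewall (assumed)
PROXY_IP="${PROXY_IP:-192.0.2.10}"        # proxy box address (constructed, RFC 5737 range)
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"  # dedicated NAT-only port, deliberately not 3128
ROUTE_TABLE=100
MARK=0x1

run() {
    # Print each command; execute it as well only when APPLY=1.
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    fi
}

# Step 1, on the firewall: a routing rule, not a NAT rule. Port-80 packets from
# the LAN are marked and sent via a separate table whose default route is the
# proxy box, so the client source address reaches the proxy unchanged.
firewall_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$ROUTE_TABLE"
    run ip route add default via "$PROXY_IP" dev "$DMZ_IF" table "$ROUTE_TABLE"
}

# Steps 2 and 3, on the proxy box: the REDIRECT happens here, in the same
# kernel Squid queries for the original destination, into a port that is
# reachable only through that redirect.
proxy_rules() {
    run iptables -t nat -A PREROUTING -i "$PROXY_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$INTERCEPT_PORT"
    # Accept the intercept port only for connections the NAT table rewrote ...
    run iptables -A INPUT -p tcp --dport "$INTERCEPT_PORT" \
        -m conntrack --ctstate DNAT -j ACCEPT
    # ... and close it to everything else, including direct hits from outside.
    run iptables -A INPUT -p tcp --dport "$INTERCEPT_PORT" -j DROP
}

# The matching squid.conf line, using the 'transparent' flag named in the
# thread (later Squid releases spell this option 'intercept').
squid_http_port_line() {
    printf 'http_port %s transparent\n' "$INTERCEPT_PORT"
}

firewall_rules
proxy_rules
squid_http_port_line
```

The INPUT rules are what make the dedicated port "closed from the world": a packet whose conntrack entry carries the DNAT state got there through the REDIRECT, anything else addressed to the port directly is dropped. Because no address rewriting happens on the firewall, the source IP Squid resolves from its local NAT table and writes to access.log is the real client's.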