On Feb 16, 2011, at 10:29 AM, Harald Dunkel wrote:

> Hi folks,
>
> I would like to route HTTP traffic from my OpenBSD gateway
> to a dedicated host running squid 3.1 on Linux for interception.
> Here is a picture:
>
>            /|\  87.189.95.69
>             |
>             |
>        em0  |
>   +---------+-------+
>   | OpenBSD Gateway |
>   +---------+-------+
>        em1  | 172.99.96.4
>             |
>             | 172.99.96.50
>             |      +-------------------+
>             +------| Linux Squid Proxy |
>             |      +-------------------+
>             |
>             |      +-------------+
>             +------| HTTP Client |
>      172.99.96.156 +-------------+
>
> The iptables code on
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>
> was very helpful for small files, but for a large download
> on a slow line the http client prints "connection reset by
> peer" after 30+ secs, and terminates.
>
> The state information on the OpenBSD gateway shows
>
> em1 tcp 87.189.95.69:80 <- 172.99.96.156:45848 CLOSED:SYN_SENT
> em1 tcp 87.189.95.69:80 <- 172.99.96.50:51229 ESTABLISHED:ESTABLISHED
> em0 tcp 80.149.209.55:64755 (172.99.96.50:51229) -> 87.189.95.69:80 ESTABLISHED:ESTABLISHED
>
> immediately after the connection has been opened.
> The line with "CLOSED:SYN_SENT" goes away when the
> client gets the ECONNRESET.
>
> 30 seconds is the default timeout for removing entries
> from OpenBSD's stateful inspection table. Is it possible
> that the squid proxy did not complete the TCP handshake
> via the gateway, but by using the direct connection to the
> client?

Is squid configured as intercept (aka transparent) or as proxy? Post squid.conf and we can see what's up.

-j

> Any helpful comment would be highly appreciated.
>
> Regards
>
> Harri
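An added example, not part of the thread above: a small Python parser for `pfctl -ss`-style state lines like the three quoted in the mail, which flags states where the originator is in SYN_SENT but the responder side is still CLOSED while another host already holds an established state to the same destination. That is the symptom of the asymmetric path Harald suspects (the SYN crossed the gateway, the SYN-ACK did not). It assumes the STATE:STATE pair is printed in the same left:right order as the two endpoints; the sample lines are constructed from the ones in the mail.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the `pfctl -ss` lines quoted in the mail.
SAMPLE_STATES = """\
em1 tcp 87.189.95.69:80 <- 172.99.96.156:45848 CLOSED:SYN_SENT
em1 tcp 87.189.95.69:80 <- 172.99.96.50:51229 ESTABLISHED:ESTABLISHED
em0 tcp 80.149.209.55:64755 (172.99.96.50:51229) -> 87.189.95.69:80 ESTABLISHED:ESTABLISHED
"""

# ifname proto left [(pre-NAT)] <-|-> right LEFT_STATE:RIGHT_STATE
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)"
    r"(?:\s+\((?P<orig>[^)]+)\))?\s+(?P<dir><-|->)\s+(?P<right>\S+)"
    r"\s+(?P<left_state>[A-Z_]+):(?P<right_state>[A-Z_]+)$"
)


@dataclass
class State:
    ifname: str
    proto: str
    src: str        # endpoint that sent the first packet (the originator)
    dst: str        # endpoint it was sent to (the responder)
    src_state: str
    dst_state: str


def parse_states(text):
    """Parse pfctl -ss style lines.  '<-' is inbound (left is the responder),
    '->' is outbound (left is the originator, pre-NAT address in parentheses)."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # skip headers or lines in another format
        if m["dir"] == "<-":
            src, dst = m["right"], m["left"]
            src_state, dst_state = m["right_state"], m["left_state"]
        else:
            src, dst = m["orig"] or m["left"], m["right"]
            src_state, dst_state = m["left_state"], m["right_state"]
        states.append(State(m["ifname"], m["proto"], src, dst, src_state, dst_state))
    return states


def half_open_with_established_peer(states):
    """Originator is in SYN_SENT, responder side still CLOSED (no SYN-ACK seen by pf),
    while another host already has an ESTABLISHED state to the same destination."""
    established_dsts = {s.dst for s in states
                        if s.src_state == "ESTABLISHED" and s.dst_state == "ESTABLISHED"}
    return [s for s in states
            if s.src_state == "SYN_SENT" and s.dst_state == "CLOSED"
            and s.dst in established_dsts]
```

Run it against the output of `pfctl -ss` on the gateway; each flagged entry names a client whose handshake reply never passed the firewall, which is exactly the entry that disappears when the state times out and the client sees ECONNRESET.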