Re: Re[2]: Non-transparent port works, transparent doesn't

On Tue, 18 Oct 2011 23:23:44 +0400, zozo zozo wrote:
> Does it mean that now intercepting squid can only work on the gateway machine?

No. It means that routers like yours need to be configured for policy routing (aka "packet forwarding") instead of NAT port mapping (aka "port forwarding").

This config was written particularly for the *WRT use case (but applies
to any Linux router):
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

> Can you please make it even more clear:
> Squid 3.2 can be used on a separate machine and be transparent only
> if it's directly connected to the routing machine, right?

Okay, to be clear:

"transparent" is a confusing word. By itself it means several different and non-overlapping things. Other words are always needed to clarify *what* is transparent.

Interception proxy is purely and simply the idea of getting packets into Squid when they should have been delivered elsewhere. NAT is _one_ form of interception.

Routing is how packets move around. In this case we are concerned with getting some port 80 packets to arrive on the Squid box. Nothing more.

Interception and routing are unrelated operations. What I am talking about is using one (routing) to feed the other (interception) with packets. So the overall system is called "transparent interception proxy" or some such.


> Because routing tables can only send packets to gateways directly
> connected to them?

BUT the machine receiving can itself be a router gatewaying the packets to another. You can chain as many routers as you like, it just adds a lot of complexity to be managed.

> I.e. I can't put my transparent proxy to internet, I need it to be in
> same IP space as my network interface?

You can put it anywhere you like. There are only two requirements:

 1) NAT happens on the same OS.
So Squid can have direct access to the NAT data to undo the destination IP erasure.

 2) Squid needs access to the same DNS as the clients.
To verify the packet's destination IP matches the HTTP requested domain.


> Could I do it in 3.1?

Yes, these requirements are only strictly enforced in 3.2+, but following them improves reliability and security on all Squid.

Amos
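As an added illustration of the two requirements Amos lists (this is not code from the thread or from Squid itself), here is a small Python model of what the Squid host must be able to do with one intercepted connection. The NAT table and DNS answers are constructed stand-ins: in a real deployment the first is the kernel's NAT/conntrack state, which is only readable when NAT happened on the same OS, and the second is the resolver Squid shares with its clients.

```python
# Constructed sample data (not real addresses; RFC 5737 documentation ranges).
# Requirement 1: the original destination survives only in the local NAT table.
NAT_TABLE = {
    # (client_ip, client_port, local_port) -> destination before REDIRECT
    ("192.0.2.10", 51234, 3129): ("198.51.100.7", 80),
}
# Requirement 2: the same DNS view the clients use.
DNS = {
    "example.test": {"198.51.100.7", "198.51.100.8"},
    "other.test": {"203.0.113.5"},
}


def original_destination(client_ip, client_port, local_port):
    """Undo the destination-IP rewrite done by NAT.
    Returns None when there is no NAT entry, which is exactly what happens
    when the NAT was performed on a different box than Squid."""
    return NAT_TABLE.get((client_ip, client_port, local_port))


def host_header(request):
    """Extract the hostname from the Host header of a raw HTTP request."""
    for line in request.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":")[0]
    return None


def verify_intercepted(client_ip, client_port, local_port, request):
    """Return (accepted, reason) for an intercepted port-80 connection.
    Accept only when the NAT lookup succeeds and the recovered destination
    IP is one of the addresses the requested domain resolves to."""
    dst = original_destination(client_ip, client_port, local_port)
    if dst is None:
        return False, "no NAT entry: NAT must happen on the Squid host"
    host = host_header(request)
    if host is None:
        return False, "missing Host header"
    if dst[0] not in DNS.get(host, set()):
        return False, f"destination {dst[0]} is not an address of {host}"
    return True, f"{host} -> {dst[0]}:{dst[1]}"
```

A request whose Host header does not resolve to the intercepted destination is the case the DNS check exists to reject; a connection with no NAT entry is what Squid sees when the router did the port forwarding.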

