Search squid archive

Re: How to disable squid nat

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 25/05/2012 10:31 a.m., Luis Candia wrote:

Hi, we have a proxy to control the acces to Internet to the Lan users
and it is working right. Now I want to install a Router capable to do
a traffic shaping using the original ip addres of the LAN users, but
the router just can see the external IP of the squid server, I tried
to disable this kind of NATing that is doing the squid server but no
success. Please I need your help.

Luis Candia


Several points you need to understand before I give any solution....
1) This is how HTTP operates. It is a protocol with explicit specification for multiple hops during both request and response delivery. Those hops are i teh HTTP protocol layer, not the TCP or IP packet layers. Any given TCP connection of HTTP may contain multiple HTTP requests, each of which comes from one or more end-users.
2) Squid *is* the client of the router. Requests sent by Squid are *not* the same requests sent by the clients contacting Squid. They have been received and processed by Squid, some of them may be servered by Squid, some of them may need requests to another server to fulfill. Squid will then alter the request an pass it on. These latter are the requests from Squid->Internet which you are trying to control, at the TCP/QoS level any relation they have to an end-user is mere coincidence.
One you are clear on those, it should be clear that to remove the NAT-like behaviour from HTTP requires disabling one the major performance benefits offered by HTTP (persistent connections with pipelining and multiplexing). 


You have several options:
1) use Squid HTTP-level access and service controls. These include several ways of QoS tagging of traffic by Squid. ie no need for the router to know the lient internal IP, just to process the transaction TOS properly.
2) use a router software which supports HTTP relay/proxy itself and can identify the HTTP X-Forwarded-For headers added by Squid (enabling forwarded_for in squid.conf if its disabled).
3) setup Squid as a TPROXY interception proxy. Which retains the TCP-level IP address info across the Squid software processing stage. This does exactly what you ask for but breaks the HTTP multiplexing features annoying you, and a few others such as: authentication, DNS offloading, and non-HTTP protocol gatewaying. 

Amos
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux