Re: problem with squid 3.2 as transparent proxy

On 26.09.2012 08:02, Giovanni Rosini wrote:
> Hi everybody,
> on my server I have Linux CentOS 5.5 (kernel 2.6.18) and squid 3.2.0.12. I installed squid from source, using --enable-linux-netfilter option in
> configure command.
> As a normal proxy (enabled from browser) it works fine, but it doesn’t work
> in transparent mode.

Please upgrade to 3.2.1. Since you build from source it should be just a matter of re-building from the newer sources and installing.

That will resolve the issues inside Squid which you are likely encountering. There are possibly other issues in the network configuration which also need to be fixed as well...

> Clients connect via wireless to a Linksys WRT54GL router (with DD-WRT),
> where packets are forwarded to the proxy server.

Forwarded or routed? The difference is critical.

Squid-3.2 is now *actually* performing "transparent" operations on intercepted traffic (older Squid were doing some ALG translation more akin to NAT). Right down to preserving packet destination IP where the client was trying to contact. If your device is using NAT/NAPT (aka 'port forwarding') to re-write the packet destination to be Squid IP:port then the needed TCP details are lost and Squid outgoing connection will have problems using them.

The golden rule:
* NAT (if any) to push packets into Squid *MUST* be done on the Squid box itself. Not externally.


This config example was written specifically for OpenWRT and similar Linux devices in your situation: http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

Please ensure your WRT device is configured to MARK and route packets to Squid like above config. Do not NAT or port forward on that device. The Squid box itself is where the NAT rules get configured.

NP: that CentOS kernel is too old to support TPROXYv4 but if you upgrade you have the option of


> Until now, my system has been working with SQUID-2.6.STABLE21 without any
> problems.
> Now, if I use the transparent option in http_port tag (as I did until
> yesterday) the browser tells me that connection is canceled,
> if I don’t specify that option, squid tells me “invalid url”.
> Can anyone help me?
>
> Thanks
> Giovanni



Amos
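
One way to check both boxes against the golden rule in the reply above, as an added example that is not part of the original thread or the Squid wiki: it reads `iptables-save` output and flags a router that rewrites port 80 destinations, or a Squid box that does no NAT of its own. The helper name `audit_intercept` is hypothetical, and all addresses, ports and rule sets are constructed samples.

```shell
#!/bin/sh
# Audit an iptables-save dump (stdin) against the golden rule above.
# $1 = which box the dump came from: "router" or "squid".
# audit_intercept is a hypothetical helper; it prints one line per finding.
audit_intercept() {
    awk -v role="$1" '
        /^[*]/ { table = substr($0, 2); next }   # table header, e.g. "*nat"
        $1 == "-A" && $2 == "PREROUTING" {
            port = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (port != "80") next
            if (table == "nat" && (target == "DNAT" || target == "REDIRECT")) nat = 1
            if (table == "mangle" && target == "MARK") mark = 1
        }
        END {
            if (role == "router") {
                if (nat)   print "FAIL: router rewrites the port 80 destination; NAT belongs on the Squid box"
                if (!mark) print "FAIL: router has no MARK rule for port 80 to policy-route on"
            } else if (role == "squid") {
                if (!nat)  print "FAIL: Squid box has no REDIRECT/DNAT rule for port 80"
            } else print "FAIL: unknown role " role
        }'
}

# Constructed sample: router that port-forwards to the proxy (the broken setup).
ROUTER_DNAT='*nat
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:3128
COMMIT'

# Constructed sample: router that only marks packets for policy routing.
ROUTER_MARK='*mangle
-A PREROUTING -s 192.168.1.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x2/0xffffffff
COMMIT'

# Constructed sample: Squid box doing the interception NAT itself.
SQUID_BOX='*nat
-A PREROUTING -s 192.168.1.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
COMMIT'

printf '%s\n' "$ROUTER_DNAT" | audit_intercept router
```

On live systems the input would be `iptables-save | audit_intercept router` on the WRT device and `iptables-save | audit_intercept squid` on the proxy; no output means the dump passed.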