Re: Newbie Help - Is this Possible?

On 20/10/2013 7:07 a.m., Aaron Wright wrote:
>> But if you place it so that the traffic flows through the proxy between the router it still has to be aware of routing, it has to know who its clients and servers are.
> Hmm. At that point, squid would only have one client, right? The router. And the servers would be whoever the router was sending the packet to in the first place.

 ... "in HTTP there are no packets. Just messages."

As some have mentioned it does not matter where Squid is located in the network. Your router needs to *route* the clients' port 80 packets to the Squid box as if the Squid box were an upstream router. The packets need to still retain the original client IP:port and original destination server IP:port details up until the point they reach Squid.

The intercept is then properly set up on the Squid box itself so Squid has access to those original IP details on the packets. Squid MAY (or may not) route the packets back through the router on their way to the real destination. IMPORTANT: if the packets go through the router after Squid it needs to identify the packets from Squid and prevent looping back to Squid again.


> That's the part I don't yet understand, but it seems as if everyone agrees that the squid box needs to be set up to access the internet. I was hoping to pull off something more transparent, but I might have been dreaming.

The Squid box does more in HTTP than just relaying packets. Some of those things, like finding faster connection paths than the client knows about and ensuring the destination site is not being spoofed require Internet connections independent of the client packet details.

FWIW: Squid is designed to optimize HTTP, which means taking advantage of HTTP multiplexing and persistent connections whenever it can. The server outgoing connections from Squid are fully independent of the incoming client ones and any given destination server may have multiple client requests to several of its IPs collated and sent to just one of its IPs.

To cut a long comparison short; do not confuse proxies with tunnels. The properties are VERY different.


>> I'd say the easy way to do this is to put it inside your private network and point the PCs to use it as proxy or configure your router to use it.
> If I was using DD-WRT on my router, what settings should I be looking at to redirect internet traffic to squid. And I assume I don't want to redirect internet traffic from squid. I can't think of how to do that off the top of my head.

This router configuration example was written for OpenWRT and DD-WRT originally:
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

As you can see it contains two router iptables configuration snippets. One for when Squid is between router and Internet, one for when Squid is behind the router / amongst the clients.

NP: the one for when Squid is amongst the clients depends on Squid IP so only works as-is when NAT intercept is done (easiest). For anything more than semi-transparent you have to play around with routing by TOS values.

The Squid box has a separate configuration to the router, e.g. one of these:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect


Amos
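The two-sided setup Amos describes above (router steers clients' port 80 to the Squid box as a next hop, the Squid box intercepts locally, and the router excludes Squid's own traffic so it is not looped back) as an added shell example. It is not code from the thread or from the Squid wiki pages linked above; it uses the policy-routing variant rather than router-side NAT, and the address 192.168.1.10, interface br0, port 3129, fwmark 3 and routing table 2 are constructed assumptions that can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not code from the thread or the Squid wiki: emit the
# router-side and Squid-box-side rules for the "Squid amongst the clients"
# layout. Every address, interface, port and table number is a constructed
# assumption; override them via the environment to fit a real LAN.
SQUID_IP="${SQUID_IP:-192.168.1.10}"   # assumed address of the Squid box
SQUID_PORT="${SQUID_PORT:-3129}"       # assumed 'http_port 3129 intercept' in squid.conf
LAN_IF="${LAN_IF:-br0}"                # assumed LAN bridge name on a DD-WRT/OpenWRT router
MARK="${MARK:-3}"                      # arbitrary fwmark used to select the policy route
TABLE="${TABLE:-2}"                    # arbitrary routing table number for that route

# Router side: mark clients' port-80 TCP and policy-route it to the Squid box
# as the next hop. No NAT happens here, so packets keep their original client
# and server IP:port when they reach Squid. "! -s $SQUID_IP" is the loop
# guard: Squid's own outbound fetches pass back through the router and must
# not be steered to Squid again. send_redirects is disabled so the router does
# not tell clients to talk to the Squid box directly.
router_rules() {
  cat <<EOF
sysctl -w net.ipv4.conf.$LAN_IF.send_redirects=0
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 80 ! -s $SQUID_IP -j MARK --set-mark $MARK
ip rule add fwmark $MARK table $TABLE
ip route add default via $SQUID_IP dev $LAN_IF table $TABLE
EOF
}

# Squid box side: the packets arrive addressed to the real web server, so
# REDIRECT rewrites them to the local intercept port and Squid recovers the
# original destination from the NAT table. The INPUT rule drops connections
# to that port that were not DNATed, so only intercepted traffic reaches it
# (a browser pointed straight at port $SQUID_PORT is refused).
squid_box_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -m conntrack ! --ctstate DNAT -j DROP
EOF
}

# Sanity check run before applying on the router: succeeds only when exactly
# one loop-guard exclusion for the Squid address is present in the rule set.
loop_guard_ok() {
  [ "$(router_rules | grep -c -- "! -s $SQUID_IP")" -eq 1 ]
}

# Dry run by default. Set APPLY=router or APPLY=squid on the matching box to
# execute the rules (requires root).
case "${APPLY:-}" in
  router) loop_guard_ok && router_rules | sh ;;
  squid)  squid_box_rules | sh ;;
  *)      printf '# router:\n'; router_rules
          printf '# squid box:\n'; squid_box_rules ;;
esac
```

Run it without APPLY to review the generated rules first; the router set only applies if the loop guard check passes, since a missing exclusion is exactly the looping failure Amos flags as IMPORTANT.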
