> > 1) why intercept mode fails (do I need any special rule on my remote SQUID
> > box?) with access denied for all requests
>
> Where is the NAT/TPROXY interception happening for (1)?
>
> It is required to be done directly on the Squid machine, with packets
> sent to that machine by *routing* or *tunnelling* (VPN) in such a way
> that the TCP packet IP:port details set by the client are completely
> untouched by the network before they hit the Squid machine.
> Typically in the past your type of setup has used NAT at the client end
> (it was "easy"), which actually erases the destination IP details and
> replaces them with the Squid machine IP:port. The problems this caused
> were hidden for a long time but recent security checks are preventing
> the Host header being used to determine the outbound connection when
> they occur. For now Squid preserves the behaviour the client would have
> seen by going to the TCP destination IP:port ...

"Redirection" is done from the VPN server to the SQUID server. I don't have special routing on SQUID's server. The reason is that from the VPN server I can query an external web site if I use the non-intercept port (I have one that has "intercept" and one without). So I assume routing is working fine. The command I used is

curl -x http://<SQUID IP>:PORT www.cnn.com

Let me know if I need to add an additional iptables rule for this to work. If I enter the proxy info wrong, curl just waits there (probably till timeout). If address/port are correct but SQUID was not running, I will get connection refused. So it tells me routing from VPN to SQUID for port 80 seems to work, but "intercept" is the reason I get access denied (I can't figure out why yet, even with the full log). Where in the full log can I find out why I get access denied?

> > 2) in non-intercept mode why VPN client would have the missing hostname in the
> > request.
>
> (2) is not clear what you mean. What do you see that is indicating a
> missing hostname ?

When I say the hostname is missing, it means I get (see my first post)

NONE/400 3544 GET /

instead of

TCP_MISS/403 3544 GET www.cnn.com/

I also use "cache deny all" (and http_access allow all, which I assume allows access to everything; see my first post for the full config I have, except these two) to use no cache. Not sure if that affects the outcome? I also had an adapter which is disabled right now, but even enabled it produces the same result, so it shouldn't matter (just thought to mention that).

Thanks
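The following is an added example, not code from Squid, from Amos, or from the original poster. It is a small Python model of the destination-selection rules Amos describes above (the TCP destination set by the client must survive untouched to the Squid box, and the Host header may only steer the outbound connection when it agrees with that destination), together with the forward-proxy case where a request carrying neither an absolute URL nor a Host header has no hostname to log. SQUID_IP, the FAKE_DNS table, the request samples and the result strings are all constructed stand-ins and only loosely mirror real access.log codes.

```python
"""Added example, not code from Squid or from anyone in this thread.

A simplified model of how a proxy works out where an outbound
connection should go, and why interception only works when the
NAT/TPROXY step happens on the Squid box itself.  Every input below is
constructed; the DNS table is a stand-in for real lookups and the
result strings only loosely mirror the access.log codes quoted in the post.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumption: the address of the Squid machine (hypothetical).
SQUID_IP = "10.0.0.2"

# Constructed DNS answers (not real lookups).
FAKE_DNS = {
    "www.cnn.com": {"151.101.1.67", "151.101.65.67"},
}


@dataclass
class Request:
    request_line: str                    # e.g. "GET http://www.cnn.com/ HTTP/1.1"
    headers: dict = field(default_factory=dict)
    intercepted: bool = False            # arrived on an "intercept" port?
    orig_dst_ip: Optional[str] = None    # TCP destination as seen on the Squid box
    orig_dst_port: int = 80


def parse_target(request_line: str, headers: dict) -> Tuple[Optional[str], str]:
    """Return (host, path).

    A forward-proxy client sends the absolute-form URL, so the host is in
    the request line.  An intercepted (or misbehaving) client sends only
    the path, and the host has to come from the Host header, which may be
    absent.
    """
    _method, target, _version = request_line.split(" ", 2)
    if target.startswith("http://"):
        rest = target[len("http://"):]
        authority, _, path = rest.partition("/")
        return authority.split(":")[0], "/" + path
    host = headers.get("Host")
    return (host.split(":")[0] if host else None), target


def log_url(host: Optional[str], path: str) -> str:
    """The URL column as it would appear in the access log."""
    return path if host is None else host + path


def decide(req: Request) -> Tuple[str, str, Optional[Tuple[str, int]]]:
    """Return (result, logged URL, outbound (ip_or_host, port) or None)."""
    host, path = parse_target(req.request_line, req.headers)
    url = log_url(host, path)

    if not req.intercepted:
        # Forward-proxy port: with no host anywhere there is nowhere to go,
        # which is the "GET /" with a 400 seen in the post.
        if host is None:
            return "NONE/400", url, None
        return "TCP_MISS", url, (host, 80)

    # Intercept port: the only trustworthy destination is the one the
    # client put in the TCP packet.  If NAT was done before the packet
    # reached this box, that destination is now Squid itself.
    if req.orig_dst_ip is None or req.orig_dst_ip == SQUID_IP:
        return "TCP_DENIED/403", url, None

    # Host-header verification: Host may only steer the connection if it
    # resolves to the address the client was actually going to.
    if host is not None and req.orig_dst_ip in FAKE_DNS.get(host, set()):
        return "TCP_MISS", url, (host, req.orig_dst_port)

    # Mismatch: ignore Host and go where the client was going.
    return "TCP_MISS", url, (req.orig_dst_ip, req.orig_dst_port)


if __name__ == "__main__":
    cases = [
        Request("GET http://www.cnn.com/ HTTP/1.1"),
        Request("GET / HTTP/1.1"),
        Request("GET / HTTP/1.1", {"Host": "www.cnn.com"}, True, "151.101.1.67"),
        Request("GET / HTTP/1.1", {"Host": "www.cnn.com"}, True, SQUID_IP),
        Request("GET / HTTP/1.1", {"Host": "www.cnn.com"}, True, "203.0.113.9"),
        # A client talking straight to the intercept port with curl -x style
        # absolute URLs: the TCP destination is Squid's own address.
        Request("GET http://www.cnn.com/ HTTP/1.1", {}, True, SQUID_IP),
    ]
    for c in cases:
        print(c.request_line, c.intercepted, c.orig_dst_ip, "->", decide(c))
```

Running it shows the two symptoms from the post side by side: a forward-proxy request that is nothing but `GET /` logs as `/` with a 400, while an intercepted request whose original destination has already been rewritten to the Squid address (including a client that connects straight to the intercept port) is refused because the only destination left is Squid itself. That last branch is the model's rendering of the requirement Amos states, that the REDIRECT/TPROXY rule belongs on the Squid machine and not on an upstream box; the model does not reproduce Squid's actual loop detection, host verification options or error codes.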