Re: Re: IPv6 + Intercept proxy


 



On 31/10/2013 9:18 a.m., WorkingMan wrote:
Mike Cardwell <squid-users <at> lists.grepular.com> writes:

* on the Wed, Oct 23, 2013 at 05:14:00PM +1300, Amos Jeffries wrote:

   For starters NAT has never been "transparent proxy". NAT is the lazy
admin's replacement, using the proxy IP on outbound to avoid having to
set up proper routing rules.
For the real Transparent Proxy use TPROXY interception ("TPROXY" being
an abbreviation of "transparent proxy").
Thanks. I was not aware of TPROXY. That sounds like a superior solution.


Anyone updated the guide with Squid 3.3 and a newer Linux kernel (3.11, e.g. with
Ubuntu 13)?

My coworker said the TPROXY way doesn't route the traffic to the remote host
correctly.

True. TPROXY does not do routing at all, which may explain that.

Routing is additional configuration you must set up in the network to allow TPROXY to do its thing without causing problems.

  He tried this a few months ago. I think we need an up-to-date guide on
transparent proxy for remote host (with a concrete example that works). I
followed too many guides that don't work.

TPROXY is not routing. It is packet interception: taking a packet from the kernel TCP stack and delivering it to a local process running on that machine, then taking packets from that same local process marked with a special TPROXY flag and allowing them to be routed despite having a src address of a different machine (spoofing is normally prohibited by the kernel).

Simple really. But it places a lot of requirement pressure on the networking and routing to handle the packets properly.

The alternative for remote host is policy-based routing (if you followed my
other thread on this for IPv4, but IPv6 should not be too different). But as I
said before I am not able to make it work.

Unfortunately the policy routing is mandatory whenever there are alternative routes for the packets to travel over which bypass the interceptor proxy.

Amos
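
The split described in the reply above (interception on the proxy host, policy routing on the network), sketched as an added example that is not part of the original thread or of the Squid project's documentation. It covers IPv4 as well as the IPv6 case discussed here; the port, marks, table numbers, interface names and the 2001:db8:: address are assumptions, and the router is assumed to reach the proxy on its own interface.

```shell
#!/bin/sh
# Added example: prints (does not run) the commands for a TPROXY setup.
# Review the output, then pipe it to `sh` as root on the relevant machine.
PROXY_PORT=3129           # assumed squid.conf line: http_port 3129 tproxy
MARK=1; TABLE=100         # fwmark and routing table used on the proxy host
PROXY6="2001:db8:0:2::2"  # constructed address of the proxy (documentation prefix)
LAN_IF=eth1; WAN_IF=eth0; PROXY_IF=eth2   # assumed router interfaces

# Proxy host: interception only. DIVERT keeps packets of already-intercepted
# connections local; TPROXY hands new port-80 connections to Squid; the
# rule/route pair makes the kernel deliver marked packets locally.
proxy_rules() {           # $1 = 4 or 6
    case "$1" in
        4) ipt=iptables;  all="0.0.0.0/0" ;;
        6) ipt=ip6tables; all="::/0" ;;
        *) echo "usage: proxy_rules 4|6" >&2; return 1 ;;
    esac
    cat <<EOF
$ipt -t mangle -N DIVERT
$ipt -t mangle -A DIVERT -j MARK --set-mark $MARK
$ipt -t mangle -A DIVERT -j ACCEPT
$ipt -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
$ipt -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark $MARK/$MARK --on-port $PROXY_PORT
ip -$1 rule add fwmark $MARK lookup $TABLE
ip -$1 route add local $all dev lo table $TABLE
EOF
}

# Router (IPv6): policy routing. Client requests and server replies both have
# to pass through the proxy, because Squid's outbound packets carry the
# client's source address. Traffic arriving on PROXY_IF is left unmarked.
router_rules6() {
    cat <<EOF
ip6tables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j MARK --set-mark 2
ip6tables -t mangle -A PREROUTING -i $WAN_IF -p tcp --sport 80 -j MARK --set-mark 2
ip -6 rule add fwmark 2 lookup 200
ip -6 route add default via $PROXY6 dev $PROXY_IF table 200
EOF
}

case "${1:-}" in
    proxy)  proxy_rules "${2:-6}" ;;
    router) router_rules6 ;;
esac
```

Run it as `sh script.sh proxy 6` on the proxy host and `sh script.sh router` on the router to see each command set before applying it.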



