On 16/07/2014 9:23 a.m., Nicolás wrote:
> Thanks! That would indeed cover the first issue :-) I initially used
> redirect because somewhere I read that it's not a good idea forwarding
> the traffic directly to the port where squid listens and it should be
> pointed to another port instead and then redirected.

Sounds like you read one of my explanations and did not quite get it. Hope this helps clarify:

That is all true regarding *intercepted* port 80 traffic. The traffic which is actually destined to a webserver directly.

For traffic such as your testing with (CONNECT etc) on non-80 ports the traffic is destined to a proxy. So the NAT IP addressing does not matter and the security checks on the interception do more harm than good.

This is why you should keep the ports separate. Because the traffic on port 80 and the traffic destined to a proxy are quite different beasts.

> However, working as
> this, it would be enough to set a firewall policy to permit just the
> client range of IPs. Let's see whether I can solve the second issue too...
>

Yes, if I am understanding you that firewall policy should be needed regardless of whether you are dealing with explicitly configured clients or intercepting the port 80 traffic.

Amos
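The port separation and the firewall policy discussed above, written out as an added configuration example (not from the thread or the Squid project); the port numbers 3128/3129, the file path and the client range 192.168.1.0/24 are assumed placeholders:

```conf
# /etc/squid/squid.conf (assumed path)

# Explicit proxy port: browsers configured with the proxy send their
# requests (including CONNECT) here. Nothing is NATed to this port.
http_port 3128

# Separate port for intercepted port-80 traffic. The NAT REDIRECT below
# targets this port only, so the origin-destination checks that
# "intercept" mode performs never run against explicit-proxy traffic.
http_port 3129 intercept

# Same client range for both ports; everything else is refused by Squid
# even if a packet gets past the firewall.
acl localnet src 192.168.1.0/24      # assumed client range
http_access allow localnet
http_access deny all

# Netfilter rules on the Squid host (run as root; IPv4 shown only).
# Redirect only the client range's port-80 traffic to the intercept port.
#   iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3129
# Firewall policy applied regardless of proxy mode: only the client
# range may reach either listening port.
#   iptables -A INPUT -p tcp -m multiport --dports 3128,3129 -s 192.168.1.0/24 -j ACCEPT
#   iptables -A INPUT -p tcp -m multiport --dports 3128,3129 -j DROP
```

The INPUT rules are what keeps the intercept port from being usable as an open proxy by hosts outside the client range; the NAT rule alone does not restrict who can connect to 3129 directly.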