Search squid archive

Re: Re: Three questions about Squid configuration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 18/07/2014 7:25 a.m., Nicolás wrote:
> Ok, I'll try to explain the scenario again and more detailed (I remark
> that I'm using this guide which states that it should work for public IP
> addresses: http://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource):
> 
> Client side: Has public IP address A.B.C.D
> Server side: Has public IP address E.F.G.H
> 
> On the client side, I added the following iptables rule:
> 
>     iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination
> E.F.G.H:3128

Okay. The situation seems clear now. This rule is capturing both the
client UA output traffic and Squid output traffic.

You need the rule omitting Squid from being catured. The config example
should have mentioned it, I have added that now.

iptables -t nat -A OUTPUT --match owner --uid-owner proxy -p tcp --dport
80 -j ACCEPT

Note the one you tried earlier and failed was in PREROUTING, not OUTPUT.
This should be the correct one.



NP: you could also use REDIRECT instead of DNAT if you want to avoid
figuring out the server/client "side" IP address issues. But try the
above iptables rule in your existing config first to confirm if it works
before moving on to that change.


<snip>
> access.log:
> 
>     1405623902.957      0 A.B.C.D TCP_MISS/403 4300 GET
> http://google.es/ - HIER_NONE/- text/html
>     1405623902.958      1 A.B.C.D TCP_MISS/403 4419 GET
> http://google.es/ - HIER_DIRECT/E.F.G.H text/html
> 

Note that these are in order of completion rather than order of
initiation. The second line is the first request (cleint->server
intercepted into Squid) the first line is the squid->server looped request.

Amos




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux