I'd rather not have to route everything (incl. normal ingoing web
traffic) through the squid box.. and the firewalls are proprietary stuff
- so can't install squid there :)

It works fine in accel mode.. and I can limit what URLs each client IP
is able to access, and disable caching..

Shouldn't accel mode, for this use case (curl access from websites - all
using HTTP/1.1 with Host header) be good enough - or are there security
issues I am not aware of?

I realize I move the DNS lookup to the squid box - but that's actually
what I want in this case.

Amos Jeffries wrote on 03/12/2015 01:05 PM:
On 13/03/2015 12:27 a.m., Klavs Klavsen wrote:
Klavs Klavsen wrote on 03/12/2015 12:15 PM:
the routing example didn't seem to work :(
As I understand it.. I can't use DNAT on client machine to get packages
to squid box.. and since it's locally generated packages (i.e. I want to
capture on the clients - instead of capturing on their default gateway),
the packages only traverse POSTROUTING and OUTPUT..
any hints appreciated :)
You can either set the clients' default gateway to be the Squid machine,
which just forwards non-HTTP packets on to the actual gateway router,
which is set as the Squid machine's default gateway.

Or, add policy routing into the gateway router diverting just the port
80 traffic from the real clients (but excluding the Squid machine) to
the Squid machine as its upstream router.

In both those cases both the normal gateway and the Squid machine are
configured as routers with the Squid machine using the real gateway as
its default gateway.

Or, you can run Squid on the main gateway router - provided it has
enough memory for what you want it doing.

You can also physically plug the Squid machine into the network path as
a router before the main gateway router. This is the same as the first
option but hard-wired as well as configured.

Capture won't work on client devices because Squid can't make system calls
directly into their remote machine's kernel / NAT driver. You end up with
wrong IPs known to Squid and those loops.

So, pick one of the two above options and let's see why the routing is
"not working".

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
--
Regards,
Klavs Klavsen, GSEC - kl@xxxxxxx - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
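
The policy-routing option from the quoted reply, sketched for a Linux gateway as an added example that is not part of the original thread. The addresses, interface name, mark and table numbers and the 3129 intercept port are assumptions; by default the script only prints the commands so they can be reviewed.

```shell
#!/bin/sh
# Added example: divert only port-80 traffic from the LAN to the Squid machine.
# All values below are constructed placeholders, not taken from the thread.
SQUID_IP="${SQUID_IP:-192.0.2.10}"   # Squid machine (constructed address)
LAN_IF="${LAN_IF:-eth0}"             # gateway's LAN-facing interface
MARK=3                               # fwmark put on diverted packets
TABLE=2                              # routing table holding the Squid route
APPLY="${APPLY:-0}"                  # 0 = print only, 1 = execute (needs root)

# Print the command, or execute it when APPLY=1.
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else echo "$*"; fi
}

# Rules for the gateway router.
gateway_rules() {
    # 1. Squid's own outbound port-80 traffic must leave normally; without
    #    this exclusion it is routed back to Squid and loops.
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 -s "$SQUID_IP" -j ACCEPT
    # 2. Mark every other port-80 packet arriving from the LAN.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j MARK --set-mark "$MARK"
    # 3. Marked packets use a table whose default route is the Squid machine.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$SQUID_IP" dev "$LAN_IF" table "$TABLE"
}

# Rule for the Squid machine itself: the NAT step happens here, in the same
# kernel Squid queries for the original destination address.
# squid.conf needs a matching "http_port 3129 intercept" line.
squid_box_rules() {
    run iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3129
}

echo "# on the gateway router:"
gateway_rules
echo "# on the Squid machine:"
squid_box_rules
```
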