Re: Zyxel USG20 and Squid 3.3

> NP: It's too late now, but please in future start new threads for new
> topics. It seriously screws up reading for those of us with threaded
> mailers or forum-style mirrors of the mailing list like Nabble.

Yes, this was not planned - I first used the wrong button in my email program (list-answer and not create). But later (before your reply) I also created this new thread - shall we use the other thread for further posts?

> Sounds like a nasty recipe for trouble forwarding all your LAN traffic
> via somewhere on the Internet to your internal proxy. I hope that is
> just terrible documentation on the part of the firewall authors.
>
> The answer to your problem sits in how this firewall feature actually
> works...
>
> * If that's a fancy name for NAT or NAPT / port-forwarding then it's not
> usable to get traffic to Squid.
>
> * If it's a mini proxy relaying the traffic then Squid should be setup
> with a regular forward-proxy port to receive it.
>
> * If it's something else, it may or may not be workable.
>
> Squid requires firewalls and routers on other machines to be doing
> Layer-2 (routing) or Layer-3 (tunneling) packet forwarding without the
> IP address destroying operations that NAT does.

The ZyXel USG 20 is a Linux-based hardware router/firewall solution for small business use. I have found a small online overview of the HTTP Redirect functionality. In my opinion - this should work well with Squid?

http://www.manualslib.com/manual/363461/Zyxel-Communications-Zywall-Usg-20.html?page=347#manual

The picture on this site shows exactly my configuration.

>> On MySquid, a Squid 2.7 stable version is running with this setting:
>>
>> http_port 3128 transparent
>>
>> It works fine - any HTTP request from the LAN goes through the MySquid Proxy.
>
> Well it *seems* to work. But only because Squid-2.7 was lying to you in
> its logs.
>
> Old Squid like 2.7 would take the most outrageous lies and forgery in
> the TCP/IP packets and believe them. But log the HTTP level details and
> tell you it was going to the place the client wanted even if the client
> would actually have gone to some other server entirely had Squid not
> been there in the path.
>
> 3.2 and later contain a bit more security to ensure the traffic actually
> goes to the server the client was connecting to (ORIGINAL_DST or a
> properly DNS listed equivalent with the same domain name).

Could be that it lies - but I also use squidGuard and blocked content is really blocked - so I think that Squid 2.7 should work correctly.

> Your firewall though is telling your Squid that the web server the
> client was visiting is hosted at SquidIP:3128. NAT lies!
>
>> But that is no option - I can't and will not define manual proxy settings for any client in the LAN :-(
>
> No need to fear manual configuration. At the very least WPAD
> auto-configuration is your friend.
>
> You also have the easier option of placing the Squid machine physically
> in the network path before or after the ZyXel. Configuring the Squid box
> as a bridge + router with NAT sending port 80 traffic through Squid
> directly on the same box as required to make interception work.

The Squid box should not work as a network device. This is not an option. I think it should be possible to make Squid 3.x work if it was possible with Squid 2.7?

Thanks, Martin
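The check Amos describes (Squid 3.2+ comparing the HTTP Host header against ORIGINAL_DST, the address the client was really connecting to) is what makes the ZyXEL "HTTP Redirect" setup fail: after the firewall's NAT, the only original destination Squid can see is its own listener, SquidIP:3128. The following is an added, simplified model of that check written for this page; it is not Squid's own code. The address plan (`SQUID_IP`, the 192.168.1.0/24 LAN), the static stub resolver and the sample requests are constructed assumptions so that it runs offline.

```python
"""Simplified model of the Host-header vs ORIGINAL_DST consistency check
that Squid 3.2+ applies to intercepted traffic (added example, not Squid
code).  Addresses and the stub resolver are assumptions for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed address plan: "MySquid" from the thread listens on 3128.
SQUID_IP = "192.168.1.10"
SQUID_INTERCEPT_PORT = 3128

# Constructed stub DNS so the example runs offline (documentation ranges).
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.com": ["93.184.216.34"],
    "cdn.example.net": ["203.0.113.5", "203.0.113.6"],
}


@dataclass
class Verdict:
    trusted: bool            # Host header and ORIGINAL_DST agree
    connect_to: Optional[str]  # IP the proxy may forward to, None = refuse
    reason: str


def parse_host(host_header: str) -> str:
    """Strip an optional :port and IPv6 brackets from a Host header value."""
    h = host_header.strip()
    if h.startswith("["):                     # "[2001:db8::1]:443"
        return h[1:h.index("]")]
    if h.count(":") == 1:                     # "www.example.com:80"
        return h.rsplit(":", 1)[0]
    return h                                  # bare name or bare IPv6 literal


def resolve(name: str) -> List[str]:
    """Stub resolver: IP literals resolve to themselves, names via FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(name))]
    except ValueError:
        return FAKE_DNS.get(name.lower(), [])


def verify_intercepted(original_dst_ip: str, original_dst_port: int,
                       host_header: str) -> Verdict:
    """Decide what the proxy may do with an intercepted request."""
    # 1. ORIGINAL_DST must be the real server.  If the NAT lookup returns the
    #    proxy's own listener, NAT happened on another box (the ZyXEL case) or
    #    the lookup failed; forwarding there would loop back into Squid.
    if (original_dst_ip == SQUID_IP
            and original_dst_port == SQUID_INTERCEPT_PORT):
        return Verdict(False, None,
                       "ORIGINAL_DST is the proxy's own listener: NAT done on "
                       "another box or NAT lookup failed")

    # 2. The Host header must resolve to ORIGINAL_DST.  If it does not, the
    #    header is treated as forged: the request may still be sent, but only
    #    to the address the client actually opened, never to the named host.
    name = parse_host(host_header)
    if original_dst_ip in resolve(name):
        return Verdict(True, original_dst_ip,
                       "Host header agrees with ORIGINAL_DST")
    return Verdict(False, original_dst_ip,
                   f"Host header forgery: {name!r} does not resolve to "
                   f"{original_dst_ip}; pinned to ORIGINAL_DST only")


def run_demo() -> List[Verdict]:
    """Constructed cases: same-box interception, the ZyXEL redirect, a forged Host."""
    cases = [
        ("93.184.216.34", 80, "www.example.com"),       # honest, same-box NAT
        (SQUID_IP, SQUID_INTERCEPT_PORT, "www.example.com"),  # ZyXEL HTTP Redirect
        ("203.0.113.5", 80, "www.example.com"),         # Host names another server
    ]
    results = [verify_intercepted(ip, port, host) for ip, port, host in cases]
    for (ip, port, host), v in zip(cases, results):
        print(f"{ip}:{port} Host={host!r} -> trusted={v.trusted} "
              f"connect_to={v.connect_to} ({v.reason})")
    return results


if __name__ == "__main__":
    run_demo()
```

The second case is the one in this thread: because the ZyXEL rewrites the destination before the packets reach MySquid, the proxy's own NAT table has no entry for the connection and the best "original destination" it can recover is its own port, which is exactly why Squid 3.x refuses what 2.7 silently accepted. The third case shows why the check exists at all: a client on the LAN that connects to one server while sending a Host header for another would otherwise be able to poison the cache for the named site. Squid reports the latter situation in cache.log as a "SECURITY ALERT: Host header forgery detected" line.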

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users