Search squid archive

Re: Mikrotik and Squid Transparent

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 27 June 2015 at 16:33, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 27/06/2015 10:02 a.m., Alex Samad wrote:
>> Hi
>>
>> Sorry missing something here.
>>
>> I thought this was a mikrotek rtr , presumably acting as a default
>> gateway for the local lan to the internet.
>> it has a DNAT rule to capture all internet traffic that is port 80
>> (and presumably at some point in time port 443) and it DNATS it to the
>> SQUID box.
>>
>> and there needs to be a special rule on the DGW to allow squid access
>> out to the internet with out resending it back to the squid and
>> creating a loop.
>>
>> from memory thats how I used to do this. unless the DGW is large
>> enough to run squid, then DNAT to the local box and onto squid.
>
> Yes, a lot of people used to do it that way. The problem was
> CVE-2009-0801 vulnerability allowed attackers script to send any request
> to Squid claiming an arbitrary server Host: header and get that content
> both delivered back as if it was to some other domain the client thought
> it was connecting to and injected into Squid cache for other clients to
> be affected by in the same way.
>
> That is no longer permitted since Squid-3.2. The DNAT can only happen
> once, and that must be on the Squid machine so Squid can lookup the NAT
> tables and unmangle the original dst-IP.
>
> You need to use routing rules on the Mikrotik (or tunnel sometimes works
> too) to deliver the original client generated packet to the Squid
> machine without NAT changing the dst-IP:port details (SNAT is fine, but
> will cause lies about client IP in the access.log).

Okay good to know.

Alex
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux