On 27 June 2015 at 16:33, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 27/06/2015 10:02 a.m., Alex Samad wrote:
>> Hi
>>
>> Sorry, missing something here.
>>
>> I thought this was a Mikrotik rtr, presumably acting as a default
>> gateway for the local LAN to the internet.
>> It has a DNAT rule to capture all internet traffic that is port 80
>> (and presumably at some point in time port 443) and it DNATs it to the
>> Squid box.
>>
>> And there needs to be a special rule on the DGW to allow Squid access
>> out to the internet without resending it back to the Squid and
>> creating a loop.
>>
>> From memory that's how I used to do this, unless the DGW is large
>> enough to run Squid, then DNAT to the local box and on to Squid.
>
> Yes, a lot of people used to do it that way. The problem was the
> CVE-2009-0801 vulnerability, which allowed an attacker's script to send any request
> to Squid claiming an arbitrary server Host: header and get that content
> both delivered back as if it was to some other domain the client thought
> it was connecting to and injected into the Squid cache for other clients to
> be affected by in the same way.
>
> That is no longer permitted since Squid-3.2. The DNAT can only happen
> once, and that must be on the Squid machine so Squid can look up the NAT
> tables and unmangle the original dst-IP.
>
> You need to use routing rules on the Mikrotik (or a tunnel sometimes works
> too) to deliver the original client-generated packet to the Squid
> machine without NAT changing the dst-IP:port details (SNAT is fine, but
> will cause lies about the client IP in the access.log).

Okay, good to know.

Alex

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
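The following is an added example, written for this thread; it is not Squid's code and not something either poster provided. It models the Host-header check that Squid 3.2+ applies to intercepted requests, the pre-3.2 behaviour that CVE-2009-0801 abused, and why doing the DNAT on the upstream router rather than on the Squid box defeats the check. The DNS table, the proxy address PROXY_IP and the client/origin IPs are constructed for illustration; the Verdict fields and the handle()/verify_intercepted() helpers are my own names, not Squid's.

```python
"""Model of Squid's intercept-mode Host verification (Squid 3.2+) and of the
cache-poisoning path it closes.  Added illustration, not Squid source."""
from dataclasses import dataclass

# Constructed DNS view: hostname -> set of IPs.  No real resolution happens.
DNS = {
    "bank.example": {"203.0.113.10"},
    "attacker.example": {"198.51.100.7"},
}
PROXY_IP = "192.0.2.2"  # assumed address of the Squid box


@dataclass
class Verdict:
    verified: bool    # Host header agrees with the IP the client connected to
    forward_to: str   # where the request will be sent upstream
    cacheable: bool   # whether the response may be stored under the Host URL
    reason: str


def verify_intercepted(host_header: str, original_dst: str,
                       strict: bool = False) -> Verdict:
    """The IP the client actually connected to (recovered from the NAT table)
    must be one of the IPs the Host header resolves to."""
    host = host_header.split(":", 1)[0].lower().rstrip(".")
    if original_dst in DNS.get(host, set()):
        return Verdict(True, original_dst, True, "Host matches original dst")
    if strict:
        # host_verify_strict on: refuse the request outright.
        return Verdict(False, original_dst, False, "409 Conflict (strict)")
    # Default: serve only from the IP the client chose and never cache, so a
    # forged Host cannot plant content under another domain's URL.
    return Verdict(False, original_dst, False,
                   "host forgery suspected: forward to original dst only, no cache")


def original_dst_as_seen_by_squid(nat_on_router: bool, client_dst: str) -> str:
    """Squid recovers the pre-NAT destination from the *local* NAT table.
    If the router already rewrote the destination, the packet arrives carrying
    the proxy's own address and the local table holds no mapping to undo."""
    return PROXY_IP if nat_on_router else client_dst


def handle(cache: dict, host_header: str, client_dst: str, path: str,
           origin_body: str, nat_on_router: bool = False,
           verify: bool = True) -> Verdict:
    """Process one intercepted request against a shared cache.
    verify=False models the pre-3.2 behaviour: the response is keyed by the
    Host header alone, which is exactly what CVE-2009-0801 exploited."""
    original_dst = original_dst_as_seen_by_squid(nat_on_router, client_dst)
    key = f"http://{host_header}{path}"
    if not verify:
        cache[key] = origin_body
        return Verdict(True, original_dst, True, "no verification (pre-3.2)")
    verdict = verify_intercepted(host_header, original_dst)
    if verdict.cacheable:
        cache[key] = origin_body
    return verdict


def is_forwarding_loop(verdict: Verdict) -> bool:
    """True when the only destination Squid can recover is itself."""
    return verdict.forward_to == PROXY_IP


if __name__ == "__main__":
    shared = {}
    # Attacker's script: TCP connection to its own server, Host: claims the bank.
    v = handle(shared, "bank.example", "198.51.100.7", "/login", "<evil>",
               verify=False)
    print("pre-3.2:", v.reason, "cache =", shared)
    shared = {}
    v = handle(shared, "bank.example", "198.51.100.7", "/login", "<evil>")
    print("3.2+:", v.reason, "cache =", shared)
    # DNAT done on the router: Squid can no longer recover the real destination.
    v = handle({}, "bank.example", "203.0.113.10", "/", "page", nat_on_router=True)
    print("NAT on router:", v.reason, "loop =", is_forwarding_loop(v))
```

The nat_on_router case is the practical check to take away: even a legitimate request fails verification when the DNAT happened upstream, and the only address Squid can forward to is its own, which is the loop Alex describes. On a real deployment the redirect rule therefore belongs on the Squid host itself, in front of an `http_port ... intercept` listener, with `host_verify_strict` in squid.conf deciding whether a mismatch is refused or merely served uncached.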