On 20/11/2015 1:09 p.m., Brendan Kearney wrote: > when i put in just the DNAT that sends the traffic to the proxy VIP and > load balances the requests to the squid instances on port 3128 (not the > intercept port), i issue a curl command: > > curl -vvv --noproxy squid-cache.org http://squid-cache.org/ > > and get an error page saying: > > ... > <p>The following error was encountered while trying to retrieve the URL: > <a href="/">/</a></p> > > > is the DNAT stripping header info, such as the Host header, or am i > still missing something? HTTP != TCP/IP ... DNAT is only changing the IP:port details. Whatever is receiving the packet from DNAT has to also translate the HTTP layer messages from origin relative-URI format to intermediary absolute-URI format. That rule-of-thumb "MUST rule" you mentioned earlier is about those two DNAT and HTTP translation operations being required to be done together on the same machine. It is not limited to Squid. It could be HAProxy or some other LB software responsible for doing it. Squid is just the only software which actually tells you up front about the issue, instead of leaving other software later on down the transfer chain (possibly in somebody elses network) to break with errors like you see above. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users