Search squid archive

Re: intercepting traffic

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 20/11/2015 1:09 p.m., Brendan Kearney wrote:
> when i put in just the DNAT that sends the traffic to the proxy VIP and
> load balances the requests to the squid instances on port 3128 (not the
> intercept port), i issue a curl command:
> 
> curl -vvv --noproxy squid-cache.org http://squid-cache.org/
> 
> and get an error page saying:
> 
> ...
> <p>The following error was encountered while trying to retrieve the URL:
> <a href="/">/</a></p>
> 
> 
> is the DNAT stripping header info, such as the Host header, or am i
> still missing something?

HTTP != TCP/IP ... DNAT is only changing the IP:port details.

Whatever is receiving the packet from DNAT has to also translate the
HTTP layer messages from origin relative-URI format to intermediary
absolute-URI format.

That rule-of-thumb "MUST rule" you mentioned earlier is about those two
DNAT and HTTP translation operations being required to be done together
on the same machine. It is not limited to Squid. It could be HAProxy or
some other LB software responsible for doing it.

Squid is just the only software which actually tells you up front about
the issue, instead of leaving other software later on down the transfer
chain (possibly in somebody elses network) to break with errors like you
see above.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux