On 21/04/2016 2:12 a.m., nkingsquid wrote:
> Amos, I have changed the code around a bit to reflect what you guys have been
> telling me. The Netscaler is NATing. Security before, after, and around
> the device is substantial, I will tweak the code to reflect that at a later
> time, at the moment I am desperately looking for that 1 answer I mentioned
> in the post above.
>
> I did make a mistake originally saying that traffic that did NOT meet the
> rules for internal sites goes back to the Netscaler, it will instead go to
> another proxy (and various security measures) before it goes out to the
> internet.
>
> That's the code I am looking for. Redirect traffic to 2nd proxy if it's not
> trying to go to an internal resource.
>

Unfortunately no amount of security checks works in the presence of an interception proxy. By definition the intercept itself is an attack that has to be let through, and there are major side effects of the secondary things that become possible once it is through.

The security built into Squid itself to prevent CVE-2009-0801 and related holes from bypassing everything else is also substantial and forbids D-NAT being done externally to the machine Squid is running on.

Squid requires direct access to the kernel NAT table to de-obfuscate the TCP traffic and validate that it is going to the place the client intended it to. In the event of that validation failing Squid will act transparently and ensure the packets continue where they were supposed to if it were not there.

You need to:
* policy-route the traffic from the NetScaler to Squid,
* do the NAT on the Squid machine directly,
* use 'intercept' on the http_port receiving the NAT'ed traffic.

You can re-NAT the traffic outbound from Squid after it leaves Squid and into your other proxy if you like, or "never_direct allow all". That other proxy will be responsible for its own version of the CVE protections all over again.
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
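The three steps Amos lists (NAT on the Squid host, an `intercept` http_port, and relaying everything non-internal to the second proxy) can be written down as one shell script. This is an added example, not code from the thread or from the Squid project; the interface name, intercept port, second-proxy host/port and internal domain/network are placeholders that must be replaced with real values. The script only renders the NAT rule and the squid.conf fragment so they can be reviewed before being applied as root; HTTPS interception is out of scope here, so only port 80 is redirected.

```shell
#!/bin/sh
# Added example: render the NAT rule and squid.conf fragment for a Squid host
# that receives policy-routed traffic from the NetScaler, NATs it locally
# (so Squid can read the original destination from the kernel NAT table),
# fetches internal resources directly and sends everything else to a second
# parent proxy. All values below are assumptions/placeholders.

LAN_IF="${LAN_IF:-eth0}"                                  # interface facing the NetScaler (assumed)
SQUID_INTERCEPT_PORT="${SQUID_INTERCEPT_PORT:-3129}"      # intercept-mode listener (assumed)
SECOND_PROXY_HOST="${SECOND_PROXY_HOST:-proxy2.example.internal}"  # placeholder
SECOND_PROXY_PORT="${SECOND_PROXY_PORT:-3128}"            # placeholder
INTERNAL_DOMAIN="${INTERNAL_DOMAIN:-.corp.example}"       # placeholder dstdomain
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/8}"                # placeholder dst CIDR

# Kernel NAT rule that must live on the Squid machine itself: port-80 traffic
# arriving from the NetScaler is redirected to Squid's intercept port. Because
# the DNAT happens here, Squid can validate the original destination against
# the Host header instead of trusting the client (the CVE-2009-0801 check).
render_nat_rules() {
  cat <<EOF
# run as root on the Squid host; review before applying
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_INTERCEPT_PORT
EOF
}

# squid.conf fragment: intercept listener, internal-destination ACLs, and a
# parent peer for everything that is not internal. always_direct is checked
# before never_direct, so internal destinations go direct and all others are
# forced through the second proxy.
render_squid_conf() {
  cat <<EOF
# listener for the locally NAT'ed traffic (intercept needs the NAT table on this host)
http_port $SQUID_INTERCEPT_PORT intercept

# internal resources that Squid fetches itself
acl internal_sites dstdomain $INTERNAL_DOMAIN
acl internal_nets dst $INTERNAL_NET

# second proxy that handles anything not internal
cache_peer $SECOND_PROXY_HOST parent $SECOND_PROXY_PORT 0 no-query default

always_direct allow internal_sites
always_direct allow internal_nets
never_direct allow all
EOF
}

# Stand-alone run: print both artefacts for review.
echo "### NAT rules (apply on the Squid host)"
render_nat_rules
echo
echo "### squid.conf fragment"
render_squid_conf
```

Apply the printed iptables rule on the Squid host and merge the fragment into squid.conf, then `squid -k parse` to syntax-check it before reloading. Any request whose destination does not match the internal ACLs is handed to the `cache_peer` parent, which, as the reply notes, then has to perform its own destination validation.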