Amos,
> There is a different config example for REDIRECT <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
Ty, I'm going to try it using REDIRECT. I was unwilling to follow the DNAT guide because of having to enable ip-forwarding on a non-router machine. The REDIRECT version seems cleaner and is similar to what I've been doing using the embedded proxy on the Mikrotik router.
Antony,
> That won't work. You *must* perform the DNAT on the machine running Squid
Just for curiosity's sake, why is there such a restriction? I thought squid didn't enter the picture until after DNAT was done, and that by then it wouldn't know where it happened. Does it somehow query the system to know the original request destination? Wouldn't simply relying on the HOST header of the request suffice?
Ty.
2016-07-21 3:07 GMT-03:00 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On 21/07/2016 8:50 a.m., Antony Stone wrote:
> On Wednesday 20 July 2016 at 22:44:46, Bruno de Paula Larini wrote:
>
>> Em 20/07/2016 17:10, Antony Stone escreveu:
>>>
>>> You *must* perform the DNAT on the machine running Squid, which means that
>>> the packets from your clients must pass through the Squid server, either
>>> because it is in the default route, or because you use some form of policy
>>> routing (not NAT) to direct port 80 requests through it.
>>
>> If that's the case I think it would be better if the document instructed
>> to use REDIRECT --to-port instead DNAT as an implicit way to explain that.
Primarily because the document you are looking at, Bruno, is the one for
DNAT. There is a different config example for REDIRECT:
<http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
>
> What is unclear about:
>
> *NOTE:* This configuration is given for use *on the squid box*. This is
> required to perform intercept accurately and securely. To intercept from a
> gateway machine and direct traffic at a separate squid box use policy routing.
>
> ?
>
>
> Antony.
>
As to why we even have a DNAT page: that is because at high traffic
loads DNAT is measurably faster for iptables to perform than REDIRECT.
On machinery where the IPs are static and performance is needed, DNAT
*on the same machine* is the best way to go.
Amos
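A REDIRECT-style interception rule set for the Squid box itself, as Amos describes, added here as an example that is not taken from the thread or from the Squid wiki page linked above. The client-facing interface name, the intercept port 3129 and the dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example: iptables REDIRECT interception performed on the Squid box.
# Assumptions: clients reach this host on LAN_IF, and squid.conf carries
#   http_port 3129 intercept
# DRY_RUN=1 only prints the commands; DRY_RUN=0 applies them (needs root).
set -eu

LAN_IF="${LAN_IF:-eth0}"                  # assumed client-facing interface
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"  # assumed squid intercept port
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

intercept_rules() {
    # mangle/PREROUTING runs before nat/PREROUTING, so this drops packets
    # that clients aim directly at the intercept port, while packets that
    # were originally sent to port 80 (and get redirected below) pass.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp \
        --dport "$INTERCEPT_PORT" -j DROP
    # Port-80 traffic arriving from clients is redirected to the local Squid
    # intercept port. Because the NAT happens on this host, the conntrack
    # entry holding the original destination is local, which is why the
    # wiki insists the NAT be done on the Squid box and not on a gateway.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$INTERCEPT_PORT"
}

# Locally generated traffic (Squid's own outgoing requests) traverses the
# OUTPUT chain, not PREROUTING, so these rules cannot loop Squid into itself.
intercept_rules
```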
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users