On 1/10/2016 12:27 a.m., Henry Paulissen wrote: > Hi Matus, > > > On 30-09-16 12:36, Matus UHLAR - fantomas wrote: >> On 29.09.16 16:39, Henry Paulissen wrote: >>> In the company I work for we are currently using squid v2 proxies in >>> transparent mode to intercept traffic from servers to the outside >>> (access control). >>> >>> The technical solution for this is roughly as follows: >>> [server] -> [gateway] -> [firewall] >>> | >>> ----------- DNAT --------- >>> v >>> [squid] -> [gateway] -> [firewall] -> [internet router] >> >> this is a bad configuration. The firewall in the path should NOT use DNAT, >> since it makes the important part of connection (destination IP) invisible >> to squid. >> > > That is where the HTTP Host header can be used for... For squid to > figure out the destination of the request. (aren´t they?) That is what it was intended for 20 or so years ago. But times change and nowdays we have to deal with browsers that can be sent a scimple script and instructed to do all sorts of nasty things in the traffic. If you want the gory details you can find my prvious answers to people asking this same question repeatedly over the last 5 years. The TL;DR is: no, that is no longer safe to do and Squid will not do it any more. Simply dont use DNAT on the port 80 (or 443) packets before they hit the machine running Squid. Routing is a more powerful feature than most realize, make use of it. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
