Re: External nat'ed transparent proxy

+1 for Amos direction.
I am still trying to understand what the difference is between a router and a switch, since they seem to have the same CPU but are missing one or two embedded instructions.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx


-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Amos Jeffries
Sent: Friday, September 30, 2016 20:36
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  External nat'ed transparent proxy

On 1/10/2016 12:27 a.m., Henry Paulissen wrote:
> Hi Matus,
> 
> 
> On 30-09-16 12:36, Matus UHLAR - fantomas wrote:
>> On 29.09.16 16:39, Henry Paulissen wrote:
>>> In the company I work for we are currently using squid v2 proxies in 
>>> transparent mode to intercept traffic from servers to the outside 
>>> (access control).
>>>
>>> The technical solution for this is roughly as follows:
>>> [server] -> [gateway] -> [firewall]
>>>                              |
>>>    ----------- DNAT ---------
>>>   v
>>> [squid]  -> [gateway] -> [firewall] -> [internet router]
>>
>> this is a bad configuration. The firewall in the path should NOT use 
>> DNAT, since it makes the important part of connection (destination 
>> IP) invisible to squid.
>>
> 
> That is where the HTTP Host header can be used for... For squid to 
> figure out the destination of the request. (aren´t they?)

That is what it was intended for 20 or so years ago. But times change and nowadays we have to deal with browsers that can be sent a simple script and instructed to do all sorts of nasty things in the traffic. If you want the gory details you can find my previous answers to people asking this same question repeatedly over the last 5 years.

The TL;DR is: no, that is no longer safe to do and Squid will not do it any more. Simply don't use DNAT on the port 80 (or 443) packets before they hit the machine running Squid. Routing is a more powerful feature than most realize, make use of it.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
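The point Amos makes about the Host header can be shown with a small model. The following is an added illustration, not Squid's own code: it mimics the Host-header verification that Squid 3.2 and later applies to intercepted requests (resolve the Host name, compare with the TCP destination the kernel reports for the intercepted connection, and on a mismatch either forward to the real TCP destination or, with host_verify_strict on, reject the request). The proxy address, the DNS table and the request cases are constructed for the example; when an upstream firewall has already DNATed the packet, the only destination the proxy can recover is its own address, which is the "no-destination" case below.

```python
"""Model of why an intercepting proxy needs the real TCP destination.

Added illustration, not Squid's code. Squid 3.2 and later verifies an
intercepted request by resolving the Host header and comparing the result
with the destination address the kernel reports for the intercepted TCP
connection (SO_ORIGINAL_DST on Linux). A firewall that DNATs port 80
traffic to the Squid host first overwrites that destination with Squid's
own address, so the comparison can no longer be made and the only thing
left is the client-supplied Host header, which a script in a browser
controls.
"""

PROXY_IP = "10.0.0.5"  # assumed address of the Squid host (constructed)

# Constructed DNS table standing in for a resolver; these are not real records.
DNS = {
    "www.example.com": {"93.184.216.34"},
    "intranet.corp": {"10.1.1.20"},
}


def resolve(name):
    """Return the set of A records for name from the constructed table."""
    return DNS.get(name.lower().rstrip("."), set())


def host_name(host_header):
    """Strip an optional :port from a Host header value."""
    h = host_header.strip()
    if h.startswith("["):  # IPv6 literal, e.g. [2001:db8::1]:80
        return h[1 : h.index("]")]
    return h.rsplit(":", 1)[0] if ":" in h else h


def choose_upstream(orig_dst, host_header, strict=False):
    """Decide where an intercepted request may be forwarded.

    orig_dst    -- destination IP of the intercepted TCP connection
    host_header -- value of the request's Host header
    strict      -- behave like Squid's host_verify_strict on

    Returns (decision, address) where decision is one of
    "verified", "mismatch", "rejected" or "no-destination".
    This is a simplified model of Squid's behaviour, not its code.
    """
    if orig_dst == PROXY_IP:
        # DNAT on an upstream box replaced the real destination with ours.
        # Trusting Host here would let the client pick any target it likes,
        # so there is nothing safe to forward to.
        return "no-destination", None

    name = host_name(host_header)
    if name == orig_dst or orig_dst in resolve(name):
        # Host agrees with where the client's TCP connection really went.
        return "verified", orig_dst
    if strict:
        # host_verify_strict on: Squid answers 409 Conflict.
        return "rejected", None
    # Relaxed mode: never trust Host, forward to the real TCP destination
    # and do not cache the response.
    return "mismatch", orig_dst


def scenarios():
    """Run the cases discussed in the thread: routed interception vs. DNAT."""
    return {
        "routed, honest Host": choose_upstream("93.184.216.34", "www.example.com"),
        "routed, forged Host": choose_upstream("93.184.216.34", "intranet.corp"),
        "routed, forged Host, strict": choose_upstream(
            "93.184.216.34", "intranet.corp", strict=True
        ),
        "DNAT before Squid": choose_upstream(PROXY_IP, "intranet.corp"),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:30s} -> {result}")
```

Read together, the four cases show the trade: with packets routed (not DNATed) to the Squid host and intercepted locally, the proxy always has the real destination, so a forged Host header buys the client nothing; with DNAT done upstream, the real destination is gone and Squid has only the header it refuses to trust.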

