On Fri, Dec 2, 2016 at 6:27 AM, klops <lo.kenneth@xxxxxxxxx> wrote:
> Does this mean the squid box has to be the overall gateway for the internal
> network for transparency to work?
> The reason the proposed setup is the way it is is because the AWS VPC service has
> a service-based NAT gateway which we have no low-level control over, and it
> is the default gateway. We want to only route http/https traffic over to
> squid and the rest via their NAT gateway.
Couldn't you configure those VPC networks so that the AWS default route is dead by blocking all outbound (i.e. of no usable value to the EC2 hosts) and tell the EC2 host owners to change their boot scripts to delete the default gateway and replace it with your squid router (which does have Internet access)? That way you are "regaining control" of your network, and EC2 owners are "motivated" to Do The Right Thing :-)
Then there'd be no need for iptables tricks on the clients. It also means you could apply this to Windows EC2 systems too.
I'm not an AWS guru so I have no idea if that works. I'm assuming a VPC is like a VLAN
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
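As an added example, not from the thread and not Squid project code, here is a Linux boot-time script showing both routes discussed above: Jason's suggestion (delete the VPC default route and point the default at the squid router) next to the original poster's per-client approach (mark only TCP 80/443 and policy-route just that traffic to squid, leaving the rest on the AWS NAT gateway). The squid router address 10.0.0.10, policy-routing table 100 and fwmark 1 are assumptions for illustration; nothing in the thread gives these values. The script prints the commands by default and only executes them when told to apply.

```shell
#!/bin/sh
# Added example, not from the thread: boot-time route handling for a Linux
# EC2 host in the setup discussed above. Assumptions (not stated in the
# thread): the squid router is reachable at 10.0.0.10 on the host's subnet,
# and policy-routing table 100 / fwmark 1 are free for use.
set -eu

SQUID_GW="${SQUID_GW:-10.0.0.10}"   # assumed address of the squid router
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the commands; 0 = execute them

# Run a command, or print it when dry-running (safe to try without root).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a dotted-quad IPv4 address with every octet in 0..255, so a
# typo in the gateway cannot leave the host with a broken default route.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for oct in $(printf '%s' "$1" | tr . ' '); do
        [ "$oct" -le 255 ] || return 1
    done
}

# Jason's suggestion: drop the VPC-supplied default route and make the
# squid router the default gateway for ALL traffic. The squid box must then
# forward (and NAT) the non-HTTP traffic itself, because the hosts no longer
# reach the AWS NAT gateway at all.
replace_default_route() {
    gw="$1"
    valid_ipv4 "$gw" || { echo "refusing bad gateway: $gw" >&2; return 1; }
    run ip route del default
    run ip route add default via "$gw"
}

# The original poster's approach (the per-client "iptables tricks" Jason
# wants to avoid): mark only outbound TCP 80/443 and send marked packets to
# the squid router through a second routing table; everything else keeps the
# VPC NAT gateway as its default route.
route_web_via_squid() {
    gw="$1"
    valid_ipv4 "$gw" || { echo "refusing bad gateway: $gw" >&2; return 1; }
    for port in 80 443; do
        run iptables -t mangle -A OUTPUT -p tcp --dport "$port" -j MARK --set-mark 1
    done
    run ip rule add fwmark 1 table 100
    run ip route add default via "$gw" table 100
}

# Usage: ./squid-routes.sh replace|web [apply]
# Without "apply" the commands are only printed; with no mode, nothing runs.
if [ "${2:-}" = apply ]; then DRY_RUN=0; fi
case "${1:-}" in
    replace) replace_default_route "$SQUID_GW" ;;
    web)     route_web_via_squid "$SQUID_GW" ;;
esac
```

Run it as `./squid-routes.sh replace` first to see exactly what would change, then `./squid-routes.sh replace apply` as root from the boot script. The gateway check matters because a bad `ip route add default via` on a host you only reach over the network is a self-inflicted lockout.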