
Transparent squid proxy



I'm attempting to get a transparent proxy working with Squid and NAT,
using Daniel's instructions (http://www.benzedrine.cx/transquid.html). 
Using a manual proxy on the clients, Squid works fine.  However, when I
try to do the transparent rdr, all requests get forwarded to the remote
server's port 3128, instead of http.  This behavior has been confirmed
via error pages, access.log, and tcpdump.

Most of the examples I've seen use bridging, rather than NAT, so I
wonder if the NAT/RDR combination is causing a glitch I'm not seeing. 
I've also seen conflicting evidence regarding the httpd_accel_port
setting.  Daniel's paper and the Squid documentation both suggest that
it should be set to 0, while some posts in the archive and the Linux
Transparent Proxy HOWTO say 80.  I've tried both, same effect.

Any help would be greatly appreciated.  TIA.

[network]
Internet <--> dc0/OpenBSD3.3/dc1 <--> 192.168.0.0/24

[/etc/squid/squid.conf]
#http_port 127.0.0.1:3128
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl our_networks src 192.168.0.0/24
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow our_networks
http_access deny to_localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
#icp_access allow all
coredump_dir /var/squid/cache
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

[pfctl -vsn | grep 3128]
rdr on dc1 inet proto tcp from any to any port = www -> 127.0.0.1 port 3128

[pfctl -vsr | grep 3128]
pass in on dc1 proto tcp from any to any port = 3128 modulate state


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
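As an added example that is not part of the original post, here is a small Python checker that parses the squid.conf directives and the pf rdr rule quoted above and cross-checks them. The expectations it reports are taken from the post's own settings (directive names and the 127.0.0.1:3128 redirect target); it deliberately does not decide between httpd_accel_port 0 and 80.

```python
import re

# Excerpt of the squid.conf and the pfctl output quoted in the post above.
SQUID_CONF = """\
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
"""
PF_RDR = "rdr on dc1 inet proto tcp from any to any port = www -> 127.0.0.1 port 3128"


def parse_squid(text):
    """Return {directive: value} for the first non-comment occurrence of each
    'name value' line (Squid 2.x style)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        conf.setdefault(name, value.strip())
    return conf


def parse_rdr(rule):
    """Extract the redirect target address and port from a pf 'rdr' rule."""
    m = re.search(r"->\s*(\S+)\s+port\s+(\d+)", rule)
    if not m:
        raise ValueError("not a pf rdr rule with a target port: " + rule)
    return m.group(1), int(m.group(2))


def check_transparent(squid_text, rdr_rule):
    """Cross-check the pf redirect against Squid's listener and accelerator
    settings. Returns a list of findings; an empty list means they agree."""
    conf = parse_squid(squid_text)
    target_addr, target_port = parse_rdr(rdr_rule)
    findings = []
    # http_port is either 'port' or 'addr:port'; the bind address decides exposure.
    bind_addr, _, listen_port = conf.get("http_port", "").rpartition(":")
    if int(listen_port or 0) != target_port:
        findings.append(f"rdr targets port {target_port} but Squid listens on {listen_port or 'none'}")
    if target_addr == "127.0.0.1" and bind_addr not in ("127.0.0.1", "localhost"):
        findings.append("rdr targets 127.0.0.1 but http_port is bound on all interfaces")
    for name, expected in (("httpd_accel_host", "virtual"),
                           ("httpd_accel_with_proxy", "on"),
                           ("httpd_accel_uses_host_header", "on")):
        if conf.get(name) != expected:
            findings.append(f"{name} is {conf.get(name)!r}, expected {expected!r}")
    return findings
```

With the post's configuration the only finding is that the redirect goes to 127.0.0.1 while http_port 3128 listens on every interface; uncommenting the `http_port 127.0.0.1:3128` line makes the checker silent.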


