Re: Transparent Proxy

From: Indra PRAMANA <indrapr@dont-contact.us>
Date: Wed, 9 Jun 1999 15:40:49 +0700 (WIB)

On Tue, 8 Jun 1999, Thilo Manske wrote:

> > > Case 1:
> > > Jun 8 17:26:17 proxy3 squid[249]: WARNING! Your cache is running out of
> > > filedescriptors
> > >
> > Simple overload, but might need kernel patch and rebuild,
> > or change of OS.
> No, for *BSD sysctl -w kern.maxfiles=<maxnumbers> is enough.

Yup, that's what we have done.

> But you have to reconfigure and rebuild squid after that since the maximum
> number squid uses is hardcoded into the binary.

This is what we haven't done. I thought doing sysctl -w was enough. Well,
I have re-compiled our Squid after I put sysctl -w kern.maxfiles=1000000,
and the error message no longer occurs. Is that crazy enough? :-)

> But since *BSD defaults are quite high (eg. >1700 for 32 users on NetBSD)
> I think something is going really wild here:
>
> > > Case 2:
> > > Jun 8 17:26:30 proxy3 squid[249]: WARNING: Forwarding loop detected for:
> IIRC a router made the redirection of port 80 to the squid.
> But if squid fetches through the router there must be an exception of the
> redirection rules for the squid box to prevent squid's fetches to "bounce"
> back from the router.

I have put the filter on our Cisco router, so the router will not redirect
the packets originating from our Squid box. I followed Duane's steps in the
Squid FAQ.

I put my access-list as follows:

access-list 110 deny tcp host X.X.X.X any eq www
access-list 110 permit tcp any any eq www

and my route-map as follows:

route-map TRANSPARENT-PROXY permit 10
 match ip address 110
 set ip next-hop X.X.X.X

where X.X.X.X is the IP address of my squid box. Does it mean that the
router will re-direct all www (port 80) packets to the squid box *except*
for packets originating from the squid box?

Thanks.

-ip-
Received on Wed Jun 09 1999 - 02:44:40 MDT
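
Added example, not part of the original message: a small Python model of how access-list 110 and the route-map above treat a packet, using first-match ACL evaluation with an implicit deny. The address 192.0.2.10 is a constructed stand-in for X.X.X.X, the function names are hypothetical, and only the rule form shown in the post is parsed.

```python
import ipaddress

SQUID = "192.0.2.10"  # constructed stand-in for X.X.X.X in the post

# The two ACL lines from the post, with the stand-in address filled in.
ACL_110 = f"""access-list 110 deny tcp host {SQUID} any eq www
access-list 110 permit tcp any any eq www"""

PORTS = {"www": 80}


def parse_acl(text):
    """Parse 'access-list N ACTION tcp (host IP|any) any eq PORT' lines only."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or tok[0] != "access-list":
            raise ValueError("unsupported line: " + line)
        action, proto, rest = tok[2], tok[3], tok[4:]
        if rest[0] == "host":
            src, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        elif rest[0] == "any":
            src, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        else:
            raise ValueError("unsupported source: " + line)
        if rest[:2] != ["any", "eq"] or len(rest) != 3:
            raise ValueError("unsupported destination: " + line)
        port = PORTS[rest[2]] if rest[2] in PORTS else int(rest[2])
        rules.append((action, proto, src, port))
    return rules


def acl_action(rules, proto, src_ip, dst_port):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for action, r_proto, src, port in rules:
        if proto == r_proto and ipaddress.ip_address(src_ip) in src and dst_port == port:
            return action
    return "deny"


def forward(rules, proto, src_ip, dst_port):
    """Model of the route-map: an ACL permit sets the next hop to the Squid box;
    an ACL deny leaves the packet to the normal routing table (no redirect)."""
    if acl_action(rules, proto, src_ip, dst_port) == "permit":
        return "next-hop " + SQUID
    return "normal routing"


RULES = parse_acl(ACL_110)

if __name__ == "__main__":
    for src, port in [(SQUID, 80), ("198.51.100.7", 80), ("198.51.100.7", 443)]:
        print(src, port, "->", forward(RULES, "tcp", src, port))
```

Entry order matters: with the two access-list lines swapped, the permit matches first and the Squid box's own fetches are sent back to it, which is the forwarding-loop condition from Case 2.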
