I finally got Squid working correctly for concurrent transparent
proxy (port 80) and non-transparent proxy (port 3128) under BSD/OS
4.0.1 with a ServerIron. I've run into a few issues I'm still trying
to finish working out with the Foundry folks - not to do with Squid,
more with issues about how VLANs work and how servers get assigned to
groups in their switch firmware - but I believe I've solved one problem
that was confusing me and affects anyone in this particular scenario.
The default rules given in the FAQ for IP filters are:
/etc/ipnat.rules:
# Redirect direct web traffic to local web server.
rdr de0 1.2.3.4/32 port 80 -> 127.0.0.1 port 80 tcp
# Redirect everything else to squid on port 8080
rdr de0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp
(where de0 is the ID of your physical Ethernet interface, and 8080 is
the port you're running Squid on.)
I *think* the first line, leaving presumed web traffic on port 80 and
not switching it to Squid, is interfering with the automatic "health
checks" that the ServerIron does on cache servers, and may be causing
the switch to think that the cache server is down (because it's not
responding to queries) and to refuse to route traffic to it. I'm not
completely sure on this, and haven't verified it with Foundry yet,
though I have some questions in to them, but it's a complex surprise
"gotcha" if so.
(Also, warning for anyone else running IP filters with BSD/OS - if
you're running BSD/OS 4+, and don't have full source, you need to get
patched object for certain files from the latest ip-filters beta
distribution. You also will need to change the major device number in
the device creation scripts. This was a bit more work than I'd
expected.)
-- Clifton
-- Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net
"An absolute monarch would be absolutely wise and good. But no man is strong enough to have no interest. Therefore the best king would be Pure Chance. It is Pure Chance that rules the Universe; therefore, and only therefore, life is good." - AC
Received on Wed Jun 30 1999 - 16:32:17 MDT
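As an added illustration (not part of the original post), a small Python model of how IPFilter evaluates the two FAQ rdr rules: NAT rules are matched top-down and the first match wins, so a probe addressed to the cache's own IP (1.2.3.4) on port 80 is handed to the local web server on 127.0.0.1:80 and never reaches Squid on 8080, while a request for any other destination does. The first-match assumption and the sample destination address 203.0.113.10 are mine, not from the post.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# One ipnat "rdr" rule in the form used by the Squid FAQ, e.g.
#   rdr de0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<net>\S+)\s+port\s+(?P<port>\d+)"
    r"\s+->\s+(?P<to_ip>\S+)\s+port\s+(?P<to_port>\d+)\s+(?P<proto>\w+)\s*$"
)

class RdrRule:
    def __init__(self, line: str):
        m = RDR_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rdr syntax: {line!r}")
        self.iface = m["iface"]
        self.net = ipaddress.ip_network(m["net"], strict=False)
        self.port = int(m["port"])
        self.target = (m["to_ip"], int(m["to_port"]))
        self.proto = m["proto"].lower()

    def matches(self, iface: str, dst_ip: str, dst_port: int, proto: str) -> bool:
        return (self.iface == iface and self.proto == proto.lower()
                and self.port == dst_port
                and ipaddress.ip_address(dst_ip) in self.net)

def load_rules(text: str) -> List[RdrRule]:
    # Skip blank lines and '#' comments; rule order is preserved because it matters.
    return [RdrRule(l) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]

def redirect(rules: List[RdrRule], iface: str, dst_ip: str, dst_port: int,
             proto: str = "tcp") -> Optional[Tuple[str, int]]:
    # Assumption: IPFilter NAT semantics, the first rdr rule that matches wins.
    for r in rules:
        if r.matches(iface, dst_ip, dst_port, proto):
            return r.target
    return None

# The two rules quoted from the Squid FAQ in the post above.
FAQ_RULES = load_rules("""
# Redirect direct web traffic to local web server.
rdr de0 1.2.3.4/32 port 80 -> 127.0.0.1 port 80 tcp
# Redirect everything else to squid on port 8080
rdr de0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp
""")

if __name__ == "__main__":
    # Constructed packets: a switch health check aimed at the cache's own
    # address, and a client request for an arbitrary origin server.
    print(redirect(FAQ_RULES, "de0", "1.2.3.4", 80))        # ('127.0.0.1', 80)
    print(redirect(FAQ_RULES, "de0", "203.0.113.10", 80))   # ('127.0.0.1', 8080)
    print(redirect(FAQ_RULES, "de0", "203.0.113.10", 443))  # None
```

Reversing the two rules makes the 0.0.0.0/0 rule swallow the probe as well, which is the quickest way to see why the FAQ orders them as it does.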