On Thu, 10 Dec 2009 01:55:48 +0500, "Asim Ahmed @ Folio3"
<aahmed_at_folio3.com> wrote:
> Hi,
>
FWIW, what you are talking about is NAT interception, not true
transparency.
I'm trying to get people to clean up the talk since Squid-3 is now moving
towards true 'tproxy' transparency plus NAT interception plus invisible
proxy plus anonymous proxy modes. It gets _really_ confusing when many
helpful responses come back assuming different particular modes.
> I need an expert opinion on best suitable setup for my requirement. I am
> running shorewall 4.4 on RHEL 5 for NATTING/FIREWALLING. I've installed
> SQUID-3.0STABLE20-1 on that same machine as well. Shorewall is
> REDIREC-ing port 80 traffic to squid. Currently Squid was running in
> transparent mode until I found that almost all users were having very
> frequent breaks in internet. I configured client browsers with
> squid-server address as http proxy with port squid was running on. This
> worked and internet problem solved.
> My question is that is that a common problem with squid running in
> transparent mode with shorewall?
Not sure. Only a few people have asked here about shorewall + Squid issues
in the last few years, the others were all solved by fixing configuration
problems.
Shorewall is just a very abstracted script wrapper for iptables-restore,
so there is no real reason why it should matter.
NAT interception has problems all of its own which you may be hitting
regardless of shorewall.
> When I've configured client browsers with http proxy address, now it is
> no more a transparent proxy, is it?
Correct.
> so should i change it to
> non-transparent mode?
Yes, you should not have the normal (configred) clients going to the same
port as intercepted requests.
I'm advising people who may need to retain the "transparent" mode to use a
random port for the interception requests. Doing so will prevent regular
proxy users from gaining access to the security bypass XSS vulnerabilities
in transparent mode. The high random port can be safely firewalled to
increase security. Only the firewall doing REDIRECT or DNAT and Squid need
to have access to it.
> What is the main advantage / drawback of running squid in
> transparent/non-transparent mode?
The big one is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0801
The smaller problems are additional processing of NAT, the regular NAT
issues with IP mapping and loss of IP information in transit, doubling DNS
load on the network (client does IP lookups, then squid does IP lookups),
and older HTTP/1.0 and HTTP/0.9 clients which don't send the Host header
being cut off from the Internet.
The benefits are that all the client software out there (still a lot)
which has no actual proxy support can still work if its only HTTP/1.0
enabled enough to send the Host header correctly.
Interception mode should be seen as a last-resort backup to the regular
configuration methods; manual configuration, and WPAD/PAC "transparent"
auto-configuration (yes, yet another meaning of the word "transparent").
Amos
Received on Wed Dec 09 2009 - 22:53:56 MST
This archive was generated by hypermail 2.2.0 : Thu Dec 10 2009 - 12:00:01 MST