On 10/12/10 02:37, BASDarchive wrote:
>
> On Dec 7, 2010, at 10:35 PM, Amos Jeffries wrote:
>
>> On Tue, 7 Dec 2010 19:35:08 -0500, BASDarchive
>> <basdarchive_at_beth.k12.pa.us>
>> wrote:
>>> On Dec 7, 2010, at 5:13 PM, Amos Jeffries wrote:
>>>
>>>> On 08/12/10 05:32, donovan jeffrey j wrote:
>>>>> greetings
>>>>>
>>>>> i recently updated my transparent proxy to sq 3.1.9, which also uses
>>>>> squidguard for url filters.
>>>>
>>>> First "best practice" is to use the right terminology.
>>> sorry i forgot we changed that ;)
>>>>
>>>> Your log traces says "Accepting intercepted HTTP connections at
>>>> 10.0.2.3:3128" So they are NAT interception connections.
>>>
>>> yes I am using NAT after Squid.
>>>
>>> client ---> [ squid ] ----> [ NAT ] --->
>>>
>>
>> ??
>> interception proxy is done with NAT before squid. Doing NAT on the
>> outside looping back into Squid could be causing the long waits you saw.
>>
>> clients<--> NAT snips --> World
>> \NAT<--> Squid<--> World
>
> thanks for the reply.
>
> So should I have my squid box after my firewall ? my clients access through the squid box and through the NAT firewall
>
> say client 10.10.1.1 ------- [ squid 10.10.1.2 --- 10.11.1.2 ] ---------------> [ NAT Firewall ] -------------> [ bgp router to internet ]
> ive had this setup for years. the 10.11.1.2 has a Static NAT translation so all clients pass through the squid.
>
It sounds like you are trying to describe a traffic flow of:
client --> 10.11.1.2 --/NAT/--> Squid --/NAT/--> Firewall ---> Internet
In order to do NAT interception (aka "transparent proxy") the relevant
DNAT or REDIRECT has to be done between the client and Squid.
The traffic going out from Squid has to void being looped back to Squid
but that is all that matters.
<snip>
>>>
>>> #no cache settings
>>> no_cache deny noc
>>> no_cache deny admin
>>> no_cache deny hs
>>> no_cache deny ms
>>> no_cache deny ele
>>> no_cache deny all
>>
>> "no_cache" has been renamed to "cache".
>
> so,
>
> i can use just cache deny all
Yes if you really want that.
>
>>
>> NP: Following a list of denials with "deny all" is a waste of CPU cycles.
>> The rules all collapse down to a single "deny all" action.
>>
>>>
>>> http_access allow manager localhost
>>> #http_access allow manager apache
>>> http_access allow noc
>>> http_access allow admin
>>> http_access allow hs
>>> http_access allow ms
>>> http_access allow ele
>>> http_access deny all
>>>
>>> #Squid's user and group
>>> cache_effective_user squid squid
>>
>> Only one entry on this line. Second one is dropped.
>
> which one is dropped ? should it only be "cache_effective_user squid "
Yes, it should be "cache_effective_user squid"
<snip>
>>
>> For NAT interception proxy in 3.1 it should now be this:
>>
>> http_port 3128
>> http_port 3129 intercept
>>
>> (3129 being some unusual port only known between NAT and Squid)
>
> so even this " http_port 10.0.1.2:3128 transparent " is outdated ?
>
Yes, the confusing "transparent" keyword is deprecated.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.9 Beta testers wanted for 3.2.0.3Received on Fri Dec 10 2010 - 03:28:03 MST
This archive was generated by hypermail 2.2.0 : Fri Dec 10 2010 - 12:00:01 MST