Re: [squid-users] Really transparent proxy

From: Chris Robertson <crobertson@dont-contact.us>
Date: Wed, 16 May 2007 14:45:34 -0800

Facundo Vilarnovo wrote:
> Chris,
>
> Thanks for your quick answer.
>

You are welcome, but please don't top-post. It makes referencing
messages in the archive much more difficult by ruining the flow of a
conversation.

> We've also tried that, now that you mention it, we are still trying a few combinations of the following lines.
>
> header_access Via deny all / none
> header_access X-Forwarded-For deny all / none
> via off / on / deny
> forwarder_for off / on / deny
>

Defining "header_access Via deny all" will prevent your Squid from
passing ANY Via headers. Also specifying "via on" (or "via off") is
superfluous. Same thing for "header_access X-Forwarded-For deny all".
Be sure you have not changed the definition of the "all" ACL. An
earlier post shows it intact.

>
> The best result we've got is that it is not detecting the proxy server... but it is still going out with proxy IPs.
>

I maintain, that is an odd result.

>
> Some conclusions left that we are studying are:
>
> -Our squid has only one nic, not two like lots of examples here. (eth0 + gre0)
>

If I'm not mistaken, gre0 is a virtual interface, not a physical one.

> -We are using REDIRECT in iptables instead of nat........has anything to do with that?
>

It might. Set the header_access denies I suggested, surf to
http://devel.squid-cache.org/cgi-bin/test with a proxied client and post
the first three lines of the results (source address, via, and forwarded
from).

> -We are trying transparently (not setting proxy con IE) and forcing it.......results are the same I guess?
>

This shouldn't make a difference in how a website perceives the
traffic. Just in how the browser requests it.

Chris
Received on Wed May 16 2007 - 16:45:40 MDT
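
An added example, not part of the original message or of Squid: a small local page that reports the same three values requested from the test URL above (source address, Via, forwarded-for), for checking what an origin server receives through the proxy. The function name `proxy_report`, the port and the output wording are assumptions of this example.

```python
"""Local stand-in for the header test page: report what an origin server sees."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Request headers that disclose an intermediary; Via and X-Forwarded-For are
# the two discussed in this thread.
PROXY_HEADERS = ("Via", "X-Forwarded-For")


def proxy_report(source_addr, headers):
    """Return (lines, disclosed) for one request.

    source_addr is the TCP peer address; header filtering on the proxy cannot
    change it. headers is a mapping of header name -> value, in any case.
    disclosed is True when a proxy-identifying header reached the origin.
    """
    seen = {name.lower(): value for name, value in headers.items()}
    lines = ["Source address: %s" % source_addr]
    disclosed = False
    for name in PROXY_HEADERS:
        value = seen.get(name.lower())
        # Squid's "forwarded_for off" sends the literal value "unknown":
        # the client address is hidden, but the header still marks a proxy.
        if value is not None:
            disclosed = True
        lines.append("%s: %s" % (name, value if value is not None else "(none)"))
    return lines, disclosed


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        lines, disclosed = proxy_report(self.client_address[0],
                                        dict(self.headers.items()))
        lines.append("Proxy headers present: %s" % ("yes" if disclosed else "no"))
        body = ("\n".join(lines) + "\n").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Port 8080 is an arbitrary choice for this example.
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

Run it on a host outside the proxy and request it from a proxied client; the first three lines of the response correspond to the three values asked for above.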
