On Wed, 26 Jan 2011 11:11:21 -0500, "Winfield Henry" wrote:
> Thanks for the input. I have managed to get it functioning by using a conf
> file from an alternate proxy. Looks like the difference is in the http_port
> line. To get this working it needed 'transparent'. Originally I did not put
> this in because the firewall was directing port 80 traffic to 3128 on the
> proxy box (evidently causing the issue with the broken url). We have a lot
The separate box setup means you cannot trust any IP address in your log
files to be 100% true. Squid performs a NAT lookup in the local kernel tables
when in NAT interception (aka "transparent") mode, and the result is used. The
fact that it works and logs the firewall as source IP when a separate box
is doing the NAT is a legacy hack which renders several security problems
undetectable. We will be fixing that soon.
> of 'frozen' desktops that are using the firewall as gateway and this can
> not be changed easily, so the rule was put in to send port 80 to 3128 on
> proxy, then allow proxy box outside access.
Solution:
* Make the firewall rule a routing rule to pass packets without NAT to
the proxy box.
* Make the proxy box perform the DNAT/REDIRECT. (TPROXY if possible would
be better)
* For the NAT part use a random dedicated port. It only needs to exist
between squid and the kernel, so it can be firewalled closed from the world.
Amos
Received on Wed Jan 26 2011 - 22:33:47 MST
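The three steps Amos lists above, written out as an added example that is not part of the original thread and not Squid project code. It is a dry-run shell script: RUN defaults to echo, so it only prints the iptables, ip and squid.conf lines; the addresses 192.168.1.0/24 and 192.168.1.2, the interface name eth0 and the intercept port 3129 are assumptions, and the `intercept` http_port flag is the Squid 3.1+ spelling of what older releases called `transparent`. The TPROXY variant Amos prefers is not shown.

```shell
#!/bin/sh
# Added example, not from the original thread: Amos's "route on the firewall,
# NAT on the proxy box, dedicated port" layout as a dry-run script.
# Addresses, interface and port below are assumptions; adjust for your network.
# RUN defaults to "echo" so nothing is applied; set RUN="" (as root) on the real
# firewall / proxy box to run the commands.

LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed client network
PROXY_IP="${PROXY_IP:-192.168.1.2}"      # assumed proxy box address
PROXY_IF="${PROXY_IF:-eth0}"             # assumed LAN-facing interface on the proxy box
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}" # dedicated port, known only to squid and the kernel
RUN="${RUN:-echo}"

# Step 1 (firewall box): pass port-80 packets to the proxy WITHOUT NAT, so the
# client source address and the server destination address reach the proxy intact.
firewall_rules() {
    # never mark the proxy's own outbound traffic, or it would loop back to itself
    $RUN iptables -t mangle -A PREROUTING -s "$PROXY_IP" -j RETURN
    $RUN iptables -t mangle -A PREROUTING -s "$LAN_NET" -p tcp --dport 80 -j MARK --set-mark 0x1
    # policy routing: marked packets use a table whose only route is "via the proxy"
    $RUN ip rule add fwmark 0x1 lookup 100
    $RUN ip route add default via "$PROXY_IP" table 100
}

# Steps 2 and 3 (proxy box): do the REDIRECT locally, onto a dedicated port, so
# squid's NAT lookup in the local kernel tables returns the real client and
# destination instead of the firewall's address.
proxy_box_rules() {
    # mangle PREROUTING runs before nat PREROUTING: a packet that arrives already
    # addressed to the intercept port came from the network, not from the REDIRECT
    # below, so drop it. This is the "firewalled closed from the world" part.
    $RUN iptables -t mangle -A PREROUTING -i "$PROXY_IF" -p tcp --dport "$INTERCEPT_PORT" -j DROP
    # the only way onto the intercept port: LAN port-80 traffic, redirected by this kernel
    $RUN iptables -t nat -A PREROUTING -i "$PROXY_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$INTERCEPT_PORT"
}

# Matching squid.conf lines: 3128 stays a plain port for browsers configured
# explicitly; the dedicated port gets the intercept flag ("transparent" before 3.1).
squid_conf() {
    printf 'http_port 3128\n'
    printf 'http_port %s intercept\n' "$INTERCEPT_PORT"
}

# usage: sh this.sh firewall   (on the firewall)
#        sh this.sh proxy      (on the proxy box; also prints the squid.conf lines)
case "${1:-}" in
    firewall) firewall_rules ;;
    proxy)    proxy_box_rules; squid_conf ;;
esac
```

The ordering inside proxy_box_rules matters: the mangle DROP only works because it is evaluated before the nat REDIRECT rewrites the destination port, so redirected packets still carry dport 80 when the DROP rule looks at them, while anything sent straight to 3129 from the outside is discarded.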