Re: Transparent Proxy

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 17 Jan 1998 02:37:57 +0100

joe shmo wrote:
 
> "this technique has several significant shortcomings!
> 2.Instead it prints raw IP addresses. This is because the destination
> address is determined with the getsockname(2) system call. This means the
> use of a parent or sibling doesn't work correctly anymore. The parent or
> sibling itself logs the URL by name not by IP address. These URLs are
> different so no cache HIT occurs. This means that you lose the benefit of
> reducing traffic in a caching hierarchy if you do transparent caching."

This needs to be updated, and is not true. Transparent proxying should always
use the Host: header if available. This requires a small patch to the current
Squid sources (see an earlier message on this list), and the following options
in squid.conf:
http_accel virtual 80
http_accel_uses_host_header on
 
> To make things even MORE interesting, my dialup users, my router, and squid
> are all on the same box, not to mention, I'm thinking of putting my web server
> on there too. My "internet feed" comes through via tun0, and my users use
> "slirp" because at one time, I didn't have enough IPs to go around, although
> there are a few users who actually DO get a real IP, the rest are faked
> (same IP as the internet link (tun0)). The machine does have a network card
> in it for the local LAN with another IP that could possibly get bound to
> something..?

If all your users are local on the machine (slirp == local program running on
the same machine) then you might have a very hard time to set up transparent
proxying, but I am not a FreeBSD guru so I can't tell. The problem is that
you need to redirect outgoing port 80 traffic to Squid somehow, and still let
the Squid process out on port 80.. in most other setups you redirect traffic
arriving on the inside interface to Squid, possibly combined with a router
hack if the Squid box can't be a router in the normal traffic path.

To make transparent proxying possible, you need to separate your slirp server
from the routing.. or build a highly modified slirp with a built in http proxy
using the local Squid as a parent.

---
Henrik Nordström
Sparetime Squid Hacker
Received on Fri Jan 16 1998 - 17:48:38 MST
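
The URL reconstruction discussed in the message above, as an added example that is not part of the original post and is not Squid's code: it rebuilds the absolute URL for an intercepted request, preferring the Host: header and falling back to the destination address that getsockname(2) would report. The function names, the `use_host_header` flag (standing in for the effect of http_accel_uses_host_header) and the sample requests are assumptions made for illustration.

```python
# Added illustration (not Squid source): how an intercepting proxy can
# rebuild the absolute URL for a request that arrived as "GET /path".

def parse_request(raw: bytes):
    """Split a raw HTTP request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def reconstruct_url(raw: bytes, dst_ip: str, dst_port: int = 80,
                    use_host_header: bool = True) -> str:
    """dst_ip/dst_port stand in for the getsockname(2) result on the
    redirected socket (hypothetical parameters for this example)."""
    _method, target, headers = parse_request(raw)
    if target.lower().startswith("http://"):
        return target  # already absolute: client is proxy-configured
    host = headers.get("host") if use_host_header else None
    if not host:
        # No usable Host: header, so only the raw destination IP is known.
        # A parent or sibling that stored the object by name will not match.
        host = dst_ip if dst_port == 80 else f"{dst_ip}:{dst_port}"
    elif host.endswith(":80"):
        host = host[:-3]  # drop the default port so URLs compare equal
    return f"http://{host.lower()}{target}"


# Constructed sample requests; 192.0.2.10 is a documentation address.
WITH_HOST = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
NO_HOST = b"GET /index.html HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for req in (WITH_HOST, NO_HOST):
        for flag in (True, False):
            print(flag, reconstruct_url(req, "192.0.2.10",
                                        use_host_header=flag))
```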
