Re: [squid-users] always_direct

From: Edward <edward@dont-contact.us>
Date: Thu, 28 Jun 2001 09:04:57 -0400

I will just let it pass through.

> > Or I will have to let his ip through out router since we doing
transparent
> > proxying?
>
> I don't fully understand this (too little info). Probably yes. At least
> you need to change the config of the redirector, whatever it is (router,
> firewall, ..., os of the squid host). If you have problems with that, ask
> someone knowing about the redirector (router, firewall, os of the squid
> host, ...) not the *squid* users list.

----- Original Message -----
From: "Dr. Michael Weller" <eowmob@exp-math.uni-essen.de>
To: "Edward" <edward@cariaccess.com>
Cc: "squid" <squid-users@squid-cache.org>
Sent: Thursday, June 28, 2001 8:55 AM
Subject: Re: [squid-users] always_direct

> On Thu, 28 Jun 2001, Edward wrote:
>
> > Ok.
> >
> > Let me see it I fully understand this param.
> >
> > Using always_direct will direct the customer straight to that site
without
> > squid proxying his connection. There by, he will be able to logged into
a
> > site running a firewall that is only looking for his address?
>
> No, you didn't sorry. Once squid deals with the connection (that means
> it receives the data from the client) it is too late for that.
>
> Squid already received the data. It could pass a 1-1 copy of them on, but
> then the squid machine would be the origin of the request (which won't
> work for you) and it would break certain protocol specs and what else.
>
> always_direct or never_direct control if *squid* will deal with the
> final destination site (direct) or may ask other caches/upstream proxies.
>
> Once the browser has opened a connection to squid you can't have squid
> automagically undo the connection and have the browser go direct without
> telling it.
>
> There are two solutions for you:
>
> a) You don't do or have to do transparent proxying. Then configure the
> browsers not to use the proxy for certain destination addresses.
>
> b) You insist on transparent proxying. Then you need to have a certain
> module, filter, firewall package etc. for your actual OS which is
> actually intercepting all outgoing http connections and forces them
> into the squid process. Squid can't do that itself, it is only
> able to unterstand the protocol of these connections although it
> differs from the http proxy protocol. You can also not intercept
> native FTP protocol downloads this way. The actual IP redirection
> is very OS specific and not http related and thus far beyond squids
> scope.
>
> This other, external, non-squid module, you need to configure
> NOT TO redirect certain source<->destination combinations of the
> http traffic.
>
> > Or I will have to let his ip through out router since we doing
transparent
> > proxying?
>
> I don't fully understand this (too little info). Probably yes. At least
> you need to change the config of the redirector, whatever it is (router,
> firewall, ..., os of the squid host). If you have problems with that, ask
> someone knowing about the redirector (router, firewall, os of the squid
> host, ...) not the *squid* users list.
>
> Michael.
>
> --
>
> Michael Weller: eowmob@exp-math.uni-essen.de,
eowmob@ms.exp-math.uni-essen.de,
> or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account
on
> any machine in the net, it's very likely it's me.
>
>
Received on Thu Jun 28 2001 - 07:02:28 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:00:52 MST