I am looking to set up a transparent intercepting proxy, where I use iptables to DNAT traffic on port 80 and redirect it to HAProxy, which in turn load balances to Squid for fulfillment. The DNAT to HAProxy works and the load balancing to Squid works, but Squid sees the request without the correct or full request.

the lovely and helpful Squid folks have said:

Whatever is receiving the packet from DNAT has to also translate the HTTP layer messages from origin relative-URI format to intermediary absolute-URI format.

While I understand what is being said, I don't know how to implement this in HAProxy. Where do I go for more info on how to set this up in HAProxy? Any help is greatly appreciated.

TIA,

brendan

-------- Forwarded Message --------
Subject:        Re: [squid-users] intercepting traffic
Date:   Fri, 20 Nov 2015 17:12:02 +1300
From:   Amos Jeffries <squ...@treenet.co.nz>
To:     squid-us...@lists.squid-cache.org



On 20/11/2015 1:09 p.m., Brendan Kearney wrote:
> when i put in just the DNAT that sends the traffic to the proxy VIP and
> load balances the requests to the squid instances on port 3128 (not the
> intercept port), i issue a curl command:
>
> curl -vvv --noproxy squid-cache.org http://squid-cache.org/
>
> and get an error page saying:
>
> ...
> <p>The following error was encountered while trying to retrieve the URL:
> <a href="/">/</a></p>
>
>
> is the DNAT stripping header info, such as the Host header, or am i
> still missing something?

HTTP != TCP/IP ... DNAT is only changing the IP:port details.

Whatever is receiving the packet from DNAT has to also translate the
HTTP layer messages from origin relative-URI format to intermediary
absolute-URI format.

That rule-of-thumb "MUST rule" you mentioned earlier is about those two
DNAT and HTTP translation operations being required to be done together
on the same machine. It is not limited to Squid. It could be HAProxy or
some other LB software responsible for doing it.

Squid is just the only software which actually tells you up front about
the issue, instead of leaving other software later on down the transfer
chain (possibly in somebody else's network) to break with errors like you
see above.

Amos

_______________________________________________
squid-users mailing list
squid-us...@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
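An added example of the HTTP-layer translation Amos describes, done in HAProxy rather than Squid. This is not configuration from either the thread or the HAProxy project; the VIP address, the listening port, and the two Squid backend addresses are made-up placeholders. It assumes HAProxy 1.6 or later (where `http-request set-uri` exists), that the iptables DNAT rule sends port-80 traffic to the `bind` address below, and that Squid listens on 3128 as a plain forward proxy, so it expects an absolute-URI request line such as `GET http://squid-cache.org/ HTTP/1.1` rather than the origin-form `GET / HTTP/1.1` that the browser sent.

```haproxy
# Added example (not from the thread): rebuild the request line so that a
# forward-proxy Squid on 3128 receives absolute-URI form after iptables DNAT.
frontend intercept_http
    # Hypothetical VIP:port that the iptables DNAT rule points at.
    bind 10.0.0.1:8080
    mode http

    # DNAT discarded the client's original destination address, so the Host
    # header is the only thing left that names the origin server. A request
    # with no Host header cannot be rebuilt safely; refuse it rather than
    # forward an ambiguous request to Squid.
    http-request deny if !{ req.hdr(host) -m found }

    # Origin-form "GET /path?q HTTP/1.1" -> "GET http://host/path?q HTTP/1.1".
    # %[url] is the request-line URI as received (path plus query).
    # Only rewrite when the URI starts with "/", so a client that is already
    # configured to use this port as an explicit proxy (absolute-URI form)
    # does not get "http://" prepended twice.
    http-request set-uri http://%[req.hdr(host)]%[url] if { url_beg / }

    default_backend squid_pool

backend squid_pool
    mode http
    balance roundrobin
    # Squid's follow_x_forwarded_for / logging can use this to see the real
    # client address instead of the HAProxy VIP.
    option forwardfor
    # Hypothetical Squid instances, each with a plain (non-intercept)
    # http_port 3128 in squid.conf.
    server squid1 10.0.0.11:3128 check
    server squid2 10.0.0.12:3128 check
```

With this in place the curl from the thread (`curl -vvv --noproxy squid-cache.org http://squid-cache.org/`) arrives at Squid as `GET http://squid-cache.org/ HTTP/1.1` and is fulfilled as a normal forward-proxy request. Two points worth checking: the DNAT must only redirect traffic from the client network, never HAProxy's or Squid's own outbound connections, or the rewritten request will loop back through the VIP; and because the origin is taken from a client-supplied Host header, any Squid access controls (`dst`, `dstdomain`) should be written on the assumption that the header, not the original IP packet, decides where the request goes.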