On Thu, 03 Dec 2015 07:40:03 -0500 Brendan Kearney <[email protected]> wrote:
> I am looking to set up a transparent intercepting proxy, where I use
> iptables to DNAT traffic on port 80 and redirect it to HAProxy and in
> turn load balance to Squid for fulfillment. The DNAT to HAProxy works
> and the load balance to Squid works, but Squid sees the request without
> the correct or full request.
>
> The lovely and helpful Squid folks have said:
>
> Whatever is receiving the packet from DNAT has to also translate the
> HTTP layer messages from origin relative-URI format to intermediary
> absolute-URI format.
>
> While I understand what is being said, I don't know how to implement
> this in HAProxy. Where do I go for more info around how to set this up
> in HAProxy? Any help is greatly appreciated.

The content of a proxy request is like this:

GET http://www.google.com/my-search HTTP/1.1
headers: ...

The content of an HTTP request without a proxy is like this:

GET /my-search HTTP/1.1
Host: www.google.com
headers: ...

Squid expects the first form, but when it is used as a transparent proxy, it
accepts the second form (maybe it is a good idea to confirm this information).
Maybe you must configure Squid as a transparent proxy, even if its only client
is HAProxy.

Thierry

> TIA,
>
> brendan
>
> -------- Forwarded Message --------
> Subject: Re: [squid-users] intercepting traffic
> Date: Fri, 20 Nov 2015 17:12:02 +1300
> From: Amos Jeffries <[email protected]>
> To: [email protected]
>
> On 20/11/2015 1:09 p.m., Brendan Kearney wrote:
> > when I put in just the DNAT that sends the traffic to the proxy VIP and
> > load balances the requests to the squid instances on port 3128 (not the
> > intercept port), I issue a curl command:
> >
> > curl -vvv --noproxy squid-cache.org http://squid-cache.org/
> >
> > and get an error page saying:
> >
> > ...
> > <p>The following error was encountered while trying to retrieve the URL:
> > <a href="/">/</a></p>
> >
> > is the DNAT stripping header info, such as the Host header, or am I
> > still missing something?
>
> HTTP != TCP/IP ... DNAT is only changing the IP:port details.
>
> Whatever is receiving the packet from DNAT has to also translate the
> HTTP layer messages from origin relative-URI format to intermediary
> absolute-URI format.
>
> That rule-of-thumb "MUST rule" you mentioned earlier is about those two
> DNAT and HTTP translation operations being required to be done together
> on the same machine. It is not limited to Squid. It could be HAProxy or
> some other LB software responsible for doing it.
>
> Squid is just the only software which actually tells you up front about
> the issue, instead of leaving other software later on down the transfer
> chain (possibly in somebody else's network) to break with errors like you
> see above.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> [email protected]
> http://lists.squid-cache.org/listinfo/squid-users
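The translation Amos describes, origin-form ("GET /my-search" plus a Host header) into absolute-form ("GET http://www.google.com/my-search"), can be done in HAProxy itself with `http-request set-uri`, which is what the thread never spells out. The configuration below is an added example written for this page; it is not code from the thread, from HAProxy or from Squid. The VIP address, bind port, backend names and Squid server addresses are assumptions for illustration, and the Squid instances are assumed to listen on their ordinary forward-proxy port (3128), not an `intercept` port.

```haproxy
# Added example (not from the thread): HAProxy frontend that receives the
# DNATed port-80 traffic and rewrites each origin-form request line into
# absolute-form before load balancing it to Squid's forward-proxy port.
# Addresses, ports and names below are assumptions for illustration.

global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend intercept_http
    # iptables DNAT delivers the intercepted port-80 packets here (assumed VIP)
    bind 192.0.2.10:8080

    # Intercepted browser traffic arrives in origin-form, e.g.
    #   GET /my-search HTTP/1.1
    #   Host: www.google.com
    # A request line starting with "/" identifies that form; absolute-form
    # requests (already "http://...") and CONNECT requests are left alone.
    acl origin_form  url_beg /
    acl has_host     req.hdr(host) -m found

    # Without a Host header there is nothing to build the absolute URI from,
    # so refuse the request here (HAProxy answers 403 by default) instead of
    # forwarding a request Squid can only reject with an error page.
    http-request deny if origin_form !has_host

    # Rewrite to the absolute-form Squid expects on its forward-proxy port:
    #   GET http://www.google.com/my-search HTTP/1.1
    # %[url] is the original path plus query string; the Host header stays in
    # place because a proxied request carries it as well.
    http-request set-uri http://%[req.hdr(host)]%[url] if origin_form has_host

    default_backend squid_pool

backend squid_pool
    balance roundrobin
    # Squid's plain forward-proxy listeners (http_port 3128), not an intercept
    # port; the DNAT happened on the HAProxy host, so Squid cannot look it up.
    server squid1 192.0.2.21:3128 check
    server squid2 192.0.2.22:3128 check
```

To check the rewrite, send a request straight at the VIP from a client on the same network, for example with curl and an explicit Host header for the assumed 192.0.2.10:8080 bind, and watch Squid's access.log: the logged URL should now be the full http://host/path form rather than the bare "/" that produced the error page quoted above. The `url_beg /` guard matters in practice: if the same frontend ever receives a request that is already in absolute-form, an unconditional `set-uri` would prepend a second scheme and host and produce a malformed URI.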

