Re: Transparent Proxy

From: Q <q@dont-contact.us>
Date: Sat, 17 Oct 1998 12:30:41 +1000 (EST)

On Fri, 16 Oct 1998, Irfan Akber wrote:

> >
> > My dial-up users all use 3Com and Livingston Network Access Devices, which
> > have the ability to specify a default gateway. Am I correct in my
> > assumption that I would simply need to change the default gateway to
> > specify my Squid server?
>
> No. Does the machine running Squid have interfaces on both subnets, in
> order to be able to route between the two? If it does, then that machine would
> be the default gateway. But you still require a mechanism to redirect web
> traffic to the proxy server. That can be done using the Cisco router. I don't

If the traffic is being routed by the machine running squid then you don't
need a mechanism to redirect the traffic. This is done by ip-filter before
the traffic gets passed on to the router. So essentially if you can turn
the squid box into an intermediate router then you don't need the
cisco to do policy routing.

> know how because I have not worked on Cisco, but the lines are there in the
> FAQ. In order to do transparent proxy the web traffic has to be diverted to
> the proxy port of your squid. Simply redirecting would not achieve
> anything.

The following ip-filter rule on the squid box (acting as a router) does
exactly that.

rdr de0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp

> > If the above assumption is correct, this would mean all of my dial-up
> > user's packets would be flowing through my FreeBSD Box, correct?
>
> Yes if it has both interfaces and is setup to do IP forwarding. But that
> would not serve the purpose.

I disagree.

> > # Redirect direct web traffic to local web server.
> > rdr de0 1.2.3.4/32 port 80 -> 127.0.0.1 port 80 tcp
>
> This is if you have a web server running on the local machine which is doing
> IP forwarding and is a gateway between different nets.
>
> > # Redirect everything else to squid on port 8080
> > rdr de0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp
> > </FAQ>
>
> These lines forward the web traffic to the local machine which is also
> running squid. Obviously your setup is different as you are running squid on
> a separate machine. I wonder why the writer thinks every service is running
> on the same machine which is working as a router for different subnets. One

The rules are intended to allow a web server to be run on the squid
machine for whatever reason. How the packets get to the squid machine is
up to the reader to determine. Nothing in the FAQ says the machine HAS to
be a gateway, and in fact the rules were taken from my caches which
receive policy routed traffic.

> single machine just can't take such a load e.g. 100 users on one net.
> squid if their browsers are configured).

That would all depend on how they were spec'ed.

If you have too much work being done by one machine then you add another.
A simple solution would be to have half your access servers default route
to one cache, and the other half point to a second.

> > Those lines above make little sense to me. What would be the
> > configuration to only proxy port 80, and redirect everything else to my
> > Cisco Router?
>
> As explained earlier, the gateway between two or more nets will forward all
> the traffic by default to the router; only the web will be redirected by the
> router. In fact you don't even need a FreeBSD router if you are implementing
> this on the router. Tell me if you find a software solution.

I thought this was supposed to be an all software solution?

Seeya...Q

Quinton Dolan - q@fan.net.au
Systems Administrator
Fast Access Network
Gold Coast, QLD, Australia
Ph: +61 7 5574 1050
SAGE-AU Member
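The two FAQ rdr rules quoted in this message only work as intended because ipnat applies the first matching NAT rule, so the 1.2.3.4/32 rule for the local web server must come before the 0.0.0.0/0 catch-all that sends everything else to squid on 8080. The following Python model of that first-match behaviour is an added example, not code from the thread, the Squid FAQ or IPFilter; the interface name de0 and host 1.2.3.4 are taken from the quoted rules, and the client destination addresses in the test are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rdr:
    """One ipnat rule of the form: rdr <if> <net> port <p> -> <host> port <p> tcp"""
    iface: str
    dst_net: ipaddress.IPv4Network
    dst_port: int
    to_host: str
    to_port: int


def parse_rdr(line: str) -> Rdr:
    # Only the rdr syntax used by the FAQ is understood here, e.g.
    #   rdr de0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp
    t = line.split()
    if len(t) != 10 or t[0] != "rdr" or t[5] != "->" or t[9] != "tcp":
        raise ValueError(f"unsupported rule: {line!r}")
    return Rdr(t[1], ipaddress.ip_network(t[2], strict=False),
               int(t[4]), t[6], int(t[8]))


def apply_rdr(rules, iface, dst_ip, dst_port):
    """Return the (host, port) a TCP packet is delivered to.

    Assumed ipnat semantics: rules are tried in order and the first match
    wins; a packet no rule matches is forwarded unchanged, which is what
    happens to all non-port-80 traffic on the squid box.
    """
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.iface == iface and ip in r.dst_net and r.dst_port == dst_port:
            return (r.to_host, r.to_port)
    return (dst_ip, dst_port)


# The two rules quoted from the FAQ, in the order the FAQ gives them.
FAQ_RULES = [parse_rdr(l) for l in """
rdr de0 1.2.3.4/32 port 80 -> 127.0.0.1 port 80 tcp
rdr de0 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp
""".splitlines() if l.strip()]

if __name__ == "__main__":
    for dst in ("1.2.3.4", "198.51.100.7"):   # constructed destinations
        print(dst, "->", apply_rdr(FAQ_RULES, "de0", dst, 80))
    # Swapping the rules sends the local web server's traffic to squid too.
    print("swapped:", apply_rdr(list(reversed(FAQ_RULES)), "de0", "1.2.3.4", 80))
```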
Received on Fri Oct 16 1998 - 20:12:23 MDT
