Cdrack wrote:
> Tnx for the reply, I will test it. I just have one more question.
>
> My setup is like this. On my proxy server, i have eth0 connected to the
> internet and eth1 connected to the Lan.
>
> My question is, if the request for the website comes from my local Lan and
> the iptables rule is intented to not allow squid to intercept that
> particular website request, how is the web request handlled? How the request
> comming from eth1 will make its way to eth0 ---> website ---> and reply back
> to eth0 and send that back to the user in the eth1 network.?
>
> As i said i have not tested this yet, but i would like to understand a
> little about how this works.
Normally requests go through your routing logic as packets and straight
connections between client and web server. Your control boxes are
concerned only for packet routing.
When you added NAT interception it diverted all their requests to Squid.
So the client is then unknowingly speaking to Squid which must fake
being a web server for it and do a lot of processing to generate a
second connection from Squid to the real server or load stuff from cache
and send the result back to the client in the faked connection through
NAT again in reverse.
These rules are exemptions from the intercept, returning certain
sources/destinations to normal Internet behavior. The requests are
simply following their natural path from client->server and back again.
Amos
>
> Tnx for the help.
>
>
> Amos Jeffries-2 wrote:
>> Cdrack wrote:
>>> Hi Amos,
>>> Could you please explain what should by placed instead of ¨squid¨?
>> -A squid is a local custom chain name in my iptables.
>>
>> It's created by:
>> iptables -t nat -N squid
>> iptables -t nat -A PREROUTING --protocol tcp --dport 80 -j squid
>>
>>
>>> I ran this
>>> iptables -t nat -A squid -j DNAT --to-destination 10.0.0.1:81
>>> But i get this message:
>>> iptables: No chain/target/match by that name
>>>
>>> Seems to me that the ¨-A squid¨ part is what is not working for me.
>>>
>>> I have the exact same problem as the guy that opened this thread.
>>>> If I understand you correctly you want requests sent to a particular
>>>> site
>>>> not even to enter Squid yes?
>>> This is correct for me, i want to allow the browser to retrieve the
>>> website
>>> without passing thru squid.
>>>
>>> Tnx for your prompt reply.
>>>
>>>
>>> Amos Jeffries-2 wrote:
>>>>> Hi Folks,
>>>>>
>>>>> I need a specific site to completely bypass my squid cache due to a
>>>>> broken
>>>>> external webapp.
>>>>>
>>>>> I have read the section "how do I configure Squid not to cache a
>>>>> specific
>>>>> server?" from the wiki, which I can implement with no issues, but what
>>>>> I
>>>>> am not sure is what this will actually do :)
>>>>>
>>>>> Will this allow traffic to pass through squid without caching it, or
>>>>> will
>>>>> this block the site for users?
>>>> The bit that says to configure "cache deny" ?
>>>> Simply prevents storage of the request/reply objects as they go through
>>>> Squid.
>>>>
>>>> If I understand you correctly you want requests sent to a particular
>>>> site
>>>> not even to enter Squid yes? once they enter squid there is no
>>>> bypassing,
>>>> so it must be done at the firewall.
>>>> For such sites I use a custom chain a bit like this to decide of the
>>>> request is intercepted or not (all the lines ending in ACCEPT, are not
>>>> intercepted):
>>>> iptables -t nat -A squid -s 10.0.0.1 -j ACCEPT
>>>> ...
>>>> iptables -t nat -A squid -j DNAT --to-destination 10.0.0.1:81
>>>>
>>>> You want something like:
>>>> iptables -t nat -A squid -d ip-of-website-to-permit -j ACCEPT
>>>> in your list of bypasses.
>>>>
>>>> Amos
>>>>
>>>>
>>>>
>>
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
>> Current Beta Squid 3.1.0.7
>>
>>
>
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15 Current Beta Squid 3.1.0.7Received on Sun May 10 2009 - 04:53:59 MDT
This archive was generated by hypermail 2.2.0 : Sun May 10 2009 - 12:00:01 MDT