Hi Amos,
Thanks for the reply.
My Squid is 3.1.19. I am trying to use OpenFlow to automate the
deployment of Squid in my organization. When the OpenFlow controller
sees a new HTTP packet, it modifies it's destination IP and port to
that of Squid and sends it back. Thus, I expected I will not need
iptable rules here.
I am a bit confused about how Squid does DNAT. Can you point me to
some document?
Thanks
On Wed, Jul 25, 2012 at 8:11 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 26.07.2012 13:54, Abhishek Chanda wrote:
>>
>> Hi all,
>>
>> I observed two more things:
>> 1. I ran wireshark on the Squid box and observed that the client is
>> looking for a service called ndl-aas on port 3128. But no such service
>> is running on the system.
>
>
> Normal if your /etc/services is listing the IANA registrations instead of
> the SANS registrations.
>
> You can change the port 3128 entry in that file to "http-proxy" to make it
> show Squid clearer.
>
>
>> 2. netstat shows that Squid listens on IPV6 addresses (shows tcp6 for
>> port 3128).
>>
>> Are these normal and expected?
>
>
> Normal for IPv6-enabled Squid.
>
>
>>
>> Thanks
>>
>>
>> On Wed, Jul 25, 2012 at 5:26 PM, Abhishek Chanda wrote:
>>>
>>> Hi all,
>>>
>>>
>>> I am trying to setup a topology like the one shown below where Squid
>>> will be a transparent proxy. I have a restriction so that I cannot use
>>> iptables to redirect traffic to Squid. So, there is a daemon in Box
>>> that captures http traffic from Client and re-writes its Destination
>>> IP to point to Squid and destination port to 3128. All boxes can
>>> access each other. The problem is, I ran tcpdump on all boxes and I do
>>> see traffic arriving at Squid, but Squid does not register a MISS or
>>> HIT. The actual data still comes from Apache. Do I need to re-write
>>> any HTTP header or some other configuration for this?
>>>
>>> Client ------- Box ------- Squid --------- Apache
>>>
>>> Thanks
>
>
> Squid version?
>
> Squid requires some way to determine that the mapping has taken place, and
> to identify what the original details were.
> The standard NAT functionality on your box usually provides this for DNAT
> via socket options.
>
> Question is why you can't use the built-in software?
>
> Amos
>
Received on Thu Jul 26 2012 - 04:50:19 MDT
This archive was generated by hypermail 2.2.0 : Thu Jul 26 2012 - 12:00:02 MDT