Re: [squid-users] Re: Three questions about Squid configuration

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 16 Jul 2014 23:31:42 +1200

On 16/07/2014 9:23 a.m., Nicolás wrote:
> Thanks! That would indeed cover the first issue :-) I initially used
> redirect because somewhere I read that it's not a good idea forwarding
> the traffic directly to the port where squid listens and it should be
> pointed to another port instead and then redirected.

Sounds like you read one of my explanations and did not quite get it.
Hope this helps clarify:

That is all true regarding *intercepted* port 80 traffic. The traffic
which is actually destined to a webserver directly.

For traffic such as your testing with (CONNECT etc) on non-80 ports the
traffic is destined to a proxy. So the NAT IP addressing does not matter
and the security checks on the interception do more harm than good.

This is why you should keep the ports separate. Because the traffic on
port 80 and the traffic destined to a proxy are quite different beasts.

> However, working as
> this, it would be enough to set a firewall policy to permit just the
> client range of IPs. Let's see whether I can solve the second issue too...
>

Yes, if I am understanding you that firewall policy should be needed
regardless of whether you are dealing with explicitly configured clients
or intercepting the port 80 traffic.

Amos
Received on Wed Jul 16 2014 - 11:31:58 MDT
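A minimal squid.conf fragment illustrating the port separation and client-range restriction Amos describes, added here as an example and not taken from the thread or from Squid's own documentation; the port numbers 3128/3129, the 192.168.1.0/24 client range, and the iptables rules in the comments are assumptions:

```conf
# --- Explicitly configured clients (browser proxy settings, CONNECT, etc.) ---
# Traffic arriving here is addressed to the proxy itself, so no NAT lookup
# and no interception security checks are involved.
http_port 3128

# --- NAT-intercepted port 80 traffic only ---
# Traffic arriving here was originally addressed to a web server; the
# "intercept" flag tells Squid to recover the real destination via NAT and
# to apply the Host-header validation appropriate for intercepted requests.
# Never point explicit clients at this port, and never redirect port 80 to 3128.
http_port 3129 intercept

# Assumed client range. Only these addresses may use either port.
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all

# Matching firewall rules on the Squid host (assumed; run as root, not part of squid.conf):
#
#   # Drop connections made directly to the intercept port; mangle PREROUTING
#   # runs before nat PREROUTING, so only un-redirected packets still carry dport 3129 here.
#   iptables -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
#
#   # Redirect port 80 from the client range to the intercept port, not to 3128.
#   iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3129
#
#   # Explicit proxy port: permit the client range only, as the thread's firewall policy requires.
#   iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 3128 -j DROP
```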