On 2013-06-02 2:35, Loïc BLOT wrote:
> Hello rob,
> I'm using squid since 3.1 on OpenBSD 5.2 with compiled sources (squid
> 3.2.5-9 and 3.3.4 at this time). I don't use an IP but the http_port
> 3129 as my configuration suggests:
>
> http_port 3128
> http_port 3129 intercept
>
> And I have those rules in my PF:
>
> pass in quick proto tcp to { 10.X.1.1 10.X.1.2, 10.X.1.3 } port { $squid_port $squid_intercept_port http }
> pass in quick inet proto tcp from { <personnel> <captiveportal_auth> } to any port { 80 8080 } rdr-to 10.X.1.1 port $squid_intercept_port
>
> And all works perfectly :). I haven't tested on 5.3 because the BCM5720,
> which are disabled on 5.2, are enabled and cause problems on my second
> squid server... but I don't think this causes a problem.

As a forward proxy or a reverse proxy? There's no way a Squid 3.2+
installation should work with rdr-to, unless:
- the sources were modified to disable the security check described by
Amos in
http://www.squid-cache.org/mail-archive/squid-users/201208/0374.html;
- or the destination IP of the requests matches the IP of the requested
web server (reverse proxy, internal web server, or something).
Amos spelled out the code change in 3.2+ in the mail post above. rdr-to
rewrites the destination IP in the request. If Squid receives a request
for a host (e.g. a get request for / on www.google.com), and the DNS
lookup for the requested host does not match the destination IP of the
request (e.g. the request was rdr-to'd 10.5.1.1), then Squid will refuse
to forward the request to www.google.com.
I can accept that maybe there's something going on that I still don't
understand that's causing my particular configuration to require the
listening IP in the http_port setting -- although I doubt it, I'm very
very close to the configuration in the official Squid documentation at
this point -- but I understand the rdr-to problem well enough now to
assert that it won't work as intended except in a few specific cases.
- R.
--
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278
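The destination-IP check Rob describes (Host header must resolve to the address the client actually connected to) can be modelled in a few lines. This is an added illustration, not Squid's own code; the DNS answers and the 74.125.0.x addresses are constructed, and the 10.5.1.1 rdr-to address is the one quoted above.

```python
from dataclasses import dataclass

# Constructed DNS answers standing in for Squid's own lookups.
FAKE_DNS = {
    "www.google.com": {"74.125.0.1", "74.125.0.2"},   # constructed
    "intranet.example": {"10.5.1.1"},                # constructed: a real web server on the proxy IP
}


@dataclass
class InterceptedRequest:
    dst_ip: str       # destination IP Squid sees on the intercepted TCP socket
    dst_port: int     # destination port Squid sees on that socket
    host_header: str  # Host: header the client sent


def resolve(host):
    """Stand-in for a DNS lookup; returns the set of addresses (possibly empty)."""
    return FAKE_DNS.get(host, set())


def host_verification(req):
    """Simplified model of the Squid 3.2+ intercept host-verification rule.

    Returns (forward, reason). The request is forwarded only when the Host
    header resolves to the IP the client connected to; the model also
    compares the port carried in the Host header, if any, with the
    intercepted port (a simplification of the real check).
    """
    host, _, port = req.host_header.partition(":")
    if port and int(port) != req.dst_port:
        return False, "port in Host header differs from intercepted port"
    if req.dst_ip in resolve(host):
        return True, "Host header resolves to the original destination"
    return False, "Host header forgery detected: %s does not resolve to %s" % (host, req.dst_ip)


if __name__ == "__main__":
    # rdr-to rewrote the destination to the proxy itself: check fails.
    print(host_verification(InterceptedRequest("10.5.1.1", 80, "www.google.com")))
    # Original destination preserved (e.g. the real server IP): check passes.
    print(host_verification(InterceptedRequest("74.125.0.1", 80, "www.google.com")))
    # Reverse-proxy style case: the requested host really lives at 10.5.1.1.
    print(host_verification(InterceptedRequest("10.5.1.1", 80, "intranet.example")))
```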