When using Squid as an HTTP accelerator, configure the host name and the port you want the proxy to accelerate. This prevents Squid from being used as an arbitrary HTTP relay. When using Squid in accelerator mode as a transparent proxy, set the host name to virtual and the port to whichever port you want a transparent proxy for.
Intercept and/or redirect the traffic to the chosen port. Having the proxy on the same machine as the interceptor is preferable. The code example uses iptables as the redirection mechanism, and port 8080 as the proxy's http_port.
# Proxy on another box (10.0.3.1 here): destination NAT to the proxy's http_port
iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 80 -j DNAT --to 10.0.3.1:8080
# Proxy on the intercepting box itself: redirect locally to the proxy's http_port
iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 80 -j REDIRECT --to-port 8080
In the squid.conf file, configure these options:
httpd_accel_host virtual
httpd_accel_port 80 (or whatever port you want to proxy)
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Note that you cannot transparently proxy more than one port at a time. The HTTP headers do not contain port information, so Squid cannot tell which port the request was intended for once the request has been intercepted.
· You can lose the source address of the request if the proxy box isn't also the traffic interceptor. You can correct this by using destination NAT instead of packet redirection, and making sure the proxy routes all traffic back through the intercepting box, including traffic to its clients. (Alternatively, ensure that the proxy is the intercepting box.)
· Some browsers are unable to refresh content through a transparent proxy. The client fails to send cache coherence headers, because it assumes it is talking to the web server and that there is no proxying or caching agent (including web accelerators) in between. Users of these browsers will have problems, and those problems will end up at the IT help desk.
There is no known correction for this problem, other than not using these browsers with any sort of proxying or caching agent.
· It is cheaper in CPU cycles and memory to have the browser explicitly configured to use a proxy, than it is to redirect traffic. It is cheaper in CPU cycles and memory to block port 80 than it is to redirect traffic. Blocking has less overhead than redirection, and can force people to use a proxy.
The most common reason to use transparent proxying is to reduce the setup load for web browsers. System administrators need to be aware of the common problems of transparent proxies, and determine whether they are appropriate in their environments. If the end users are using browsers that are known to behave well with transparent proxies, and the machine designated as the proxy is capable of handling the load, a transparent proxy can be an effective solution.
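The following script, added here as an example and not part of the original article, ties the interception rule and the squid.conf accelerator options together. It chooses REDIRECT when Squid is on the intercepting box and DNAT when it is elsewhere, enforces the single-port limitation noted above, and prints the commands rather than running them so the output can be reviewed before it is applied. The interface, port and proxy address values are assumed parameters; the exclusion of the proxy's own outbound packets in the DNAT case is an assumption beyond the article.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the iptables
# interception rule and the squid.conf accelerator options for one port.

# intercept_rule IFACE PORT PROXY_IP PROXY_PORT
# Empty PROXY_IP means Squid runs on the intercepting box: use REDIRECT.
# Otherwise use destination NAT to the proxy box (see the caveat above
# about routing the proxy's traffic back through the intercepting box).
intercept_rule() {
    iface=$1; port=$2; proxy_ip=$3; proxy_port=$4
    if [ -z "$proxy_ip" ]; then
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-port %s\n' \
            "$iface" "$port" "$proxy_port"
    else
        # Assumption beyond the article: exempt packets sent by the proxy
        # itself so its own fetches from origin servers are not DNATed back
        # to it when they cross the intercepting box.
        printf 'iptables -t nat -A PREROUTING -i %s ! -s %s -p tcp --dport %s -j DNAT --to %s:%s\n' \
            "$iface" "$proxy_ip" "$port" "$proxy_ip" "$proxy_port"
    fi
}

# accel_config PORT: the four squid.conf options from the article.
accel_config() {
    printf 'httpd_accel_host virtual\n'
    printf 'httpd_accel_port %s\n' "$1"
    printf 'httpd_accel_with_proxy on\n'
    printf 'httpd_accel_uses_host_header on\n'
}

# check_single_port PORT...: succeed only for exactly one numeric port,
# since an intercepted request carries no port information and Squid
# cannot tell two intercepted ports apart.
check_single_port() {
    [ $# -eq 1 ] && echo "$1" | grep -Eq '^[0-9]+$'
}

# Usage: proxy on this box, intercepting port 80 into Squid on 8080.
if check_single_port 80; then
    intercept_rule eth0 80 '' 8080
    accel_config 80
fi
```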
None of these explicitly describe transparent proxying, but they are useful nonetheless.
Squid, a user's guide: http://squid-docs.sourceforge.net/latest/html/book1.htm
Squid configuration manual
$SQUID-HOME/etc/squid.conf
Your firewall manual.
Jennifer Vesperman likes to think she was born with a silicon wafer attached to her spinal column, but can't get her parents to admit it. She contributes to Open Source, mostly as a user and advocate. Jenn is the current coordinator for Linuxchix.org.