Hello Rob, I'm using Squid since 3.1 on OpenBSD 5.2 with compiled sources (Squid 3.2.5-9 and 3.3.4 at this time). I don't use an IP but the http_port 3129 as my configuration suggests:

http_port 3128
http_port 3129 intercept

And I have those rules in my PF:

pass in quick proto tcp to { 10.X.1.1 10.X.1.2, 10.X.1.3 } port { $squid_port $squid_intercept_port http }
pass in quick inet proto tcp from { <personnel> <captiveportal_auth> } to any port { 80 8080 } rdr-to 10.X.1.1 port $squid_intercept_port

And all works perfectly :). I haven't tested on 5.3 because the BCM5720, which are disabled on 5.2, are enabled and cause problems on my second Squid server... but I don't think this causes a problem.

-- 
Best regards,
Loïc BLOT, UNIX systems, security and network expert
http://www.unix-experience.fr

On Sunday, 02 June 2013 at 02:17 -0700, Rob Sheldon wrote:
> Sorry for the noise.
>
> OpenBSD 5.3 introduced Squid 3.2, which now checks the destination IP
> of inbound packets against the Host: header in interception mode. This
> breaks rdr-to, which makes nearly every howto online incorrect (joy).
> There was a minor error in the Squid docs which confused me (http_port
> must have IP-of-interface-to-listen on:port, e.g., "http_port
> 127.0.0.1:3129 intercept", instead of just "http_port 3129 intercept" as
> in the current docs), which caused the connection refused errors, which
> I stupidly misinterpreted.
>
> FWIW, the Squid docs link to
> http://www.openbsd.org/cgi-bin/cvsweb/ports/www/squid/pkg/README-main?rev=1.1;content-type=text%2Fplain,
> which has "http_port 127.0.0.1:3129 transparent" as the example, but
> as of Squid 3.1, "transparent" was deprecated in favor of "intercept":
> http://www.squid-cache.org/Doc/config/http_port/
>
> - R.
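The two messages above disagree on whether the intercept http_port needs an explicit listen address, and Rob's mistake was a pf rdr-to target that no Squid port answered. Below is an added consistency check (written for this thread, not code from either poster or from Squid or OpenBSD) that parses squid.conf http_port lines and pf.conf rdr-to rules, expands pf macros, and reports an intercept port with no listen address, a deprecated "transparent" flag, or an rdr-to target that no intercept port covers; the embedded configs and the 10.0.1.1 address are constructed samples.

```python
import re

# Constructed samples modelled on the thread (10.0.1.1 stands in for the redacted 10.X.1.1).
SQUID_CONF = """\
http_port 3128
http_port 3129 intercept
"""
PF_CONF = """\
squid_port = "3128"
squid_intercept_port = "3129"
pass in quick inet proto tcp from { <personnel> <captiveportal_auth> } to any port { 80 8080 } rdr-to 10.0.1.1 port $squid_intercept_port
"""

def parse_http_ports(conf):
    """Return (listen_ip or None, port, set of flags) for every http_port line."""
    ports = []
    for line in conf.splitlines():
        m = re.match(r"\s*http_port\s+(?:(\d+\.\d+\.\d+\.\d+):)?(\d+)\s*(.*)", line)
        if m:
            ip, port, rest = m.groups()
            ports.append((ip, int(port), set(rest.split())))
    return ports

def parse_rdr_targets(conf):
    """Return (ip, port) for every rdr-to target, expanding $macro port values."""
    macros = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', conf, re.M))
    targets = []
    for ip, port in re.findall(r"rdr-to\s+(\S+)\s+port\s+(\S+)", conf):
        if port.startswith("$"):
            port = macros[port[1:]]
        targets.append((ip, int(port)))
    return targets

def check(squid_conf, pf_conf):
    """Return a list of findings; an empty list means the two configs agree."""
    findings = []
    http_ports = parse_http_ports(squid_conf)
    intercept = [(ip, p) for ip, p, f in http_ports if f & {"intercept", "transparent"}]
    for ip, p, flags in http_ports:
        if "transparent" in flags:
            findings.append(f"port {p}: 'transparent' is deprecated since Squid 3.1, use 'intercept'")
        if "intercept" in flags and ip is None:
            findings.append(f"port {p}: intercept port has no listen address (see Rob's report)")
    for ip, p in parse_rdr_targets(pf_conf):
        # A wildcard http_port (no IP) covers any rdr-to address; an explicit IP must match.
        if not any(hp == p and (hip is None or hip == ip) for hip, hp in intercept):
            findings.append(f"rdr-to {ip}:{p} matches no intercept http_port")
    return findings

if __name__ == "__main__":
    for line in check(SQUID_CONF, PF_CONF) or ["configs consistent"]:
        print(line)
```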