Hello Rob,
I have been using Squid since 3.1 on OpenBSD 5.2 with compiled sources (Squid
3.2.5-9 and 3.3.4 at this time). I don't use an IP but the http_port
3129, as my configuration suggests:

http_port 3128
http_port 3129 intercept

And I have these rules in my PF:

pass in quick proto tcp to { 10.X.1.1 10.X.1.2, 10.X.1.3 } port { $squid_port $squid_intercept_port http }
pass in quick inet proto tcp from { <personnel> <captiveportal_auth> } to any port { 80 8080 } rdr-to 10.X.1.1 port $squid_intercept_port

And everything works perfectly :). I haven't tested on 5.3 because the BCM5720,
which are disabled on 5.2, are enabled and cause problems on my second
Squid server... but I don't think this causes a problem.

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr



On Sunday 02 June 2013 at 02:17 -0700, Rob Sheldon wrote:
> Sorry for the noise.
>
> OpenBSD 5.3 introduced Squid 3.2, which now checks the destination IP
> of inbound packets against the Host: header in interception mode. This
> breaks rdr-to, which makes nearly every howto online incorrect (joy).
> There was a minor error in the Squid docs which confused me (http_port
> must have IP-of-interface-to-listen on:port, e.g., "http_port
> 127.0.0.1:3129 intercept", instead of just "http_port 3129 intercept" as
> in the current docs), which caused the connection refused errors, which
> I stupidly misinterpreted.
>
> FWIW, the Squid docs link to
>
> http://www.openbsd.org/cgi-bin/cvsweb/ports/www/squid/pkg/README-main?rev=1.1;content-type=text%2Fplain,
> which have "http_port 127.0.0.1:3129 transparent" as the example, but
> as of Squid 3.1, "transparent" was deprecated in favor of "intercept":
> http://www.squid-cache.org/Doc/config/http_port/
>
> - R.
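
An added example, not part of the original thread and not Squid's code: a simplified Python model of the interception-mode check described in the quoted message, comparing the connection's destination IP with the addresses the Host: header resolves to. The resolver table, addresses and function names are constructed for illustration, and it assumes the proxy sees only the rewritten address after a redirect.

```python
# Simplified model of an intercept-mode Host check; illustrative, not Squid's code.
import ipaddress

# Constructed resolver data (documentation address ranges); stands in for DNS.
DNS = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "static.example.net": {"198.51.100.7"},
}

def host_from_request(raw):
    """Return the Host header value (lower-cased, port stripped), or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):             # bracketed IPv6 literal
                return host[1:].partition("]")[0]
            return host.rsplit(":", 1)[0] if ":" in host else host
    return None

def verify(dst_ip, raw_request):
    """Compare the TCP destination address with what the Host header resolves to."""
    host = host_from_request(raw_request)
    if host is None:
        return "no-host"
    try:
        # Host given as an IP literal: it must equal the destination itself.
        candidates = {str(ipaddress.ip_address(host))}
    except ValueError:
        candidates = DNS.get(host, set())
    return "ok" if str(ipaddress.ip_address(dst_ip)) in candidates else "mismatch"

# Constructed sample request and addresses.
REQ = b"GET / HTTP/1.1\r\nHost: www.example.com:80\r\nUser-Agent: x\r\n\r\n"
PROXY_IP = "10.0.1.1"   # assumed address a redirect rule rewrites the destination to

def demo():
    return {
        "original destination visible": verify("192.0.2.10", REQ),
        "destination rewritten to proxy": verify(PROXY_IP, REQ),
        "Host names a different server": verify("198.51.100.7", REQ),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```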
