Hello Rob, mine is a forward proxy; it's used by my clients to go to all websites (except those blacklisted by squidguard).
--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr

On Sunday 02 June 2013 at 12:33 -0700, Rob Sheldon wrote:
> On 2013-06-02 2:35, Loïc BLOT wrote:
> > Hello Rob,
> > I'm using squid since 3.1 on OpenBSD 5.2 with compiled sources (squid
> > 3.2.5-9 and 3.3.4 at this time). I don't use an IP but the http_port
> > 3129 as my configuration suggests:
> >
> > http_port 3128
> > http_port 3129 intercept
> >
> > And I have those rules in my PF:
> >
> > pass in quick proto tcp to { 10.X.1.1 10.X.1.2, 10.X.1.3 } port
> > { $squid_port $squid_intercept_port http }
> > pass in quick inet proto tcp from { <personnel> <captiveportal_auth> }
> > to any port { 80 8080 } rdr-to 10.X.1.1 port $squid_intercept_port
> >
> > And all works perfect :). I haven't tested on 5.3 because the BCM5720
> > which are disabled on 5.2 are enabled and cause problems on my second
> > squid server... but I don't think this causes a problem.
>
> As a forward proxy or a reverse proxy? There's no way a Squid 3.2+
> installation should work with rdr-to, unless:
>
> - the sources were modified to disable the security check described by
> Amos in
> http://www.squid-cache.org/mail-archive/squid-users/201208/0374.html;
>
> - or the destination IP of the requests matches the IP of the requested
> web server (reverse proxy, internal web server, or something).
>
> Amos spelled out the code change in 3.2+ in the mail post above. rdr-to
> rewrites the destination IP in the request. If Squid receives a request
> for a host (e.g. a GET request for / on www.google.com), and the DNS
> lookup for the requested host does not match the destination IP of the
> request (e.g. the request was rdr-to'd to 10.5.1.1), then Squid will refuse
> to forward the request to www.google.com.
>
> I can accept that maybe there's something going on that I still don't
> understand that's causing my particular configuration to require the
> listening IP in the http_port setting -- although I doubt it, I'm very
> very close to the configuration in the official Squid documentation at
> this point -- but I understand the rdr-to problem well enough now to
> assert that it won't work as intended except in a few specific cases.
>
> - R.
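A small model of the destination check Rob describes, added here as an example; it is not Squid's code and not part of the thread. It assumes a constructed resolver table in place of real DNS, uses the 10.5.1.1 rdr-to address from Rob's message, and treats "forward proxy" as Loïc's case (clients configured for port 3128, no interception).

```python
import ipaddress

# Constructed stand-in for DNS answers (no live lookups are made).
FAKE_DNS = {
    "www.google.com": {"74.125.24.99", "74.125.24.147"},
    "intranet.example": {"10.5.1.1"},
}

PROXY_IP = "10.5.1.1"  # the rdr-to target quoted in the thread


def pf_rdr_to(original_dst_ip, proxy_ip=PROXY_IP):
    """PF rdr-to rewrites the packet's destination before Squid sees it,
    so the original destination address is no longer available."""
    return proxy_ip


def squid_would_forward(host_header, dst_ip_seen_by_squid, intercepted,
                        resolve=FAKE_DNS.get):
    """Simplified model of the Squid 3.2+ host verification.

    A plain forward-proxy request (client explicitly uses port 3128) is
    not subject to the check. An intercepted request is forwarded only
    when the TCP destination Squid received matches the Host header:
    either the header is that same IP literal, or DNS for the header
    resolves to that address.
    """
    if not intercepted:
        return True
    try:
        # Host header given as an IP literal: compare directly.
        return ipaddress.ip_address(host_header) == ipaddress.ip_address(dst_ip_seen_by_squid)
    except ValueError:
        pass
    addrs = resolve(host_header) or set()
    return dst_ip_seen_by_squid in addrs


def thread_cases():
    """The situations discussed in the thread, as (label -> forwarded?)."""
    google_dst = "74.125.24.99"
    return {
        # Loïc: clients use the proxy directly, rdr-to never matters.
        "forward proxy, rdr-to present": squid_would_forward("www.google.com", pf_rdr_to(google_dst), False),
        # Rob: intercepted and rdr-to'd, DNS for the Host header != 10.5.1.1.
        "intercept via rdr-to": squid_would_forward("www.google.com", pf_rdr_to(google_dst), True),
        # Rob's second exception: requested server really is at the rdr-to address.
        "intercept, internal server at proxy IP": squid_would_forward("intranet.example", pf_rdr_to("10.5.1.1"), True),
        # Check passes when the original destination survives intact.
        "intercept, destination preserved": squid_would_forward("www.google.com", google_dst, True),
    }
```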