G'day,

I'm curious about a change to the transparent/interception behaviour between Squid versions 2.7 and 3.1.

I'm using an iptables NAT redirect to send all tcp traffic with dst port 80 on the FORWARD chain to port 60080, and in my squid.conf I have

    http_port 60080 transparent

for Squid 2.7 and

    http_port 60080 intercept

for Squid 3.1. I also have the following ACL:

    acl intercepted myport 60080

Squid is running on 192.168.0.112 and a box with 192.168.0.112 as its gateway is trying to access 64.191.203.30:80.

On Squid 2.7 the "intercepted" acl matches whilst in 3.1 it doesn't.

Digging deeper into the Squid 3.1 source it seems that if a http_port is set to intercept then the "me" member of ConnStateData, which is normally the proxy's ip and listening port, is replaced by the pre-NAT destination ip and port.

client_side.cc:2959

    if (port->intercepted || port->spoof_client_ip) {
        IpAddress client, dst;

        if (IpInterceptor.NatLookup(fd, me, peer, client, dst) == 0) {
            result->me = client;
            result->peer = dst;
            result->transparent(true);
        }
    }

Thus it seems, for the scenario above, in the Squid 2.7 case

    myport = 60080, myip = 192.168.0.112

yet in the 3.1 case

    myport = 80, myip = 64.191.203.30

Is this the desired behaviour, and if so, why did this change somewhere between 2.7 and 3.1?

Cheers,
James Brotchie
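
Added example, not part of the original post and not Squid source: a simplified C++ model of the behaviour the post reports, showing why a port-based ACL written for the listening port stops matching once "me" is replaced by the pre-NAT destination. All type and function names are hypothetical, and the client address and source port are constructed.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

// Simplified model only; every name here is hypothetical, not Squid's API.
struct Addr { std::string ip; uint16_t port; };
struct Conn { Addr me; Addr peer; bool transparent; };

// Constructed NAT state: "client_ip:client_port" -> pre-NAT destination.
typedef std::map<std::string, Addr> NatTable;

bool natLookup(const NatTable &nat, const Addr &client, Addr &dst) {
    NatTable::const_iterator it = nat.find(client.ip + ":" + std::to_string(client.port));
    if (it == nat.end()) return false;   // no NAT entry: not a redirected flow
    dst = it->second;
    return true;
}

// rewriteMe=false models the 2.7 result reported in the post (me stays the
// listener); rewriteMe=true models the 3.1 result (me = pre-NAT destination).
Conn acceptConn(const Addr &listener, const Addr &client, const NatTable &nat,
                bool intercept, bool rewriteMe) {
    Conn c = {listener, client, false};
    Addr dst;
    if (intercept && natLookup(nat, client, dst)) {
        c.transparent = true;
        if (rewriteMe) c.me = dst;
    }
    return c;
}

// "acl intercepted myport 60080" reduced to a comparison against me.port.
bool myportMatches(const Conn &c, uint16_t aclPort) { return c.me.port == aclPort; }

// Listener and destination come from the post; the client endpoint is constructed.
const Addr kListener = {"192.168.0.112", 60080};
const Addr kClient = {"192.168.0.50", 40000};
const NatTable kNat = {{"192.168.0.50:40000", {"64.191.203.30", 80}}};

bool matches27() { return myportMatches(acceptConn(kListener, kClient, kNat, true, false), 60080); }
bool matches31() { return myportMatches(acceptConn(kListener, kClient, kNat, true, true), 60080); }
Conn conn31() { return acceptConn(kListener, kClient, kNat, true, true); }

int main() {
    std::cout << "2.7 model, myport 60080 matches: " << matches27() << "\n";
    std::cout << "3.1 model, myport 60080 matches: " << matches31() << "\n";
    std::cout << "3.1 model, me = " << conn31().me.ip << ":" << conn31().me.port << "\n";
    return 0;
}
```

In this model, an access rule keyed on the listening port silently stops applying to redirected traffic after the change, so any policy that depends on such an ACL needs re-checking when moving between the two versions.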