Amos,
Is it possible to make Squid blind to the dst IP and look up only the domain
name in the packet?

Awaiting your reply.

Thank you

-----Original Message-----
From: Ahmad Alzaeem [mailto:ahmed.za...@netstream.ps] 
Sent: Sunday, November 22, 2015 9:45 AM
To: 'Amos Jeffries'
Cc: 'squid-users@lists.squid-cache.org'
Subject: RE: [squid-users] squid intercept mode fo http & https

Amos, thank you so much for your kind reply.

The topology is complex and I can't do it by setting up the gateway to be the
Squid, and I'm forced to work on DNS.

I'm just asking: is it possible to work that way with Squid?
Or
is it impossible to have it working?

I know it's weird and not popular, but I'm forced to do it that way.

So again, can we use something like redsocks or any redirector to help me with
this issue?


If Squid can work that way, do I need to add more directives to let it work?

As I mentioned, from the logs it gets stuck and looks up the destination IP:
1448121518.847      0 xx.79.120 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121526.056      0 xx.79.120 TCP_MISS/503 399 HEAD http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html


So if I understood well, I guess Squid will work on the domain name, not on
the IP, and I expect it to work, but so far I don't know why!

Thank you again, Amos. I appreciate all your help and the team's support;
all of you were and still are nice helpers.


cheers

-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Sunday, November 22, 2015 3:51 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid intercept mode fo http & https

On 22/11/2015 5:56 a.m., Ahmad Alzaeem wrote:
> Thanks for your reply.
> 
> I know that my DNS is weird.
> 
> But all I need is this:
> I have access to the DNS server, but I don't have access to the PCs to give
> them ip:port in their browsers.
> 
> So yes, I'm forced to work that way.

You should not be. Have a read through
<http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers>. Notice that DNS 
weirdness is not mentioned anywhere, not even as a last-resort method.



> 
> And I want to filter my websites, and the only way to get to the internet is
> by using the proxy.
> 
> So what do you suggest?

Try the methods listed in that wiki page for WPAD/PAC auto-configuration (aka 
"transparent proxy configuration", notice that is a 3-word phrase).
That will catch a lot of the main-stream browsers.

When that is done, set up your routers for *routing* the port 80/443 traffic
through the Squid machine, with NAT (aka "transparent interception proxy";
notice that is a different 3-word phrase).

No DNS required in any of that.

> 
> So again, the packet goes to Squid, but inside this packet is the name of
> the website, and the dst IP is the proxy IP.

Exactly. That is all Squid is given to work with.

> 
> What settings are needed on Squid to operate such that it gets the info from
> the name and skips the dst IP?
> 
> If you look at the log files you will understand my idea.
> 

We already understand your idea. Others have had it before. The reason it is 
not popular is the extremely complicated nature of the multiple pieces of high 
performance high-uptime hardware required just to keep it from falling over 
and/or hitting the side effects you have seen so far, and many others you have 
not even got close to reaching yet. When things go wrong the clients also need 
an individual reset to clear their internal DNS caches.

Route packets to Squid (no DNS) just like normally routed packets if Squid were 
a border gateway, then NAT or TPROXY intercept into the proxy itself on the 
same machine. FAR more robust.

Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
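
The symptom discussed in this thread can be spotted in access.log: an intercepted request that Squid forwards to ORIGINAL_DST where that address is the proxy itself. The script below is an added example, not code from the thread or from the Squid project. It assumes Squid's native log format and that 10.159.144.206 is the proxy's own address, as the poster describes; the client addresses in the sample are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Squid native access.log fields: time elapsed client result/status bytes
# method URL user hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample input. Client addresses are placeholders; the first two
# lines mirror the entries quoted in the thread.
SAMPLE = """\
1448121518.847      0 192.0.2.10 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121526.056      0 192.0.2.10 TCP_MISS/503 399 HEAD http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html
1448121530.112    184 192.0.2.11 TCP_MISS/200 5120 GET http://example.org/ - ORIGINAL_DST/198.51.100.7 text/html
1448121531.300     90 192.0.2.12 TCP_MISS/200 812 GET http://example.net/a - HIER_DIRECT/198.51.100.9 text/html
"""

def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_self_destined(lines, proxy_ips):
    """Entries Squid sent to ORIGINAL_DST where that address is the proxy itself."""
    own = {ipaddress.ip_address(ip) for ip in proxy_ips}
    hits = []
    for line in lines:
        entry = parse_line(line)
        if not entry or entry["hier"] != "ORIGINAL_DST":
            continue
        try:
            peer = ipaddress.ip_address(entry["peer"].strip("[]"))
        except ValueError:  # "-" or a hostname: no usable destination address
            continue
        if peer in own:
            hits.append(entry)
    return hits

def affected_clients(hits):
    """Count self-destined requests per client address."""
    return dict(Counter(h["client"] for h in hits))

if __name__ == "__main__":
    for h in find_self_destined(SAMPLE.splitlines(), ["10.159.144.206"]):
        print(h["client"], h["method"], h["url"], h["status"], "->", h["peer"])
```

Clients that show up in the result are the ones whose DNS answers point at the proxy; they are the ones that would need the DNS cache reset mentioned above once routing-based interception replaces the DNS redirect.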
