Amos , Is it possible to let squid blind to the ds tip and lookup only to the domain name in the packet ???
Awaiting ur reply Thank you -----Original Message----- From: Ahmad Alzaeem [mailto:ahmed.za...@netstream.ps] Sent: Sunday, November 22, 2015 9:45 AM To: 'Amos Jeffries' Cc: 'squid-users@lists.squid-cache.org' Subject: RE: [squid-users] squid intercept mode fo http & https Amos , thank you so much for your kind reply . The topology is complex and I cant do it like setting up the gateway to be the squid and im forced to work on DNS . Im just asking is it possible to work on that way with squid ? Or Its impossible to have it working ??? I have its werid and not popular , but im forced to do it on that way . So again , can we use like redsocks or any redirector to help me in this issue ? If squid can work on that way , do I need to add more directives to let it work ? As I mentioned from logs it stuck and lookup for destination ip ip : 1448121518.847 0 xx.79.120 TCP_MISS/503 4183 GET http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html 1448121526.056 0 xx.79.120 TCP_MISS/503 399 HEAD http://cnn.com/ - ORIGINAL_DST/10.159.144.206 text/html so if I was understanding well , I guess squid will work on the domain name not on the ip and I suppose it to work , but so far I don’t know why ! Thank you amos again , I appreciate all ur help and the team support help , all of you were and still a nice helpers cheers -----Original Message----- From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Amos Jeffries Sent: Sunday, November 22, 2015 3:51 AM To: squid-users@lists.squid-cache.org Subject: Re: [squid-users] squid intercept mode fo http & https On 22/11/2015 5:56 a.m., Ahmad Alzaeem wrote: > Thanks fot your reply . > > I know that my DNS is weird . > > But all I need is > I have access to DNS server , but I don’t have access to pcs to give them > ip:port in their browsers . > > So yes , im forced to work on that way . You should not be. Have a read through <http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers>. Notice that DNS weirdness is not mentioned anywhere, not even as a last-resort method. > > And I want to filter my websites and the only way to go internet is using the > proxy . > > So what do you suggest ? Try the methods listed in that wiki page for WPAD/PAC auto-configuration (aka "transparent proxy configuration", notice that is a 3-word phrase). That will catch a lot of the main-stream browsers. When that is done set up your routers for *routing* the port 80/443 traffic through the Squid machine. With NAT (aka "transparent interception proxy", notice that is a different 3-word phrase) No DNS required in any of that. > > So again , the packet go to squid , but inside this packet the name of > websites and ds tip is the proxy ip. Exactly. That is all Squid is given to work with. > > What settings needed on squid to operate such as get the info from name and > skip dst ip ? > > If u look @ the log files u will understand my idea > We already understand your idea. Others have had it before. The reason it is not popular is the extremely complicated nature of the multiple pieces of high performance high-uptime hardware required just to keep it from falling over and/or hitting the side effects you have seen so far, and many others you have not even got close to reaching yet. When things go wrong the clients also need an individual reset to clear their internal DNS caches. Route packets to Squid (no DNS) just like normally routed packets if Squid were a border gateway, then NAT or TPROXY intercept into the proxy itself on the same machine. FAR more robust. Amos _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users