Squid Interception Proxying Troubles

Erik Bixby erik.bixby at gmail.com
Thu Nov 2 07:50:50 MST 2006


On 11/1/06, JT Moree <moreejt at pcxperience.com> wrote:
> I guess I don't understand why you are tunnelling traffic between boxes.
>

I am tunneling traffic between the Squid box and the router, because
that's what Squid's FAQ on the matter indicates one should do
(http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-a7fed84c39e23407b93737da0815d1e6ed926a4f).
 It's also what every HowTo has indicated should be done.  However, as
I stated before, I also tried forwarding traffic directly through the
Squid box, with no tunnel, and got the same result.

> Is that to make it easier when you start to load balance?  Are you going
> to set the tunnels so that the router uses them all?  Although I think
> you could do this with standard iproute2 commands and no tunnel.
>

There are a number of advantages to using WCCP for transparent proxying.

> I think the way we set up transparent proxy was
> - Assume squid is on proxy at port 8080
> - Firewall allows all port 80 traffic from proxy
> - Firewall re-routes all port 80 packets from other (not proxy) machines
> to port 8080 on proxy machine
> - Proxy gets all traffic at port 8080 and handles proxying for all non
> configured browsers
> - Port 80 on proxy is still available for running real http services on
> proxy
>
> Another page I found that might be helpful but it's fairly old:
> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html
>

As I said, I have the machine set up as per Squid's FAQ.  I have
verified that Squid has been compiled with the requisite flags, and
the appropriate entries have been made in the squid.conf file.

> Keep in mind that transparent proxies are neat but your bandwidth can
> go up tremendously because traffic is now being rerouted all over.  It
> is best to configure the browsers to use proxies.  I'm guessing you've
> already considered this.
>

I am well aware of the implications of using a transparent proxy
versus configuring all the browsers to use a proxy.

> There is an automatic proxy feature in most browsers where you put some
> javascript code on a web page and it tells the browser what to do to
> proxy.  This page details security and setup details
> http://homepages.tesco.net/J.deBoynePollard/FGA/web-browser-auto-proxy-configuration.html
>

I believe you are referring to WPAD (Web Proxy Autodiscovery
Protocol).  A brief explanation can be found at
http://en.wikipedia.org/wiki/WPAD.  I am familiar with it.  In fact, I
had it configured at the district, but was directed to remove it.  It
has been decided, by people who get paid more than me, that we will
use interception caching to filter our outbound HTTP traffic.  I am
aware of the arguments against such an arrangement and have already
forwarded them.  As it stands, interception proxying is what the
district wants to do.  That being the case, I'm still stuck on why it
is that I am getting traffic to my Squid box, but the machine is not
doing anything with the traffic.

As always, I thank you for taking the time to consider my situation.
-Erik


More information about the PLUG-discuss mailing list