[SQU] Dynamic sites refusing connections

From: Gaal Yahas <gaal@dont-contact.us>
Date: Tue, 12 Sep 2000 16:00:27 +0200

This problem *seems* to be addressed in the FAQ, but (I
think) isn't really:

I am running squid-2.3.STABLE1-5 as a transparent
proxy on a Red Hat 6.2 system with kernel 2.4-test7.
The machine is acting as a gateway for a number of hosts
(with a number of "improvements", see below). Transparency
for the cache is achieved with iptables and a REDIRECT rule
from port 80 to 3128.

The problem: I cannot access a number of sites through
squid. These are mostly large sites that manage user
sessions, such as: amazon.com, hotmail.com [I read the FAQ,
bear with me], etrade.com, zdnet.com. Specifically, I get a
"Connection refused (111)" error on the client, and indeed
subsequent attempts to connect to the server's port 80/tcp
(with, say, netcat or telnet) fail. It's as if the remote
site suspects an intrusion and denies my proxy's IP access.

Now, as I said, I read the FAQ (11.16, about Hotmail being
"proxy-unfriendly" and requiring "all requests to come from
the same IP address"), and tried adding a hierarchy_stoplist
directive in squid.conf. No luck there.

What bugs me is this: if this is a transparent proxy, *how
does Hotmail know* the HTTP requests are coming from different
IPs? Aren't *all* HTTP connections that go through a
transparent proxy rewritten by the NAT rule to look as if they
were coming through the NAT'ing gateway?

Any ideas? Your help would be much appreciated!
(I am currently working around this by injecting rules in my
NAT table to bypass the redirection for these sites. This works,
but is very ugly IMHO!)

Gaal

PS: this gateway is also running a caching nameserver for
hosts on its network, plus (this is the "interesting" bit)
has uplinks to two different ISPs, which it balances load to
with the multipath (= non-deterministic) default route feature
from the recent Linux kernels. I don't know if the following is
the fault of iproute2, of iptables, or of squid, but occasionally
I get kernel messages of this form:

NAT: 0 dropping untracked packet c7e12480 1 <some-ip> -> <some-ip>

Any ideas why this happens, and whether I should be worried?
This happens at varying frequency from once a minute to once
in two hours (one packet). Of course if I stop the Squid daemon
while the redirection rule is in effect I get loads of these,
but why do I get them when Squid is up?

Thanks again,
Gaal

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
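To put a number on how often the "dropping untracked packet" messages from the PS actually occur, here is an added example (not part of the original post or of Squid) that parses such kernel log lines and reports drops per source/destination pair and the mean interval between them. The syslog prefix, hostname and IP addresses in the sample lines are constructed assumptions; only the message body format is taken from the post.

```python
"""Count "NAT: ... dropping untracked packet" kernel messages per flow.

Added example, not code from the original post.  The syslog prefix,
the hostname "gw" and the sample IPs are constructed; the message body
format ("NAT: 0 dropping untracked packet <skb> 1 <src> -> <dst>")
is as quoted in the post.
"""
import re
from collections import Counter
from datetime import datetime

# Message body as quoted in the post; skb address and the numeric field
# before the source IP are captured but not interpreted.
NAT_DROP_RE = re.compile(
    r"NAT: (?P<n0>\d+) dropping untracked packet (?P<skb>[0-9a-f]+) (?P<n1>\d+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)
# Assumed classic syslog prefix: "Mon DD HH:MM:SS host kernel: <message>"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<msg>.*)$")

def parse_nat_drops(lines, year=2000):
    """Return a list of (timestamp, src, dst) for every matching log line."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        d = NAT_DROP_RE.search(m.group("msg"))
        if not d:
            continue  # some other kernel message, ignore it
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, d.group("src"), d.group("dst")))
    return events

def summarize(events):
    """Drops per (src, dst) pair plus the mean gap in seconds between drops."""
    counts = Counter((s, d) for _, s, d in events)
    times = sorted(t for t, _, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else None
    return counts, mean_gap

# Constructed sample log lines (not real traffic); addresses are placeholders.
SAMPLE_LOG = """\
Sep 12 15:58:03 gw kernel: NAT: 0 dropping untracked packet c7e12480 1 192.168.1.10 -> 198.51.100.7
Sep 12 15:59:03 gw kernel: NAT: 0 dropping untracked packet c7e12600 1 192.168.1.10 -> 198.51.100.7
Sep 12 15:59:10 gw kernel: eth0: link up
Sep 12 16:00:03 gw kernel: NAT: 0 dropping untracked packet c7e13880 1 192.168.1.11 -> 203.0.113.25
""".splitlines()

if __name__ == "__main__":
    counts, mean_gap = summarize(parse_nat_drops(SAMPLE_LOG))
    for (src, dst), n in counts.most_common():
        print(f"{src} -> {dst}: {n} dropped")
    print(f"mean interval between drops: {mean_gap:.0f}s")
```

Feed it the output of `dmesg` or the kernel lines from /var/log/messages; a sudden jump in the rate for one pair is the signal worth chasing.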
Received on Tue Sep 12 2000 - 07:02:08 MDT
