use tcp_outgoing_address based on incoming port connection

xpro6000
I have the following configuration that makes incoming connections
coming to port 8000 use another proxy, in this case proxy8000

http_port 8000 name=port_8000
acl port_8000_acl myportname port_8000
always_direct deny port_8000_acl
never_direct allow port_8000_acl
cache_peer 11.12.12.12 parent 20006 0 no-query default name=proxy8000
cache_peer_access proxy8000 allow port_8000_acl
cache_peer_access proxy8000 deny all

But I want to modify it so I can tell it which local interface to use
based on the incoming port. Right now I'm using the following in another
Squid configuration, but it's not based on incoming port. It does it for
all connections

tcp_outgoing_address 172.16.11.106 # <-- that's my local ip

Does tcp_outgoing_address have the same ability as cache_peer in my case?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: use tcp_outgoing_address based on incoming port connection

Amos Jeffries
Administrator
On 23/04/18 12:45, xpro wrote:
> I have the following configuration that makes incoming connections
> coming to port 8000 use another proxy, in this case proxy8000
>
> http_port 8000 name=port_8000
> acl port_8000_acl myportname port_8000
> always_direct deny port_8000_acl

"don't always do" ... aka sometimes do, sometimes don't DNS lookup.

> never_direct allow port_8000_acl

"never do" DNS lookup.

No need for both requirements. Just use never_direct to forbid DNS being
used for that traffic.


> cache_peer 11.12.12.12 parent 20006 0 no-query default name=proxy8000
> cache_peer_access proxy8000 allow port_8000_acl
> cache_peer_access proxy8000 deny all
>
> But I want to modify it so I can tell it which local interface to use
> based on the incoming port. Right now I'm using the following in another
> Squid configuration, but it's not based on incoming port. It does it for
> all connections

You cannot do that. Squid is HTTP layer where you can, at most, request
from the OS that it assign a given IP address to the outgoing traffic.


>
> tcp_outgoing_address 172.16.11.106 # <-- that's my local ip
>
> Does tcp_outgoing_address have the same ability as cache_peer in my case?

Neither directive has the ability you are requesting.

* cache_peer determines the dst-IP for the outgoing TCP connections. If
the specific server is not available the TCP connection will fail
(because you have never_direct).


* tcp_outgoing_ip requests a specific src-IP for the outgoing TCP
connections. If that IP is not already assigned to the machine it is
invalid and the connection will be rejected.


The OS routing setup decides:
 a) whether the src-IP is valid, and
 b) whether the dst-IP is routable, and
 c) which NIC the packets with those values go out.

Amos

Re: use tcp_outgoing_address based on incoming port connection

Amos Jeffries
Administrator
On 24/04/18 03:45, Arya F wrote:
> You cannot do that. Squid is HTTP layer where you can, at most, request
> from the OS that it assign a given IP address to the outgoing traffic
>
> Can you tell me how that can be done? I'm ok with using the IP address
> of the interface
>

Either, by configuring the IP address in tcp_outgoing_address as you
wrote in your first mail. The OS *may* use the interface associated with
that IP, unless the dst-IP routing requires a different one.

OR, by doing nothing in squid.conf and letting the OS select the IP it
already knows to use on the routes to wherever the dst-IP is going.

Amos
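The two behaviours described in the replies above, shown at the socket level as an added example (not code from the thread or from Squid): a proxy can only ask the OS to bind a source IP, which fails if the address is not assigned locally, and with no bind the kernel's routing table picks the source IP by itself. The function names are hypothetical, and 192.0.2.1 (a documentation-range address) is assumed not to be assigned to the machine running this.

```python
import errno
import socket


def can_bind_source(src_ip):
    """Try to bind a TCP socket to src_ip, as a proxy does for a configured
    outgoing address. Returns (ok, errno_name)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((src_ip, 0))  # port 0: let the OS choose the source port
        return True, None
    except OSError as e:
        # An address not assigned to any local interface is refused by the OS
        return False, errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def os_selected_source(dst_ip, port=80):
    """Ask the kernel which source IP it would use to reach dst_ip when the
    application binds nothing. connect() on UDP sends no packets; it only
    performs the route lookup."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dst_ip, port))
        return s.getsockname()[0]
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed sample inputs: loopback is assigned, 192.0.2.1 is assumed not to be
    for ip in ("127.0.0.1", "192.0.2.1"):
        ok, err = can_bind_source(ip)
        print(f"bind src {ip}: {'ok' if ok else 'refused (' + err + ')'}")
    print("OS-selected src for dst 127.0.0.1:", os_selected_source("127.0.0.1"))
```

Which NIC the packets leave on is still decided by the routing table, not by the bind call.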