cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6318e9eac4
openbsd-ports/www/squid/pkg/README
ajacoutot 4e6d900ce6 Extend README: 
If the proxy server is running on the same subnet as the clients, the
return traffic from the proxy will go directly back to them without
ever hitting the firewall, which means the states will never get updated
and may fill-up your pflog(4) with blocked attempts. To circumvent this
the "no state" option needs to be specified for the route-to rule.

ok Brad, intput/ok sthen@ (maintainer)
2012-06-20 07:10:39 +00:00

50 lines
2.0 KiB
Plaintext
Raw Blame History

$OpenBSD: README,v 1.6 2012/06/20 07:10:39 ajacoutot Exp $
+-----------------------------------------------------------------------
| Running ${FULLPKGNAME} on OpenBSD
+-----------------------------------------------------------------------
The local (OpenBSD) differences are:
- configuration files are in ${SYSCONFDIR}/squid
- sample configuration files are in ${TRUEPREFIX}/share/examples/squid
- error message files are in ${TRUEPREFIX}/share/squid/errors
- sample error message files are in ${TRUEPREFIX}/share/examples/squid/errors
- icons are in ${TRUEPREFIX}/share/squid/icons
- sample icons are in ${TRUEPREFIX}/share/examples/squid/icons
- the cache is in ${LOCALSTATEDIR}/cache
- logs are stored in ${LOCALSTATEDIR}/logs
- the ugid squid runs as is _squid:_squid
Please remember to initialize the cache by running "squid -z" before
trying to run Squid for the first time.
Transparent Proxying with PF
============================
To configure a transparent proxy, bind to a specific address in
${SYSCONFDIR}/squid/squid.conf, for example:
http_port 127.0.0.1:3127 transparent
On the machine running Squid, add a firewall rule similar to this:
pass in quick log inet proto tcp to port 80 divert-to 127.0.0.1 port 3127
If Squid is running on a machine which doesn't normally handle the
traffic (e.g. if you have a firewall and would like to divert packets
to Squid on another machine) you will also need a rule like this:
pass in quick from 10.77.3.5
pass in quick inet proto tcp to port 80 route-to (vr2 10.77.3.5)
(this example assumes Squid is running on 10.77.3.5 reachable over
the vr2 interface).
If the proxy server is running on the same subnet as the clients, the
return traffic from the proxy will go directly back to them without
ever hitting the firewall, which means the states will never get updated
and may fill-up your pflog(4) with blocked attempts. To circumvent this
the "no state" option needs to be specified for the route-to rule.
e.g.
pass in quick inet proto tcp to port 80 route-to (vr2 10.77.3.5) no state
Reference in New Issue View Git Blame Copy Permalink