Re: Question about development

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 10 Sep 2002 09:19:27 +0200

As Robert said, doing this would involve a bit of black magic. What you
are basically requesting is transparent intercepting proxying in
reverse. The proxy server needs to spoof the client IP address on
requests it sends, and your network needs to know about this spoofing.
Effectively, your proxy server must run as the single router for all
your network for traffic on any ports that might have been proxied, or
else total chaos would arise.

However, this kind of spoofing requires certain support from the
operating system kernel to make it at all possible. Squid is just an
application that uses the TCP/IP layer of your OS, and as far as we know
there is no usable support for the requested kind of spoofing in any of
the current operating systems Squid runs on. Before there is support in
at least one operating system for performing actions like this there is
very little we can do in Squid.

In Linux-2.2 there almost was support for this kind of spoofing, but it
required some patching of the kernel to give Squid permission to use the
feature. This was lost in the refactoring of the packet filtering/nat
capabilities in Linux-2.4. From what it looks like, Linux-2.6 might get the
needed capabilities again (see the netfilter-devel archives), but the
details on how it will work and how applications are to make use of it
are still a bit uncertain.

In your specific case I would seriously recommend that you ask Symantec to
extend their logging capabilities to include the X-Forwarded-For header
added by Squid, but you could also use the logs produced by Squid to get
the correct information.

Regards
Henrik

"Boster, Dave" wrote:
>
> I am in search of a solution for placing a caching server between clients
> and an Internet Filter (Symantec Web Security). The problem that I
> currently have is that the Internet Filter sees all requests as coming from
> the caching server, rather than from the actual client. A thought I had was
> to possibly add information to the packet forwarded from the proxy server.
> The information would be the IP address of the client.
>
> While I didn't see this capability in the current release of squid, I was
> wondering if you had any pointers on helping me start a project to do
> something like this with the squid server. Any help would be greatly
> appreciated.
>
> Thanks,
>
> David Boster
> Network & Systems Engineer
>
> IMS - Technical Support
> Omaha Public Schools
> 3215 Cuming Street
> Omaha, NE 68164
>
> Ph: (402) 557-2020
> Fx: (402) 557-2029
> Em: dboster@ops.org
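As an added example (not code from this thread or from Squid), the following shows how a downstream filter's logging could interpret the X-Forwarded-For header Henrik mentions. It assumes a constructed Squid address of 10.0.0.5 and constructed sample requests, and it trusts only the entry appended by that proxy, because the client itself can send an X-Forwarded-For value of its own.

```python
import ipaddress
from typing import Optional

# Assumed/constructed: the Squid box sitting between the clients and the
# filter. Only the X-Forwarded-For entry appended by this hop is trustworthy.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def parse_xff(header: str) -> list:
    """Split an X-Forwarded-For value into its hop list (leftmost = oldest)."""
    return [h.strip() for h in header.split(",") if h.strip()]


def client_ip(peer_ip: str, xff_header: Optional[str]) -> str:
    """Return the address the filter should log as the requesting client.

    peer_ip is the TCP peer the filter actually talked to. Walk the
    X-Forwarded-For list from the right, discarding addresses that belong
    to trusted proxies; the first untrusted address is the client our proxy
    saw. Anything left of it was supplied by the client and may be forged.
    """
    hops = parse_xff(xff_header or "")
    candidate = ipaddress.ip_address(peer_ip)
    while candidate in TRUSTED_PROXIES and hops:
        raw = hops.pop()
        try:
            candidate = ipaddress.ip_address(raw)
        except ValueError:
            # Non-address token (e.g. the "unknown" Squid can emit): the chain
            # is broken, so fall back to the last address we could verify.
            break
    return str(candidate)


# Constructed sample records: (TCP peer seen by the filter, X-Forwarded-For)
SAMPLE_REQUESTS = [
    ("10.0.0.5", "192.168.1.20"),               # normal: Squid appended the client
    ("10.0.0.5", "203.0.113.9, 192.168.1.20"),  # client sent its own XFF first
    ("10.0.0.5", None),                         # header absent: log the proxy
    ("192.168.1.30", "203.0.113.9"),            # client bypassed Squid entirely
]


def resolve_all(records=SAMPLE_REQUESTS):
    """Resolve the client address for each constructed record."""
    return [client_ip(peer, xff) for peer, xff in records]


if __name__ == "__main__":
    for (peer, xff), who in zip(SAMPLE_REQUESTS, resolve_all()):
        print(f"peer={peer!s:14} xff={xff!s:28} -> client={who}")
```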
Received on Tue Sep 10 2002 - 01:30:59 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:16:31 MST