Re: Fw: source IP restriction problem

From: Sébastien Lugan <null@dont-contact.us>
Date: Wed, 15 Nov 2000 18:28:34 +0100 (Paris, Madrid)

zmli@cernet.edu.cn (Carl Li) wrote in
<003101c04eb9$9db6c0d0$240470ca@zimu>:

>Is there anyone who can help me? Can Squid forward a client's request with
>the client's original IP?

You should *not* need any special transparency in your case: simply set up a
classical non-transparent Squid hierarchy. All you need (and I guess it
is already the case) is for your clients to be on a public
(non-RFC1918) IP class in order to access the database you want to
connect to.

If the administrators/webmasters maintaining the remote database are
proxy-aware, they should know that the IP address of a remote host
passing through a proxy can be determined using the
"HTTP_X_FORWARDED_FOR" header in the proxy's request (unless this proxy has
some anonymizer capabilities enabled, of course), even though it is true
that this header could easily be forged by the client. Let's have a look
at http://advanced-ip.crt1.net/ to see a (very basic) example of a page
(actually, a frame) handling the proxy-specific headers.

However, if the administrators/webmasters of the remote database do
refuse to handle those headers, you always have a very simple solution to
your problem: just use a Netscape proxy autoconfiguration script
(proxy.pac) to configure your clients. This kind of script works with
both IE and Netscape, and, with IE, you can even use MS-WPAD (Windows
Proxy Auto Detection).

See:

proxy.pac seen by Netscape:
http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

proxy.pac seen by Microsoft:
http://www.microsoft.com/technet/index/default.asp?url=/TechNet/IE/reskit/ie5/part5/ch21auto.asp

WPAD:
http://www.microsoft.com/technet/index/default.asp?url=/TechNet/IE/reskit/ie5/part3/ch13sser.asp

Again, a well-designed proxy.pac script works with both Netscape's and
Microsoft's browsers.

I have tested proxy.pac (+ WPAD) on the following configurations:
Browsers: IE {5, 5.5, probably 4} for WPAD, Netscape Communicator >= 4
          (I use it on Windows {95, 98, NT4, 2k},
           IRIX 6.2, FreeBSD, Linux, HP-UX 10.20)
Proxy/cache: Squid (of course !!) on FreeBSD, Linux
Web server (hosting the proxy.pac file): Apache 1.3.12 on FreeBSD
DNS server (for MS-WPAD): Bind 8.2.2 on FreeBSD, Linux
DHCP server (for MS-WPAD): ISC DHCPD on FreeBSD

The following (huge!) proxy.pac should work for you (not tested!):

    function FindProxyForURL(url, host)
    {
        // Go direct for unqualified names, the intranet and the database
        // server itself, so the database sees the client's real source IP.
        if (isPlainHostName(host)
            || dnsDomainIs(host, ".intranet.mydomain.cn")
            || localHostOrDomainIs(host, "dbserver.thedatabase.com"))
            return "DIRECT";
        // Everything else goes through a Squid farm chosen by top-level
        // domain; the entry after ";" is the fallback if the first is down.
        else if (shExpMatch(host, "*.cn"))
            return "PROXY national.squidfarm.mydomain.cn:3128; " +
                   "PROXY backup.squidfarm.mydomain.cn:3128";
        else if (shExpMatch(host, "*.com")
                 || shExpMatch(host, "*.org")
                 || shExpMatch(host, "*.net")
                 || shExpMatch(host, "*.int"))
            return "PROXY intl.squidfarm.mydomain.cn:3128; " +
                   "PROXY backup.squidfarm.mydomain.cn:3128";
        else if (shExpMatch(host, "*.edu")
                 || shExpMatch(host, "*.gov")
                 || shExpMatch(host, "*.mil")
                 || shExpMatch(host, "*.us"))
            return "PROXY usa.squidfarm.mydomain.cn:3128; " +
                   "PROXY backup.squidfarm.mydomain.cn:3128";
        else
            return "PROXY world.squidfarm.mydomain.cn:3128; " +
                   "PROXY backup.squidfarm.mydomain.cn:3128";
    }

Don't forget to
  AddType application/x-ns-proxy-autoconfig .pac
on the webserver hosting this file.

You only need to tell your users to set their browser's autoconfiguration
script (I always manage to use "http://proxy/proxy.pac" everywhere).

If *not* using your Squid proxies when accessing other websites is an
issue for you (in other words, if you don't want your users to be able to
disable the use of your proxies), all you need to do is deny outgoing HTTP
connections from your clients to hosts other than the remote database on
your routers/firewalls.

-- 
Sébastien Lugan
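The X-Forwarded-For point made above (the header is easily forged by the client) is what the database's webmasters would have to handle carefully. The following is an added example, not code from this thread or from Squid: it recovers the client address by trusting only hops appended by known proxies, then applies a source-IP restriction to the result. The proxy addresses and the allowed client range are constructed placeholders.

```javascript
// Added example (not from the original thread): how the remote database's
// web server could recover the client address from X-Forwarded-For while
// treating the header as untrusted unless the request comes from a known
// proxy. Proxy and client addresses below are constructed placeholders.
const TRUSTED_PROXIES = new Set([
  "203.0.113.10", // e.g. national.squidfarm (placeholder, TEST-NET-3)
  "203.0.113.11", // e.g. backup.squidfarm (placeholder)
]);

// "X-Forwarded-For: client, proxy1, proxy2" -> ["client", "proxy1", "proxy2"]
function parseXff(header) {
  if (!header) return [];
  return header.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Walk the chain from the right, i.e. from the hop appended by the proxy
// nearest to us. Trusted hops are stripped; the first untrusted address is
// the client as seen by the outermost trusted proxy. If the TCP peer itself
// is not a trusted proxy, the header is ignored: anyone can forge it.
function effectiveClientIp(remoteAddr, xffHeader) {
  if (!TRUSTED_PROXIES.has(remoteAddr)) return remoteAddr;
  const chain = parseXff(xffHeader);
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(chain[i])) return chain[i];
  }
  return remoteAddr; // header empty or only trusted proxies: use the peer
}
// Minimal IPv4 helpers for the database side's source-IP restriction.
function ipv4ToInt(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) {
    return null;
  }
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip), netInt = ipv4ToInt(net);
  if (ipInt === null || netInt === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((netInt & mask) >>> 0);
}

// Allow only effective clients inside the permitted (placeholder) range.
const ALLOWED_CLIENTS = "198.51.100.0/24";
function isAllowed(remoteAddr, xffHeader) {
  return inCidr(effectiveClientIp(remoteAddr, xffHeader), ALLOWED_CLIENTS);
}
```

A client that sends its own forged X-Forwarded-For still has the trusted proxy's entry appended after it, so the walk from the right lands on the address the proxy actually saw.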
Received on Wed Nov 15 2000 - 10:32:04 MST