Re: [squid-users] packet level accounting & connection pinning

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 13 Jul 2003 13:31:36 +0200

On Sunday 13 July 2003 11.11, lartc@manchotnetworks.net wrote:

> i'm in the process of attempting to do packet level accounting for
> users behind a squid proxy. in a few simple tests, i came to the
> conclusion that access.log does not log the actual tcp/ip header as
> part of the byte count, nor does it account for the syn, syn-ack,
> ack packets when squid requests a page from an http server.

Correct. Squid is a TCP application and does not/can not know about
packet details.

> as i read through the archives, i ran across something called
> connection-pinning, and if i understand it correctly :-), it allows
> for the originating client's address to be used by squid?

Not quite what connection pinning is about, but it is a requirement if
one wants a truly transparent proxy and is why it is mentioned in the
same thread.

What you need to make Squid use the client's IP address is

  a) A TCP kernel which allows Squid to freely set the source IP
address

  b) A network where this is possible

  c) A squid patched/configured to use the TCP kernel feature of 'a'.

It should be noted that all this is a gross hack far outside the
TCP/IP specifications on how hosts may behave on the Internet.

There are two core approaches to the above

  a) Use a TCP kernel patch, such as the Linux TPROXY patch.

  b) Use NAT services, by assigning a range of private IP addresses to
the Squid server and teach Squid to use the correct IP address per
client then NAT these to the clients' real IP in a suitable NAT
enabled router/gateway. This approach does not require any patching
unless you have very many clients.

> is this possible? is there a way to attribute every packet
> that squid sends (assuming no icp) to a client?

Everything is possible, it is only a matter of how much work is needed
to make it true.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Sun Jul 13 2003 - 05:32:04 MDT
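
The NAT approach (b) from the message above, sketched as an added example that is not part of the original post or of Squid itself: a small generator that gives each client one private alias address and emits the matching Squid host commands, squid.conf lines and gateway SNAT rules. The function name, the `client_N` ACL names, the `eth0` interface, the sample addresses and the alias pool are assumptions, as is a Linux iptables gateway sitting between Squid and the origin servers.

```python
import ipaddress

def plan_per_client_nat(clients, pool_cidr, squid_dev="eth0"):
    """Give every client one private alias address on the Squid host and
    return (mapping, host_cmds, squid_conf, gateway_rules)."""
    pool = ipaddress.IPv4Network(pool_cidr)
    if not pool.is_private:
        raise ValueError(f"{pool_cidr} is not a private range")
    # Deduplicate and sort so the client -> alias mapping is stable.
    wanted = sorted({ipaddress.IPv4Address(c) for c in clients})
    aliases = iter(pool.hosts())
    mapping, host_cmds, squid_conf, gateway_rules = {}, [], [], []
    for n, client in enumerate(wanted, start=1):
        if client in pool:
            raise ValueError(f"client {client} lies inside the alias pool")
        alias = next(aliases, None)
        if alias is None:
            raise ValueError(f"{pool_cidr} has fewer addresses than clients")
        mapping[str(client)] = str(alias)
        # Squid host: the alias must be a local address before Squid can bind it.
        host_cmds.append(f"ip addr add {alias}/32 dev {squid_dev}")
        # squid.conf: requests from this client leave from its alias.
        squid_conf.append(f"acl client_{n} src {client}/32")
        squid_conf.append(f"tcp_outgoing_address {alias} client_{n}")
        # Gateway: rewrite the alias to the client's real address on the way out.
        gateway_rules.append(
            f"iptables -t nat -A POSTROUTING -s {alias} -j SNAT --to-source {client}")
    return mapping, host_cmds, squid_conf, gateway_rules

if __name__ == "__main__":
    # Constructed sample clients (documentation range) and alias pool.
    _, host, conf, gw = plan_per_client_nat(
        ["192.0.2.10", "192.0.2.11"], "10.99.0.0/29")
    print("\n".join(host + [""] + conf + [""] + gw))
```

Because each alias belongs to exactly one client, packet counters keyed on the alias address between Squid and the gateway cover the handshake packets and header bytes that access.log leaves out.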
