RE: [squid-users] Really transparent proxy

From: Facundo Vilarnovo <fvilarnovo@dont-contact.us>
Date: Wed, 16 May 2007 01:05:16 -0300

Zul, we already do that... it doesn't change anything :(

I don't remember right now how it was, but in option 1, via off, forward off, it shows that I'm BEHIND a proxy, but shows the client IP address. Option 2: without via and forward it doesn't, but it shows the Squid IP address instead of the client's IP. I don't know if you understand me :(

But it was something like that :(

Thanks to all
Facundo Vilarnovo

-----Original Message-----
From: Facundo Vilarnovo [mailto:fvilarnovo@ertach.com]
Sent: Wednesday, May 16, 2007 12:50 a.m.
To: squid-users@squid-cache.org
CC: Nicolas Royo
Subject: RE: [squid-users] Really transparent proxy

Here it goes!
#####squid Conf.#####
http_port 3128 tproxy transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
        acl Safe_ports port 80 # http
        acl Safe_ports port 21 # ftp
        acl Safe_ports port 443 # https
        acl Safe_ports port 70 # gopher
        acl Safe_ports port 210 # wais
        acl Safe_ports port 1025-65535 # unregistered ports
        acl Safe_ports port 280 # http-mgmt
        acl Safe_ports port 488 # gss-http
        acl Safe_ports port 591 # filemaker
        acl Safe_ports port 777 # multiling http
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 0.0.0.0/0.0.0.0
http_access allow our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname debian-sq
wccp2_router y.y.y.y
 wccp_version 4
 wccp2_forwarding_method 1
 wccp2_return_method 1
 wccp2_assignment_method 1
coredump_dir /usr/local/squid/var/cache
###### end of file #####

Here are the Iptables:
squid-RC9:/usr/local/squid/etc# iptables -L -t tproxy
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
TPROXY tcp -- anywhere anywhere tcp dpt:www TPROXY redirect 0.0.0.0:3128
TPROXY tcp -- anywhere anywhere tcp dpt:www TPROXY redirect 0.0.0.0:80
TPROXY tcp -- anywhere anywhere tcp dpt:www TPROXY redirect 0.0.0.0:80
TPROXY tcp -- anywhere anywhere tcp dpt:www TPROXY redirect 0.0.0.0:3128

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

If any extra info is needed, I have no problem posting it!

Thanks all!!
Facundo Vilarnovo

-----Original Message-----
From: zulkarnain [mailto:sizulku@yahoo.com]
Sent: Tuesday, May 15, 2007 11:22 p.m.
To: Facundo Vilarnovo; squid-users@squid-cache.org
CC: Nicolas Royo
Subject: RE: [squid-users] Really transparent proxy

--- Facundo Vilarnovo <fvilarnovo@ertach.com> wrote:
> Now we got squid+wccp+tproxy module working but,
> some sites like http://www.whatsmyipaddress.com/
> shows the client origin ip address (that's correct)
> and ALSO shows that it is behind a PROXY! Any ideas
> of what can be wrong? If it is needed we may post our
> configuration file of squid!
>

Have you turned OFF "via" and "forwarded_for" in your
squid.conf?

-Zul

 
Received on Tue May 15 2007 - 22:05:17 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:05 MDT
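
The thread turns on which request headers Squid's "via" and "forwarded_for" settings leave visible to the origin server. The Python below is an added example, not code from the thread or from the Squid project: it lists what a site could read from one request. The request heads and addresses are constructed, and the "X-Forwarded-For: unknown" value for forwarded_for off is an assumption taken from Squid's documented behaviour, not from the posters' setup.

```python
# Added example: request heads and addresses below are constructed samples.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")

def parse_headers(raw):
    """Return {lowercased name: value} for the header block of a raw request."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip request line
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def proxy_indicators(raw, peer_ip):
    """List what reveals a proxy to the origin server for one request."""
    headers = parse_headers(raw)
    findings = [f"{h}: {headers[h]}" for h in PROXY_HEADERS if h in headers]
    xff = headers.get("x-forwarded-for", "")
    first = xff.split(",")[0].strip()
    # A real address in X-Forwarded-For that differs from the TCP peer means
    # the connection came from the proxy's own address (no source spoofing).
    if first and first.lower() != "unknown" and first != peer_ip:
        findings.append(f"peer {peer_ip} != forwarded client {first}")
    return findings

BASE = "GET / HTTP/1.0\r\nHost: www.example.com\r\n"
# via on, forwarded_for on
DEFAULTS = (BASE + "Via: 1.0 debian-sq:3128 (squid)\r\n"
            "X-Forwarded-For: 192.0.2.10\r\n\r\n")
# via off, forwarded_for off: assumed to leave "X-Forwarded-For: unknown"
BOTH_OFF = BASE + "X-Forwarded-For: unknown\r\n\r\n"
# both headers removed entirely
STRIPPED = BASE + "\r\n"

if __name__ == "__main__":
    for label, raw, peer in [
        ("headers on, client source address", DEFAULTS, "192.0.2.10"),
        ("headers on, proxy source address", DEFAULTS, "198.51.100.5"),
        ("via/forwarded_for off", BOTH_OFF, "192.0.2.10"),
        ("headers stripped", STRIPPED, "192.0.2.10"),
    ]:
        print(label, "->", proxy_indicators(raw, peer) or "no header evidence")
```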