Re: [squid-users] Squid as Content Accelerator with spoofing of outbound connections ?

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Mon, 18 Jun 2007 22:28:24 +0200

On Mon 2007-06-18 at 19:11 +0100, Darryl L. Miles wrote:
> Squid users,
>
> Is it possible to use Squid as a reverse proxy (Content Accelerator) and
> have the outbound request to the backend server spoof the original
> client IP ?

Yes, it should be possible using tproxy (Linux patch). But I have to
admit that I have never tried this combination.

But also remember that Squid does present the original client IP in the
X-Forwarded-For header, and there are patches to some web servers,
including Apache, to make the server use this instead of the TCP/IP
connection details.

> What is unclear is if squid/linux can be setup to allow squid to pick
> the client IP address it wants to be using the bind() system call, so
> that the IP can be that of the original request into squid.

Linux doesn't support this via bind() any more. The TCP/IP stack guys
didn't like how it complicated the TCP/IP implementation. For Linux-2.6
there is the tproxy patch from balabit which adds the same functionality
using another interface.

> Another alternative to this would be to employ something like Apache
> JServ, which is currently used as a Java/JSP connector and allows for
> proxying and have Squid speak this protocol.

Shouldn't be too hard I suppose, but I have never looked into the
details of that protocol.

> Linux has a "echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind" which might
> provide part of what is needed to achieve this.

One might think so, but it doesn't. It only allows servers to bind on
addresses not yet available; it doesn't allow any connections to take
place on those IPs until the IP exists on the server.

> There is just one issue that a keen eye might spot, in that how does the
> HTTP webserver know which squid proxy to route the traffic back via ?

You could have one backend server IP per Squid, and policy-route on
that.

Regards
Henrik

Received on Mon Jun 18 2007 - 14:28:29 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Jul 01 2007 - 12:00:04 MDT
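The reply above points at the X-Forwarded-For route as the alternative to spoofing the source address. The check a backend needs before it trusts that header is not spelled out in the thread, so here is an added example (not from Henrik, Darryl, or the Squid project): a backend-side routine that accepts X-Forwarded-For only when the TCP peer is one of our own accelerators, and then walks the header from the right, skipping our proxies, so that a value the client itself injected into X-Forwarded-For is ignored. The proxy address ranges and the sample header values are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed for this example: address ranges our Squid accelerators
# use when they connect to the backend (assumption, not from the thread).
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.0.0.5/32"),
]


def _is_trusted_proxy(addr: str) -> bool:
    """True if addr parses as an IP inside one of our proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the address the backend should treat as the client.

    peer_addr  - the TCP peer of the backend connection (what the kernel
                 reports; the only value that cannot be forged by the client)
    xff_header - the X-Forwarded-For header value as received, or None

    Each proxy appends the address it saw to the right of the header, so
    the rightmost entries were written by the proxies closest to us.
    Walking from the right and skipping our own proxies yields the address
    our outermost trusted proxy saw. Anything further left was supplied by
    an untrusted party (the client, or a proxy we do not run) and is ignored.
    """
    if not _is_trusted_proxy(peer_addr):
        # Direct connection that bypassed the accelerators: the header
        # may be attacker-controlled, so use the connection details.
        return peer_addr

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted_proxy(hop):
            continue  # appended by one of ours, keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing at or left of it
        return hop

    # Header empty, all entries ours, or malformed: fall back to the peer.
    return peer_addr
```

The point of walking from the right rather than taking the first entry is that a client can send its own X-Forwarded-For; Squid appends the real address after it, so the leftmost value is the one an attacker controls. Using the TCP peer as the gate also means a request that reaches the backend without passing through an accelerator (the case the thread's policy-routing discussion is trying to avoid) is not given a forged client address.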