Re: [squid-users] real client ip address instead of squid Ip address

From: Saleh Madi <saleh.madi_at_hadara.ps>
Date: Tue, 20 Sep 2011 12:56:23 +0300 (IDT)

Dears,

I have setup a transparent proxy with the TPROXY feature and WCCP.

Below is my squid configuration

http_port SQUIDIP:3129 tproxy disable-pmtu-discovery=always

wccp2_router ROUTERIP
wccp_version 2
wccp2_forwarding_method 2
wccp2_return_method 2
wccp2_assignment_method mask
wccp2_service dynamic 87
wccp2_service_info 87 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 97
wccp2_service_info 97 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

iptables -t mangle -F
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i eth0 -p tcp ! -s SQUIDIP --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100

Squid Version: 3.2.0.12 compiled with libcap2
Kernel : 2.6.37-1

It works without any problem, but on whatismyip.com I see the squid's real
IP address, not the real client IP address. I would greatly appreciate
any idea to resolve this problem.

Many thanks and Best Regards,
Saleh

> 2011/9/19 Khemara Lyn <lin.kh_at_wicam.com.kh>:
>> Dear Sir Amos,
>>
>> Thank you for your response and being helpful always.
>>
>> My squid.conf does have that "forwarded_for on" but I think, those public
>> upload/download file-sharing sites (fileserve, rapid share, etc.) are smart
>> enough to detect the header.
>>
>> Or is there a way to find out all the IP ranges used by those sites?
>> I would like to be able to block those IP ranges in WCCP access list so
>> that accesses to those sites will bypass my Squid box.
>>
>> Regards,
>> Khem
>>
>> On 09/20/2011 08:53 AM, Amos Jeffries wrote:
>>>
>>> On Mon, 19 Sep 2011 14:59:54 +0700, Khemara Lyn wrote:
>>>>
>>>> On 09/18/2011 04:38 PM, Saleh Madi wrote:
>>>>>
>>>>> Dears,
>>>>>
>>>>> How could I configure squid to show the clients' real IP address
>>>>> instead of the squid IP address?
>>>>> The problem is that all clients get the same IP address, which makes
>>>>> problems on file sharing websites like mega upload, rapidshare and
>>>>> other websites.
>>>>> We use squid in transparent mode with WCCP, please advise how to
>>>>> resolve this problem.
>>>>>
>>>>> Many thanks,
>>>>> Saleh Madi
>>>>>
>>>>>
>>>>>   Hi,
>>>>
>>>> I have the same query but doubt if it is possible at all, esp. with
>>>> WCCP.
>>>>
>>>> What I could do so far is configure the Squid box to have
>>>> multiple IPs and multiple gateways (5 of them) with IPRoute2, "ip
>>>> route". Each time, it could appear as a different IP but still get
>>>> blocked by those file-sharing Web sites as you mentioned.
>>>>
>>>> I would greatly appreciate any better idea.
>>>>
>>>> Thanks & regards,
>>>> Khem
>>>
>>>
>>> WCCP passes packets unchanged to the Squid box.
>>>
>>> You need two things:
>>>  1) to pass the IP through, using "forwarded_for on", which permits
>>> Squid to send the X-Forwarded-For header with the client IP.
>>>  2) the website to be smart enough to make use of the header. Some
>>> sites do not support or choose not to trust that HTTP header.
>>>
>>>
>>> Alternatively you could set up a transparent proxy with the TPROXY
>>> feature, spoofing the client inbound IP on the outbound traffic. This
>>> does work with WCCP, but is a bit tricky.
>>>  http://wiki.squid-cache.org/Features/Tproxy4
>>>
>>> Amos
>>>
>>>
>>
>>
>
> Maybe you may use a spool of public keys and also use squid's
> url_rewrite capability of 2.7 to cache files so this will reduce that
> symptom. How many IPs, how to configure squid is not easy to say, it
> requires analysis but it is a workaround if the X-Forwarded doesn't
> work.
>
> Khem, it is nice to know of you. Please contact me offline.
>
> LD
> http://www.twitter.com/ldlq
>
>
>
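A consistency check over the pieces this thread lists (the tproxy http_port, the mangle DIVERT/TPROXY rules, the fwmark rule and table 100), added here as an example; it is not code from any post in the thread or from Squid itself. It assumes squid.conf lives at /etc/squid/squid.conf, uses 192.0.2.10 as a constructed stand-in for SQUIDIP, and also flags an SNAT/MASQUERADE rule on the box, which would overwrite the spoofed client source after TPROXY has done its work.

```shell
# Consistency checks for the TPROXY plumbing described in the thread. Each
# check takes command output as text, so it runs on the constructed samples
# below and, as root with squid.conf present, on the live box.
# Port squid listens on with the tproxy flag, taken from squid.conf text.
squid_tproxy_port() {
  printf '%s\n' "$1" | awk '$1=="http_port" && /tproxy/ { sub(/.*:/, "", $2); print $2; exit }'
}
# Port the TPROXY target redirects to, from "iptables -t mangle -S PREROUTING".
iptables_tproxy_port() {
  printf '%s\n' "$1" | awk '/-j TPROXY/ { for (i=1;i<=NF;i++) if ($i=="--on-port") { print $(i+1); exit } }'
}
# fwmark 1 must select table 100, and table 100 must deliver everything locally.
check_policy_routing() {   # $1 = "ip rule show", $2 = "ip route show table 100"
  printf '%s\n' "$1" | grep -q 'fwmark 0x1 lookup 100' &&
  printf '%s\n' "$2" | grep -q '^local default dev '
}
# Packets for existing sockets must hit "-m socket -j DIVERT" before the TPROXY rule.
check_mangle_order() {     # $1 = "iptables -t mangle -S PREROUTING"
  s=$(printf '%s\n' "$1" | grep -n -- '-m socket -j DIVERT' | head -1 | cut -d: -f1)
  t=$(printf '%s\n' "$1" | grep -n -- '-j TPROXY' | head -1 | cut -d: -f1)
  [ -n "$s" ] && [ -n "$t" ] && [ "$s" -lt "$t" ]
}
# A spoofed client source only survives if this box does not SNAT it on the way out.
check_no_source_nat() {    # $1 = "iptables -t nat -S POSTROUTING"
  ! printf '%s\n' "$1" | grep -Eq -- '-j (MASQUERADE|SNAT)'
}
tproxy_check() {           # $1 squid.conf  $2 ip rule  $3 table 100  $4 mangle  $5 nat
  sp=$(squid_tproxy_port "$1"); fp=$(iptables_tproxy_port "$4")
  [ -n "$sp" ] && [ "$sp" = "$fp" ] || { echo "http_port tproxy ($sp) != --on-port ($fp)"; return 1; }
  check_policy_routing "$2" "$3" || { echo "fwmark rule or local route in table 100 missing"; return 1; }
  check_mangle_order "$4" || { echo "socket/DIVERT rule must precede the TPROXY rule"; return 1; }
  check_no_source_nat "$5" || { echo "SNAT/MASQUERADE in nat POSTROUTING would rewrite the spoofed source"; return 1; }
  echo "tproxy plumbing consistent"
}
# Constructed samples (not the poster's box; 192.0.2.10 stands in for SQUIDIP).
SAMPLE_CONF='http_port 192.0.2.10:3129 tproxy disable-pmtu-discovery=always'
SAMPLE_RULES='32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
SAMPLE_T100='local default dev eth0 scope host'
SAMPLE_MANGLE='-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING ! -s 192.0.2.10/32 -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1'
SAMPLE_NAT='-P POSTROUTING ACCEPT'
if [ "$(id -u)" = 0 ] && [ -r /etc/squid/squid.conf ] && command -v iptables >/dev/null 2>&1; then
  tproxy_check "$(cat /etc/squid/squid.conf)" "$(ip rule show)" "$(ip route show table 100)" \
    "$(iptables -t mangle -S PREROUTING)" "$(iptables -t nat -S POSTROUTING)"
else
  tproxy_check "$SAMPLE_CONF" "$SAMPLE_RULES" "$SAMPLE_T100" "$SAMPLE_MANGLE" "$SAMPLE_NAT"
fi
```

A passing run only shows that the local pieces agree with each other; a NAT hop upstream of the Squid box is outside what this script can see.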
Received on Tue Sep 20 2011 - 09:57:01 MDT

This archive was generated by hypermail 2.2.0 : Tue Sep 20 2011 - 12:00:03 MDT