Re: [squid-users] real client ip address instead of squid Ip address

From: Saleh Madi <saleh.madi_at_hadara.ps>
Date: Tue, 20 Sep 2011 16:30:15 +0300 (IDT)

Hi,

Any suggestions about this problem?

Thanks and Best Regards,
Saleh

> Dears,
>
> I have setup a transparent proxy with the TPROXY feature and WCCP.
>
> Below is my squid configuration
>
> http_port SQUIDIP:3129 tproxy disable-pmtu-discovery=always
>
> wccp2_router ROUTERIP
> wccp_version 2
> wccp2_forwarding_method 2
> wccp2_return_method 2
> wccp2_assignment_method mask
> wccp2_service dynamic 87
> wccp2_service_info 87 protocol=tcp flags=src_ip_hash priority=240 ports=80
> wccp2_service dynamic 97
> wccp2_service_info 97 protocol=tcp flags=dst_ip_hash,ports_source
> priority=240 ports=80
>
>
> iptables -t mangle -F
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -i eth0 -p tcp ! -s SQUIDIP --dport 80 -j
> TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> ip rule add fwmark 1 lookup 100
> ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
>
> Squid Version: 3.2.0.12 compiled with libcap2
> Kernel : 2.6.37-1
>
> It works without any problem, but on whatismyip.com I see the squid's real
> IP address, not the real client IP address. I would greatly appreciate any
> idea to resolve this problem.
>
> Many thanks and Best Regards,
> Saleh
>
>> 2011/9/19 Khemara Lyn <lin.kh_at_wicam.com.kh>:
>>> Dear Sir Amos,
>>>
>>> Thank you for your response and being helpful always.
>>>
>>> My squid.conf does have that "forwarded_for on" but I think those public
>>> upload/download file-sharing sites (fileserve, rapid share, etc.) are
>>> smart enough to detect the header.
>>>
>>> Or is there a way to find out all the IP ranges used by those sites?
>>> I would like to be able to block those IP ranges in the WCCP access list
>>> so that accesses to those sites will bypass my Squid box.
>>>
>>> Regards,
>>> Khem
>>>
>>> On 09/20/2011 08:53 AM, Amos Jeffries wrote:
>>>>
>>>> On Mon, 19 Sep 2011 14:59:54 +0700, Khemara Lyn wrote:
>>>>>
>>>>> On 09/18/2011 04:38 PM, Saleh Madi wrote:
>>>>>>
>>>>>> Dears,
>>>>>>
>>>>>> How could I configure squid to show the clients' real IP address
>>>>>> instead of the squid IP address? The problem is that all clients get
>>>>>> the same IP address, which makes problems on file-sharing websites
>>>>>> like mega upload, rapidshare and other websites. We use squid in
>>>>>> transparent mode with WCCP; please advise how to resolve this problem.
>>>>>>
>>>>>> Many thanks,
>>>>>> Saleh Madi
>>>>>>
>>>>>>
>>>>>>   Hi,
>>>>>
>>>>> I have the same query but doubt if it is possible at all, esp. with
>>>>> WCCP.
>>>>>
>>>>> What I could do so far is to configure the Squid box to have
>>>>> multiple IPs and multiple gateways (5 of them) with IPRoute2, "ip
>>>>> route". Each time it could appear as a different IP, but it still got
>>>>> blocked by those file-sharing Web sites as you mentioned.
>>>>>
>>>>> I would greatly appreciate any better idea.
>>>>>
>>>>> Thanks & regards,
>>>>> Khem
>>>>
>>>>
>>>> WCCP passes packets unchanged to the Squid box.
>>>>
>>>> You need two things:
>>>>  1) to pass the IP through, using "forwarded_for on", which permits
>>>> Squid to send the X-Forwarded-For header with the client IP.
>>>>  2) the website to be smart enough to make use of the header. Some
>>>> sites do not support or choose not to trust that HTTP header.
>>>>
>>>>
>>>> Alternatively you could set up a transparent proxy with the TPROXY
>>>> feature, spoofing the client inbound IP on the outbound traffic. This
>>>> does work with WCCP, but is a bit tricky.
>>>>  http://wiki.squid-cache.org/Features/Tproxy4
>>>>
>>>> Amos
>>>>
>>>>
>>>
>>>
>>
>> Maybe you may use a spool of public keys and also use the squid
>> url_rewrite capability of 2.7 to cache files, so this will reduce that
>> symptom. How many IPs and how to configure squid is not easy to say; it
>> requires analysis, but it is a workaround if the X-Forwarded doesn't
>> work.
>>
>> Khem, it is nice to know of you. Please contact me offline.
>>
>> LD
>> http://www.twitter.com/ldlq
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>>
>
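The three pieces of TPROXY plumbing quoted in the thread (the squid http_port line, the mangle-table rules and the policy routing) have to agree on the port, the packet mark and the routing table before the client-IP spoofing Amos describes can work. The checker below is an added example, not code from the thread or from Squid; its sample input is the poster's own configuration with the wrapped TPROXY rule rejoined on one line, and SQUIDIP is the placeholder the poster used.

```python
import re

# Constructed sample input: the TPROXY plumbing quoted in the thread, one
# command per line (the mail wrapped the TPROXY rule); SQUIDIP is the
# poster's own placeholder for the proxy address.
SQUID_CONF = "http_port SQUIDIP:3129 tproxy disable-pmtu-discovery=always\n"
IPTABLES = """\
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i eth0 -p tcp ! -s SQUIDIP --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
"""
IPROUTE = """\
ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
"""

def check_tproxy(squid_conf, iptables, iproute):
    """Return the mismatches between squid.conf, the mangle rules and the
    policy routing; an empty list means the three pieces agree."""
    problems = []
    port = re.search(r"^http_port\s+(?:[^\s:]+:)?(\d+)(.*)$", squid_conf, re.M)
    if not port or "tproxy" not in port.group(2).split():
        return ["squid.conf has no http_port line with the tproxy option"]
    tp = re.search(r"-j TPROXY .*--tproxy-mark (\S+) --on-port (\d+)", iptables)
    if not tp:
        return ["no TPROXY rule with --tproxy-mark and --on-port"]
    if tp.group(2) != port.group(1):
        problems.append("TPROXY --on-port %s differs from squid http_port %s"
                        % (tp.group(2), port.group(1)))
    value, _, maskstr = tp.group(1).partition("/")
    mark, mask = int(value, 0), int(maskstr or "0xffffffff", 0)
    # DIVERT must re-apply the same mark to packets of already-open sockets
    divert = re.search(r"-j MARK --set-mark (\S+)", iptables)
    if not divert or int(divert.group(1), 0) & mask != mark & mask:
        problems.append("DIVERT --set-mark does not match --tproxy-mark")
    # the policy rule must select on that mark, and its table must hold the
    # 'local' default route that delivers the diverted packets to Squid
    rule = re.search(r"ip rule add fwmark (\S+) lookup (\d+)", iproute)
    if not rule or int(rule.group(1), 0) & mask != mark & mask:
        problems.append("ip rule fwmark does not match --tproxy-mark")
    route = re.search(r"route add local 0\.0\.0\.0/0 dev \S+ table (\d+)", iproute)
    if not route:
        problems.append("no 'local 0.0.0.0/0' route for the TPROXY table")
    elif rule and route.group(1) != rule.group(2):
        problems.append("ip rule table %s differs from route table %s"
                        % (rule.group(2), route.group(1)))
    return problems
```

For the poster's configuration `check_tproxy(SQUID_CONF, IPTABLES, IPROUTE)` returns an empty list, so the port, mark and table are consistent and the cause of the symptom lies elsewhere; the function reports a finding for each mismatch when, say, the TPROXY rule's --on-port and the http_port disagree.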
Received on Tue Sep 20 2011 - 13:31:07 MDT

This archive was generated by hypermail 2.2.0 : Wed Sep 21 2011 - 12:00:02 MDT