Re: [squid-users] How to set the IP of the real originator in HTTP requests (instead of Squid's IP)?

From: Leonardo Rodrigues <leolistas_at_solutti.com.br>
Date: Tue, 29 Nov 2011 17:58:52 -0200

     tcp_outgoing_address is probably what you're looking for.

     From the default squid.conf:

# TAG: tcp_outgoing_address
# Allows you to map requests to different outgoing IP addresses
# based on the username or source address of the user making
# the request.
#
# tcp_outgoing_address ipaddr [[!]aclname] ...
#
# Example where requests from 10.0.0.0/24 will be forwarded
# with source address 10.1.0.1, 10.0.2.0/24 forwarded with
# source address 10.1.0.2 and the rest will be forwarded with
# source address 10.1.0.3.
#
# acl normal_service_net src 10.0.0.0/24
# acl good_service_net src 10.0.1.0/24 10.0.2.0/24
# tcp_outgoing_address 10.1.0.1 normal_service_net
# tcp_outgoing_address 10.1.0.2 good_service_net
# tcp_outgoing_address 10.1.0.3
#
# Processing proceeds in the order specified, and stops at first fully
# matching line.
#
# Note: The use of this directive using client dependent ACLs is
# incompatible with the use of server side persistent connections. To
# ensure correct results it is best to set server_persistent_connections
# to off when using this directive in such configurations.
#
#Default:
# none

On 29/11/11 14:35, Leonardo wrote:
> Dear all,
>
> We have a Cisco ASA firewall between our internal network and the
> Internet. Our Squid transparent proxy (v3.1.7) is just behind the
> firewall.
>
> Our problem concerns IP address translation from private to public.
> Specifically, we would like that clients go out on the Web with a
> public IP address which depends on the subnet the client is in.
> However, we can't differentiate the addresses as the Cisco ASA sees
> only the IP private address of the Squid as originator of all HTTP
> requests.
> I haven't set the directive forwarded_for in my Squid config, which
> should mean that, by default, the real originator is passed in a
> X-Forwarded-For header.
>
> I'd like to know if there is something else that can be done on the
> Squid side, or if now I need to work solely on the config of the Cisco
> ASA (as I believe).
>
> Thanks for your time and your answers,
>
> L.

-- 
	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br
	gertrudes_at_solutti.com.br
	My SPAMTRAP, do not email it
Received on Tue Nov 29 2011 - 19:59:06 MST
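
Added example, not part of the original message and not Squid code: a small Python check that applies the first-match rule from the squid.conf comment quoted above, so the outgoing address each client subnet gets can be confirmed before firewall NAT rules are keyed on it. The `lab` ACL and its negated use are constructed for illustration, and only `src` ACLs written as single addresses or CIDR networks are handled (an assumption; Squid accepts more forms).

```python
import ipaddress

# Constructed sample: the example from the quoted squid.conf comment, plus a
# hypothetical "lab" ACL to exercise the [!]aclname form.
SAMPLE_CONF = """
acl normal_service_net src 10.0.0.0/24
acl good_service_net src 10.0.1.0/24 10.0.2.0/24
acl lab src 10.0.2.128/25
tcp_outgoing_address 10.1.0.1 normal_service_net
tcp_outgoing_address 10.1.0.2 good_service_net !lab
tcp_outgoing_address 10.1.0.3
"""

def parse(conf):
    """Collect 'acl NAME src ...' networks and tcp_outgoing_address rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(t) for t in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 2 and tok[0] == "tcp_outgoing_address":
            rules.append((tok[1], tok[2:]))  # (address, ACL names in order)
    return acls, rules

def outgoing_address(client, acls, rules):
    """Return the address of the first rule whose ACLs all match, else None."""
    ip = ipaddress.ip_address(client)
    for addr, names in rules:
        matched = True
        for name in names:
            negate = name.startswith("!")
            hit = any(ip in net for net in acls[name.lstrip("!")])
            if hit == negate:  # ACL missed, or a negated ACL matched
                matched = False
                break
        if matched:  # a rule with no ACLs matches every client
            return addr
    return None

if __name__ == "__main__":
    acls, rules = parse(SAMPLE_CONF)
    for client in ("10.0.0.7", "10.0.1.20", "10.0.2.200", "192.168.1.1"):
        print(client, "->", outgoing_address(client, acls, rules))
```
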
