Re: [squid-users] whitelisted IP problem

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Tue, 20 Mar 2012 01:30:25 +0200

On 20/03/2012 00:36, Vijay S wrote:
> Sorry, I cannot share the URL and hence I'm replacing the feed as
> http://feeds.example.com/newsfeeds.xml
>
> On Tue, Mar 20, 2012 at 1:37 AM, Eliezer Croitoru<eliezer_at_ngtech.co.il> wrote:
>> On 19/03/2012 18:58, Vijay S wrote:
>>>
>>> Hi
>>>
>>> I have my server box hosting Apache and Squid on a CentOS machine.
>>> When I send my request for the client's feeds it works, as they have
>>> whitelisted my IP address, and when I make the call via squid it gives
>>> me invalid IP. I checked the access log for more information and found
>>> that instead of sending my IP address it's sending the localhost IP
>>> address (127.0.0.1).
>>
>> I'm still trying to understand your network infrastructure.
>> You have one Apache server that also hosts squid?
> Yes
>
>> can you give the logs output?
> 1332194292.909 1 192.168.1.10 TCP_DENIED/403 3480 CONNECT feeds.example.com:80 - NONE/- text/html
> 1332194335.536 1 192.168.1.10 TCP_DENIED/403 3480 CONNECT feeds.example.com:80 - NONE/- text/html
> 1332194399.852 1 192.168.1.10 TCP_DENIED/403 3480 CONNECT feeds.example.com:80 - NONE/- text/html
>
>
>> what is the /etc/hosts content?
> 122.166.1.184 localhost
> 122.166.1.184 reactmedia.com
> 122.166.1.184 rm117
>
>
>> by clients do you mean your clients of squid?
> There is no squid, I'm accessing a feeds URL
> http://feeds.example.com/newsfeeds.xml
>
>> what do you mean by whitelisted your IP address?
> Only requests from my IP can access this feed, which they have
> configured. It opens when I access it from a browser, but when I call it
> from squid using PHP curl it does not work.
>
>> is the apache server listening on port 80?
> Yes

This part made me understand the problem.
If you want to understand the problem, try going to this address:
http://www1.ngtech.co.il/myip.php
I think the problem is that the proxy is forwarding an "x_forward" header
on the HTTP request, which is causing the problem.
If your proxy is using the "x_forward" header you will see it in the page.

In order to disable this header you can add this directive to your
squid.conf:
request_header_access X-Forwarded-For deny Safe_ports

If it is indeed what caused the problem you should be OK.

Regards,
Eliezer

>
>> can you access it directly by ip + port 80? (no proxy)
> yes
>
>> and with the proxy it's not working?
> True
>
>> if it's so then try to change the hosts file with the hostname in it to
>> external_ip www.hostname.domain
> It's not a domain to IP mapping issue. When my request is sent it's
> sent as 192.168.1.10 instead of 122.166.1.184, and hence the client URL
> is blocking me, considering the IP is not listed in their
> whitelisted IPs opened for me to access.
>
>
>>
>> Regards,
>> Eliezer
>>
>>
>>> I googled a little and found that using tcp_outgoing_address directive
>>> I can control the outgoing IP address and to my bad luck this didn’t
>>> work
>>>
>>> My configuration file is as follows
>>>
>>> acl all src all
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl to_localhost dst 127.0.0.0/32
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>>
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>>
>>> http_access allow localhost
>>> http_access deny all
>>>
>>> icp_access allow all
>>>
>>> http_port 3128
>>>
>>> visible_hostname loclahost
>>> debug_options ALL,1 33,2 28,9
>>> tcp_outgoing_address 122.166.1.184
>>>
>>> Can somebody help me with the configuration for my servers? It will be
>>> of great help.
>>>
>>> Thanks & Regards
>>> Vijay
>>
>>
>>
>>
>> --
>> Eliezer Croitoru
>> https://www1.ngtech.co.il
>> IT consulting for Nonprofit organizations
>> elilezer<at> ngtech.co.il
>>

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
elilezer <at> ngtech.co.il
Received on Mon Mar 19 2012 - 23:57:12 MDT
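
An added example, not part of the original thread: a small Python evaluator that replays the logged requests against the `http_access` rules from the posted squid.conf, using Squid's first-match semantics, to show which rule produced each `TCP_DENIED/403`. The ACL table is re-typed from the posted config (`to_localhost` and `icp_access` are omitted because no `http_access` rule uses them), and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# ACLs re-typed from the squid.conf quoted in the thread.
ACLS = {
    "manager":    lambda r: r["proto"] == "cache_object",
    "localhost":  lambda r: r["src"] == "127.0.0.1",
    "SSL_ports":  lambda r: r["port"] == 443,
    "Safe_ports": lambda r: (r["port"] in {80, 21, 443, 70, 210, 280, 488, 591, 777}
                             or 1025 <= r["port"] <= 65535),
    "CONNECT":    lambda r: r["method"] == "CONNECT",
    "all":        lambda r: True,
}
HTTP_ACCESS = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all"""
# Log lines as quoted in the thread (native access.log format).
LOG = """\
1332194292.909 1 192.168.1.10 TCP_DENIED/403 3480 CONNECT feeds.example.com:80 - NONE/- text/html
1332194335.536 1 192.168.1.10 TCP_DENIED/403 3480 CONNECT feeds.example.com:80 - NONE/- text/html"""

def parse_log(line):
    """Extract the fields the ACLs test from one native-format log line."""
    f = line.split()
    url = f[6]
    # CONNECT is logged as host:port, other methods as a full URL.
    u = urlsplit(url if "://" in url else "//" + url)
    proto = u.scheme or "http"
    port = u.port or {"http": 80, "https": 443, "ftp": 21}.get(proto, 0)
    return {"src": f[2], "status": f[3], "method": f[5], "proto": proto, "port": port}

def first_match(req):
    """Rules run top-down; a rule matches only when ALL of its ACLs match."""
    for rule in HTTP_ACCESS.splitlines():
        _, action, *names = rule.split()
        # A leading "!" negates the ACL result.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, rule
    raise LookupError("no rule matched")

if __name__ == "__main__":
    for line in LOG.splitlines():
        req = parse_log(line)
        print(req["src"], req["method"], req["port"], "->", *first_match(req))
```
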