On 24.10.2012 07:55, Alexander.Eck wrote:
> Hi everyone,
>
> is it possible to have squid use the same Source Port to connect to
> the Webserver as the client uses to connect to squid ?
>
No. One gets errors when bind() is used on an already open port.
connect() and sendto() do not supply the OS with IP:port details.
>
> My problem is the following setup:
>
> Various Citrix Server
> URL Filtering with Identity Awareness
> Squid 3.1 as Cache Proxy
>
> I had to install a Terminal Server Identity Agent on every Citrix
> Server to distinguish the users.
>
> The Identity Agent assigns port ranges to every user, to distinguish 
> them.
>
>
> Problem is:
> In my firewall logs i can see the identity of the user for the
> request from the citrix server to the proxy (proxy is in the dmz).
> But i can't see the identity from the request from the proxy to the
> Internet.
>
> My guess is, that this is because squid isn't using the same Source
> Port as the client, or is not forwarding the Source Port.
"client" also does not mean what you think it means. Squid is a client 
in HTTP and can generate new or different requests along with those 
aggregated from its inbound clients.
HTTP/1.1 is also stateless with multiplexing and pipelines. Any 
outgoing connection can be shared by requests received between multiple 
inbound client connections. There is no relationship between inbound and 
outbound - adding a stateful relationship (pinning) degrades performance 
a LOT.
How does your fancy client identification system correlate them 
cheeses?
PS: the TCP/IP firewall level is not a good place to log HTTP level 
client details.
>
> Did anybody try something similar and got it working ?  Is squid
> capable of doing this or do i have an error in reasoning about my
> setup ?
>
> Any help is appreciated :)
Amos
Received on Wed Oct 24 2012 - 00:35:57 MDT
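
Added example, not part of the original thread and not Squid or Identity Agent code: since the proxy's outbound connections carry no trace of the inbound source port, user attribution can be done at the HTTP level from the proxy's own log instead. The sketch assumes a custom Squid `logformat` that records the client address and source port (`%>a`, `%>p`), and a per-server port range table whose layout is hypothetical; all sample data is constructed.

```python
import bisect

# Constructed sample: per terminal server, (first_port, last_port, user)
# ranges as an identity agent might assign them (hypothetical layout).
PORT_RANGES = {
    "10.0.0.11": [(20000, 20999, "alice"), (21000, 21999, "bob")],
    "10.0.0.12": [(20000, 20999, "carol")],
}

# Constructed sample lines in an assumed custom format:
#   logformat ident_ports %ts %>a %>p %rm %ru
SAMPLE_LOG = """\
1351061757 10.0.0.11 20417 GET http://example.com/
1351061758 10.0.0.11 21003 GET http://example.org/a
1351061759 10.0.0.12 20999 CONNECT example.net:443
1351061760 10.0.0.12 45000 GET http://example.com/b
1351061761 10.0.0.99 20001 GET http://example.com/c
"""

def user_for(ip, port, ranges=PORT_RANGES):
    """Return the user owning (ip, port), or None if no range matches."""
    table = sorted(ranges.get(ip, []))
    starts = [r[0] for r in table]
    i = bisect.bisect_right(starts, port) - 1
    if i >= 0 and table[i][0] <= port <= table[i][1]:
        return table[i][2]
    return None

def attribute(log_text):
    """Yield (timestamp, user_or_None, method, url) per parsable line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[2].isdigit():
            continue  # skip malformed lines rather than guess
        ts, ip, port, method, url = fields
        yield int(ts), user_for(ip, int(port)), method, url

if __name__ == "__main__":
    for ts, user, method, url in attribute(SAMPLE_LOG):
        print(ts, user or "UNATTRIBUTED", method, url)
```

Requests whose source port falls outside every assigned range, or that come from an unknown server, come back with no user and are worth reviewing separately.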