[squid-users] Cancel this mailing list

From: Kavin Xiao <kavin_at_everfocus.com.cn>
Date: Wed, 24 Oct 2012 08:43:29 +0800

Hi,

How do I cancel this mailing list?

Thanks


----- Original Message -----
From: "Amos Jeffries" <squid3_at_treenet.co.nz>
To: <squid-users_at_squid-cache.org>
Sent: Wednesday, October 24, 2012 8:35 AM
Subject: Re: [squid-users] Squid 3.1 Client Source Port Identity Awareness


> On 24.10.2012 07:55, Alexander.Eck wrote:
>> Hi everyone,
>>
>> is it possible to have squid use the same Source Port to connect to
>> the Web server as the client uses to connect to squid?
>>
>
> No. One gets errors when bind() is used on an already open port.
> connect() and sendto() do not supply the OS with IP:port details.
>
>
>>
>> My problem is the following setup:
>>
>> Various Citrix Server
>> URL Filtering with Identity Awareness
>> Squid 3.1 as Cache Proxy
>>
>> I had to install a Terminal Server Identity Agent on every Citrix
>> Server to distinguish the users.
>>
>> The Identity Agent assigns port ranges to every user, to distinguish
>> them.
>>
>>
>> Problem is:
>> In my firewall logs I can see the identity of the user for the
>> request from the Citrix server to the proxy (proxy is in the DMZ).
>> But I can't see the identity from the request from the proxy to the
>> Internet.
>>
>> My guess is, that this is because squid isn't using the same Source
>> Port as the client, or is not forwarding the Source Port.
>
> "client" also does not mean what you think it means. Squid is a client
> in HTTP and can generate new or different requests along with those
> aggregated from its inbound clients.
>
> HTTP/1.1 is also stateless with multiplexing and pipelines. Any
> outgoing connection can be shared by requests received between multiple
> inbound client connections. There is no relationship between inbound and
> outbound - adding a stateful relationship (pinning) degrades performance
> a LOT.
>
> How does your fancy client identification system correlate them
> cheeses?
>
> PS: the TCP/IP firewall level is not a good place to log HTTP level
> client details.
>
>>
>> Did anybody try something similar and got it working? Is squid
>> capable of doing this or do I have an error in reasoning about my
>> setup?
>>
>> Any help is appreciated :)
>
>
> Amos
Received on Wed Oct 24 2012 - 00:43:42 MDT
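
The quoted reply points out that the firewall is not a good place to log HTTP-level client details. The following is an added example, not part of the original thread and not Squid's own code, that attributes requests to users from the proxy's access log instead. It assumes a custom Squid logformat of "%ts %>a %>p %rm %ru" and a hypothetical per-user port-range table of the kind the identity agent is described as assigning; all addresses, ranges, user names and log lines are constructed.

```python
import bisect

# Constructed port-range table: (citrix_server_ip, first_port, last_port, user).
# Hypothetical stand-in for the ranges a terminal-server identity agent assigns.
PORT_RANGES = [
    ("10.0.0.11", 20000, 20999, "alice"),
    ("10.0.0.11", 21000, 21999, "bob"),
    ("10.0.0.12", 20000, 20999, "carol"),
]

# Constructed access.log lines, assuming the logformat "%ts %>a %>p %rm %ru"
# (epoch seconds, client IP, client source port, method, URL).
SAMPLE_LOG = """\
1351039409 10.0.0.11 20417 GET http://example.com/
1351039410 10.0.0.11 21003 GET http://example.org/a
1351039411 10.0.0.12 20999 CONNECT example.net:443
1351039412 10.0.0.12 35000 GET http://example.com/b
1351039413 malformed line
"""

def build_index(ranges):
    """Group ranges per server IP, ordered by first port, for bisect lookup."""
    index = {}
    for ip, lo, hi, user in sorted(ranges):
        index.setdefault(ip, []).append((lo, hi, user))
    return index

def user_for(index, ip, port):
    """Return the user whose range covers ip:port, or None if none does."""
    ranges = index.get(ip, [])
    i = bisect.bisect_right(ranges, (port, float("inf"), "")) - 1
    if i >= 0 and ranges[i][0] <= port <= ranges[i][1]:
        return ranges[i][2]
    return None

def attribute(log_text, index):
    """Return (timestamp, user_or_None, method, url) per parseable log line."""
    out = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not (parts[0].isdigit() and parts[2].isdigit()):
            continue  # skip lines that do not match the assumed format
        ts, ip, port, method, url = parts
        out.append((int(ts), user_for(index, ip, int(port)), method, url))
    return out

if __name__ == "__main__":
    for row in attribute(SAMPLE_LOG, build_index(PORT_RANGES)):
        print(row)
```

Requests whose source port falls outside every known range come back with `None` as the user, which is the case worth reviewing when the table and the log disagree.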
