Re: [squid-users] IP passthrough the cache

From: Laurent HENRY <laurent.henry@dont-contact.us>
Date: Wed, 22 Jan 2003 15:52:51 +0100

I'm OK with the fact that Squid changes the name of the sender of the IP packet.

To be clearer:
why, in this configuration, do I have a WinXP with IE 6.0 and a Win98 with
Netscape 4.7 granted access while passing through the proxy (the web
server is supposed to receive the address of the proxy in this case too)?
Especially when my Linux with Netscape 7.0 and my MacOS 10.2 with IE cannot!

To answer Neal: if the provider were willing to accept my proxy, everything would be
easier, you are right, but he insists on his system of per-IP licences!

On Wednesday 22 January 2003 15:24, you wrote:
> Laurent HENRY wrote:
> > I mean it works using the remote application and passing through the proxy,
> > so I guess it passes through the proxy but the end application doesn't see the
> > proxy address and knows it is for one of its registered clients.
>
> Yes, that is normal because IP-wise, if Squid is in place,
> then any packet has the source IP address of the proxy.
> It was discussed in the past whether Squid could forge
> the IP address of the client in the IP packet.
>
> This, of course, is impossible, because if
> you look at the network stack, it is an application.
> Meaning that it has no access to the IP source and destination fields
> in an IP packet.
>
> M.
>
> > in my squid.conf :
> > forwarded_for on
> >
> > On Wednesday 22 January 2003 15:01, Marc Elsen wrote:
> > > Laurent HENRY wrote:
> > > > Hi,
> > > > Thank you for your answer. Unfortunately, I told them the same but
> > > > they don't seem to give a damn about my complaints.
> > > > What I don't understand is why (without any special Squid
> > > > configuration) it works with some workstations (Win$) and not at
> > > > all with some others (MacOS/Linux).
> > >
> > > Not sure what you mean by 'it works' here, you mean just Internet
> > > access or using the remote application ?
> > >
> > > > Can you tell me more about X-Forwarded-For and the use of it in this
> > > > particular bad case?
> > >
> > > From squid.conf.default
> > >
> > >
> > > # TAG: forwarded_for on|off
> > > # If set, Squid will include your system's IP address or name
> > > # in the HTTP requests it forwards. By default it looks like
> > > # this:
> > > #
> > > # X-Forwarded-For: 192.1.2.3
> > > #
> > > # If you disable this, it will appear as
> > > #
> > > # X-Forwarded-For: unknown
> > > #
> > > #Default:
> > > # forwarded_for on
> > >
> > > It remains at the discretion of the remote web server to use that info,
> > > but as stated, it would probably be very easy to work around such
> > > auth schemes.
> > >
> > > > On Wednesday 22 January 2003 14:27, you wrote:
> > > > > Laurent HENRY wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I come back to an old topic I found in the archives of the
> > > > > > mailing list, a thread named "Passthrough TCP/IP address".
> > > > > > I'm facing exactly the same problem now and I don't know how to
> > > > > > resolve it.
> > > > > >
> > > > > > Some of the clients on my network need to connect to a website
> > > > > > using an IP address access list (for a paying subscription).
> > > > > > My clients can't have Internet access without the proxy, so I
> > > > > > can't give them direct access to the site and bypass Squid as
> > > > > > told in the thread. The foreign web server wants to see the IP of
> > > > > > the client and only gets the IP of my proxy, so they are refused.
> > > > > > Can I configure the proxy to do something to resolve the
> > > > > > problem?
> > > > > >
> > > > > > This case is very hard for me to understand because some client
> > > > > > systems seem to actually pass through and some not; this without
> > > > > > any action from me...
> > > > >
> > > > > Tell the remote server (service) to look at the X-Forwarded-For
> > > > > field in the HTTP request sent out.
> > > > > Usage of this header is controlled in squid.conf.
> > > > >
> > > > > Anyway, we were faced with similar problems in the past: modern
> > > > > web servers will use authentication based upon usernames/passwords
> > > > > etc.
> > > > >
> > > > > Why? Because a higher-level application should use high-level
> > > > > authentication schemes (tell them that :-).
> > > > >
> > > > > IP in the current Internet world is being hacked around all the
> > > > > time; NAT-ing, routers+NAT, firewall-NAT, etc. can make it so that
> > > > > in this world any IP address can 'represent' many hosts.
> > > > >
> > > > > So they are simply implementing poor auth schemes...
> > > > >
> > > > > M.
Received on Wed Jan 22 2003 - 08:09:07 MST
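The thread turns on two points: Squid's forwarded_for setting only adds an HTTP header, and, as Marc says, a server that authorises by that header is easy to work around. The following is an added example, not code from the thread or from Squid itself. It models what the quoted forwarded_for setting puts on the wire and shows two ways a web server that licenses by IP address could read the header: the naive way (take the first entry) and the only defensible way (trust one entry, appended by one known proxy). Assumptions: Squid appends the connecting client's address to an X-Forwarded-For header the client already supplied, and with forwarded_for off it sends "unknown", as the quoted squid.conf text states; the addresses, the licensee range and the proxy address are constructed from RFC 5737 documentation ranges.

```python
# Added example, not code from the squid-users thread or from Squid: a model of
# what forwarded_for puts on the wire and how an IP-licensing server might read
# it. Squid's append-to-existing-header behaviour is assumed; all addresses are
# constructed (RFC 5737 documentation ranges).
import ipaddress

LICENSED_NETS = [ipaddress.ip_network("203.0.113.0/24")]    # constructed licensee range
TRUSTED_PROXIES = {ipaddress.ip_address("198.51.100.10")}   # the one proxy the provider agreed to trust


def squid_forward(client_ip, client_headers, forwarded_for=True):
    """Return the headers Squid would send upstream for a request from client_ip.

    forwarded_for=True  -> X-Forwarded-For gains the client's address, appended
                           to any value the client itself already sent.
    forwarded_for=False -> X-Forwarded-For: unknown, as the quoted squid.conf says.
    """
    headers = dict(client_headers)
    if forwarded_for:
        prior = headers.get("X-Forwarded-For")
        headers["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    else:
        headers["X-Forwarded-For"] = "unknown"
    return headers


def naive_client_ip(peer_ip, headers):
    """A server that simply 'looks at X-Forwarded-For': it takes the first
    entry, which is whatever the client chose to put there."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def careful_client_ip(peer_ip, headers):
    """Honour X-Forwarded-For only when the TCP peer is a proxy we trust, and
    then only the entry that proxy itself appended (the last one). Everything
    before it was written by parties the server has no reason to believe."""
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return peer_ip                      # direct connection: the header is irrelevant
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops or hops[-1] == "unknown":
        return None                         # proxy withheld it: refuse rather than guess
    return hops[-1]


def is_licensed(ip):
    """Per-IP licence check of the kind the provider in the thread applies."""
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LICENSED_NETS)


def spoof_demo():
    """An unlicensed client behind the proxy forges the first X-Forwarded-For
    entry. Returns (naive verdict, careful verdict)."""
    forged = {"X-Forwarded-For": "203.0.113.7"}      # attacker-chosen value
    upstream = squid_forward("192.0.2.50", forged)     # Squid appends 192.0.2.50
    proxy_addr = "198.51.100.10"                       # the server's actual TCP peer
    return (is_licensed(naive_client_ip(proxy_addr, upstream)),
            is_licensed(careful_client_ip(proxy_addr, upstream)))


if __name__ == "__main__":
    print(spoof_demo())   # (True, False): naive parsing grants the forged address
```

Two consequences follow for the situation in the thread. First, telling the provider to "look at X-Forwarded-For" without also telling it which proxy to trust lets any client forge a licensed address, which is the weakness Marc points out. Second, even the careful reading reduces to trusting the proxy, and if the clients behind Squid use private addresses the appended entry is one the provider cannot license anyway, so the header cannot substitute for authenticating the user.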

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:47 MST