RE: [squid-users] Really transparent proxy

From: Facundo Vilarnovo <fvilarnovo@dont-contact.us>
Date: Wed, 16 May 2007 18:15:38 -0300

Chris,
 
Thanks for your quick answer.
We've also tried that, now that you mention it; we are still trying a few combinations of the following lines.
 
header_access Via deny all / none
header_access X-Forwarded-For deny all / none
via off / on / deny
forwarder_for off / on / deny
 
The best result we've got is that it is not detecting the proxy server... but it is still going out with proxy IPs.
 
Some conclusions left that we are studying are:
 
-Our squid has only one NIC, not two like lots of examples here. (eth0 + gre0)
-We are using REDIRECT in iptables instead of nat... does that have anything to do with it?
-We are trying transparently (not setting the proxy in IE) and forcing it... results are the same, I guess?

-----Original Message-----
From: Chris Robertson [mailto:crobertson@gci.net]
Sent: Wednesday, May 16, 2007 05:36 p.m.
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Really transparent proxy

Facundo Vilarnovo wrote:
> Zul,
> What variables are you referring to? We test setting up the proxy ip on the IE.
> Pointing to port 3128 using http://www.whatsmyipaddress.com, as a result it says it passes the original source ip address (client's ip), but detects a proxy server. Doing totally "transparent" with wccp, nothing configured on IE, we get the same results.
> The point is we are still getting the proxy detected. Using variables like via and XFF, the result of using the XFF and via is that it passes the client IP address or doesn't.

While the above is correct...

> it seems to have nothing to do with the problem of the cache being visible or not.
>

...this is not.

> Via off XFF off = client's source IP is shown, proxy detected.
>

Makes sense. You are still transmitting an X-Forwarded-For header. Just
not populating it with data.

> Via on XFF on = client's source IP is not shown (shows proxy IP), proxy not detected.
>

This is a bit of a mystery. Perhaps the script is being tricked by
having a valid XFF and VIA header which don't agree with the client
source address.

> Tnxs!
> Facundo Vilarnovo
>

In any case, setting the tag "forwarded_for" to "off" in the squid.conf
file does not prevent its addition by Squid (see
http://www.squid-cache.org/Versions/v2/HEAD/cfgman/forwarded_for.html).
Setting "via off" only prevents the instance of Squid where it is set
from adding its own Via header. Try using...

header_access Via deny all
header_access X-Forwarded-For deny all

...and accessing whatsmyipaddress.com. You might have better luck.

Chris
Received on Wed May 16 2007 - 15:15:38 MDT
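
Added example, not part of the original thread or of Squid itself: a simplified Python model of the settings discussed above (via, forwarded_for, header_access ... deny all) showing which proxy-revealing request headers still reach the origin server under each combination. The function names, the proxy hostname and the sample addresses are constructed, and the check for Via and X-Forwarded-For is an assumption about what a header-based test page looks for.

```python
# Added example: simplified model of the squid.conf settings discussed in this
# thread and of a header-based proxy check. All sample values are constructed.

def squid_request_headers(client_ip, client_headers, via="on",
                          forwarded_for="on", header_access_deny=()):
    """Model the request headers a Squid 2.x instance sends upstream."""
    out = dict(client_headers)
    if via == "on":
        # "via off" only stops this instance from adding its own Via entry.
        hop = "1.0 proxy.example:3128 (squid)"  # constructed value
        out["Via"] = ", ".join(filter(None, [out.get("Via"), hop]))
    # "forwarded_for off" does not drop the header: it is sent as "unknown".
    entry = client_ip if forwarded_for == "on" else "unknown"
    out["X-Forwarded-For"] = ", ".join(
        filter(None, [out.get("X-Forwarded-For"), entry]))
    # "header_access <name> deny all" removes the header before it is sent.
    denied = {name.lower() for name in header_access_deny}
    return {k: v for k, v in out.items() if k.lower() not in denied}


def proxy_indicators(headers):
    """Return the proxy-revealing headers an origin server could observe."""
    revealing = ("via", "x-forwarded-for")
    return sorted(k for k in headers if k.lower() in revealing)


def audit(client_ip="192.0.2.10"):
    """Run the three configurations from the thread over one sample request."""
    browser = {"Host": "www.example.org", "User-Agent": "constructed/1.0"}
    cases = {
        "via on, forwarded_for on": {},
        "via off, forwarded_for off": {"via": "off", "forwarded_for": "off"},
        "header_access deny": {"header_access_deny": ("Via", "X-Forwarded-For")},
    }
    return {name: proxy_indicators(
                squid_request_headers(client_ip, browser, **kw))
            for name, kw in cases.items()}


if __name__ == "__main__":
    for name, found in audit().items():
        print(f"{name:28} -> {found or 'no proxy headers'}")
```

The model covers headers only: the origin server still sees the TCP source address of whichever host opened the connection, so removing Via and X-Forwarded-For does not change the IP address a test page reports.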
