Re: [squid-users] Detect source IP Address via Squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 29 Jul 2009 20:48:48 +1200

Farhad Ibragimov wrote:
> Dear Amos
>
> Please look at this
>
> Client ---> Router with WCCP ---> Proxy squid(3.0.15)---> Apache
>
> Apache sees the request as coming from the Proxy squid server. My question is: is it
> possible to see the requesting IP address of the Client in the Apache log files? If yes, how can I
> do this?

Squid passes the IP on to Apache in the X-Forwarded-For: header.
Apache needs to log this header content.

Where there are multiple IPs listed in it, the first is the client that
contacted Squid.
The last is _probably_ the real client. Can contain forged values so
trust decreases away from the machines you can identify. The first
listed IP was added by a trusted Squid, so it must be right, second
maybe not, etc.

>
> My configuration
> Linux "MY DOMAIN" 2.6.18-128.1.16.el5 #1 SMP Tue Jun 30 06:07:26 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
>
>
> # WELCOME TO SQUID 3.0.STABLE15
> # ----------------------------
> http_port 3128 transparent
> cache_mem 1024 MB
> #minimum_object_size 32 KB
> icp_port 0
> wccp2_router "HIDDEN"
> visible_hostname "HIDDEN"
> url_rewrite_children 20
> cache_dir ufs /cache 6000 16 256
> cache_swap_low 90
> cache_swap_high 95

> allow_underscore on

eww! Find a plank and beat the people needing that.

> request_header_max_size 20 KB
> client_persistent_connections on
> server_persistent_connections on
> maximum_object_size_in_memory 50 KB
> cache_replacement_policy heap LFUDA
> maximum_object_size 50 MB
> ######LOG################
> access_log /var/squid/logs/access.log squid
> cache_log /var/squid/logs/cache.log
> cache_store_log /var/squid/logs/store.log
> ###############################
> cache_mgr "HIDDEN"
> httpd_suppress_version_string on
> # SNMP OPTIONS
> # -----------------------------------------------------------------------------
> #snmp_port 1161
> #snmp_access allow snmppublic localhost
> #snmp_access deny all
> cache_effective_user squid
> cache_effective_group squid
> ###############################################################
> acl dayaz dstdomain "HIDDEN"
> always_direct allow "HIDDEN"
> ###############################################################
> refresh_pattern -i \.gif$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.png$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.jpg$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.jpeg$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.pdf$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.zip$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.tar$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.gz$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.tgz$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.exe$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.prz$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.ppt$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.inf$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.swf$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.mid$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.wav$ 43200 100% 43200 override-lastmod override-expire
> refresh_pattern -i \.mp3$ 43200 100% 43200 override-lastmod override-expire
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> ##########################################
> negative_ttl 0 seconds
> #########################################
> # ACCESS CONTROLS
> ##############################################################
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl mynet src "HIDDEN"
>
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed

Sigh. SO many people not bothering to read the above...

Either change to be your valid networks, or remove completely and keep
your own name(s) for the ACL [ ie "mynet" ].

> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> #
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> # TAG: http_access
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> #http_access allow localnet
> http_access allow mynet
> http_access deny all
>
> icp_access deny all
> htcp_access deny all
>
> hierarchy_stoplist cgi-bin ?
>
> # TAG: debug_options
> # Logging options are set as section,level where each source file
> # is assigned a unique section. Lower levels result in less
> # output, Full debugging (level 9) can result in a very large
> # log file, so be careful. The magic word "ALL" sets debugging
> # levels for all sections. We recommend normally running with
> # "ALL,1".
> #
> #Default:
> # debug_options ALL,1
>
> icp_port 0
> htcp_port 0
> log_icp_queries off
>
> allow_underscore on
>
> # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
> #wccp_version 4
> # wccp2_rebuild_wait on
> # wccp2_forwarding_method 1
> # wccp2_return_method 1
> # wccp2_assignment_method 1
> # wccp2_service standard 0
> # wccp2_weight 10000
> # wccp_address 0.0.0.0
> # wccp2_address 0.0.0.0
>
> # ERROR PAGE OPTIONS
> # -----------------------------------------------------------------------------
> # error_directory /squid/share/errors/templates
> email_err_data on
>
> client_db on
> coredump_dir /var/squid/cache
>
>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
   Current Beta Squid 3.1.0.12
Received on Wed Jul 29 2009 - 08:49:01 MDT
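
As an added illustration of the reply above (not part of the original message, and not Squid or Apache project code): a Python example that reads Apache access-log lines carrying the X-Forwarded-For header and decides which address to attribute each request to. The LogFormat line, the proxy address 192.0.2.10 and the sample log lines are constructed for the example, and it assumes each proxy appends the address of the peer that connected to it to the end of the header.

```python
import ipaddress
import re

# Assumed Apache directives that produce the lines parsed below:
#   LogFormat "%h \"%{X-Forwarded-For}i\" %t \"%r\" %>s" xff
#   CustomLog logs/access_log xff
# %h is the TCP peer, i.e. Squid for requests that came through the proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]  # constructed Squid address
LINE_RE = re.compile(
    r'^(?P<peer>\S+) "(?P<xff>[^"]*)" \[[^\]]+\] "[^"]*" \d{3}$')

# Constructed sample log lines.
SAMPLE = [
    '192.0.2.10 "198.51.100.7" [29/Jul/2009:08:48:48 +0000] "GET / HTTP/1.1" 200',
    # The client sent its own X-Forwarded-For before the request reached Squid.
    '192.0.2.10 "10.9.9.9, 198.51.100.7" [29/Jul/2009:08:49:01 +0000] "GET /a HTTP/1.1" 200',
    # Request that reached Apache directly, not through the trusted proxy.
    '203.0.113.5 "127.0.0.1" [29/Jul/2009:08:49:30 +0000] "GET /b HTTP/1.1" 403',
]

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_from_line(line):
    """Return (attributed_ip, unverified_entries), or None if the line is unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        peer = ipaddress.ip_address(m.group("peer"))
    except ValueError:
        return None
    # A header sent by an unknown peer is fully client-controlled: ignore it.
    if not is_trusted(peer):
        return str(peer), []
    entries = [e.strip() for e in m.group("xff").split(",")]
    entries = [e for e in entries if e and e != "-"]
    # Walk from the entry written by the proxy nearest Apache towards the far end.
    while entries:
        candidate = entries.pop()
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            return str(peer), entries + [candidate]  # e.g. "unknown": stop here
        if not is_trusted(addr):
            return str(addr), entries  # remaining entries cannot be verified
    return str(peer), []

if __name__ == "__main__":
    for line in SAMPLE:
        print(client_from_line(line))
```
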
