Re: [squid-users] real client ip address instead of squid Ip address

From: Khemara Lyn <lin.kh_at_wicam.com.kh>
Date: Tue, 20 Sep 2011 10:12:52 +0700

Dear Sir Amos,

Thank you for your response and for always being helpful.

My squid.conf does have that "forwarded_for on" but I think those
public upload/download file-sharing sites (fileserve, rapid share, etc.)
are smart enough to detect the header.

Or is there a way to find out all the IP ranges used by those sites?
I would like to be able to block those IP ranges in WCCP access list so
that accesses to those sites will bypass my Squid box.

Regards,
Khem

On 09/20/2011 08:53 AM, Amos Jeffries wrote:
> On Mon, 19 Sep 2011 14:59:54 +0700, Khemara Lyn wrote:
>> On 09/18/2011 04:38 PM, Saleh Madi wrote:
>>> Dears,
>>>
>>> How could I configure squid to show the clients' real IP address
>>> instead of the squid IP address?
>>> The problem is that all clients get the same IP address, which causes
>>> problems on file sharing websites like mega upload, rapidshare and
>>> other websites.
>>> We use squid in transparent mode with WCCP; please advise how to
>>> resolve this problem.
>>>
>>> Many thanks,
>>> Saleh Madi
>>>
>>>
>>> Hi,
>>
>> I have the same query but doubt if it is possible at all, esp. with
>> WCCP.
>>
>> What I could do so far is that I configure the Squid box to have
>> multiple IPs and multiple gateways (5 of them) with IPRoute2, "ip
>> route". Each time, it could appear as a different IP but still get
>> blocked by those file-sharing Web sites as you mentioned.
>>
>> I would greatly appreciate any better idea.
>>
>> Thanks & regards,
>> Khem
>
>
> WCCP passes packets unchanged to the Squid box.
>
> You need two things:
> 1) to pass the IP through, using "forwarded_for on", which permits
> Squid to send the X-Forwarded-For header with Client IP.
> 2) the website to be smart enough to make use of the header. Some
> sites do not support or choose not to trust that HTTP header.
>
>
> Alternatively you could set up a transparent proxy with the TPROXY
> feature, spoofing the client inbound IP on the outbound traffic. This
> does work with WCCP, but is a bit tricky.
> http://wiki.squid-cache.org/Features/Tproxy4
>
> Amos
>
>
Received on Tue Sep 20 2011 - 03:13:01 MDT
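
Point 2 in the quoted reply, seen from the website's side, as an added example that is not part of the original thread: X-Forwarded-For is client-controllable, so an origin server can only honour it when the TCP peer is a proxy it already trusts. The function names and all addresses below are constructed for illustration (documentation ranges), not taken from Squid or from any of the sites mentioned.

```python
import ipaddress

# Constructed example: networks this origin server accepts as its own proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]


def is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, xff_header):
    """Return the address the server should treat as the client.

    peer_ip    -- source address of the TCP connection (cannot be set by a header)
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # An unknown peer could have typed anything into the header: ignore it.
    if not is_trusted(peer) or not xff_header:
        return str(peer)

    current = peer
    # Each proxy appends the address it saw, so walk from the right and stop
    # at the first hop that was not vouched for by a trusted proxy.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # e.g. "unknown": keep the last address we could verify
        current = addr
        if not is_trusted(addr):
            break
    return str(current)


if __name__ == "__main__":
    # A proxy outside the trusted list: its header is ignored.
    print(effective_client_ip("198.51.100.7", "203.0.113.9"))
    # A trusted proxy: the header value is used.
    print(effective_client_ip("192.0.2.5", "203.0.113.9"))
```

A site that has not listed a given Squid box as trusted falls into the first branch, which is why every client behind that proxy still appears under the proxy's address.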
