[squid-users] cache peer problem with two squid one Tproxy --->normal Proxy

Amos Jeffries squid3 at treenet.co.nz
Thu Nov 13 04:14:16 UTC 2014



On 14/11/2014 2:27 a.m., Ahmed Allzaeem wrote:
> Hi Amos , thanks for all explanation.
> 
> But the problem was solved when I added the following directives to the
> tproxy server :
> ##############################
> forwarded_for off

* that breaks any possibility of the parent proxy identifying what the
client IP was.

> request_header_access Via deny all

This alone breaks the forwarding loop detection. Just prevents you
seeing what's going on.


> Now everything is working fine with me
> 

Whatever looping was going on is still happening out of sight and
could bite at any time.

> But one last thing I need.
> 
> I need the tproxy server forward the packet with the original ip of
> the clients .... I mean I want to still keep the tproxy function
> whereas now all clients go to the peer with the ip of the tproxy
> server.
> 
> I need each user go to the parent proxy with the original ip

 user != client.

In the context of TPROXY a client is a piece of machinery or software.
A User remains a person or logical identity.

When traffic arrives at the parent proxy the user remains whoever
started the transaction; the *client*, however, actually *is* the tproxy
regardless of what the IPs say.

> 
> Can I do it with a directive?

Spoofing arbitrary outgoing IPs is not supported behaviour. (It is
also actively illegal in places.)

If the parent proxy is not receiving TPROXY packets directly it cannot
spoof the outgoing.

To do what you ask will require *both* proxies to be set up as TPROXY,
no cache_peer link between them. The network routing must pass packets
from machine A (users) through machine B (child proxy) through machine
C (parent proxy) as if they were regular routers in a chain.

Amos
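
A check for the two settings discussed in this thread, as an added example that is not part of the original message or of Squid: it scans a squid.conf for directives that strip or suppress the Via and X-Forwarded-For headers. The sample configuration and the 192.0.2.10 peer address are constructed; covering `via off` and the `delete` and `transparent` values of `forwarded_for` goes beyond the two directives quoted above.

```python
# Added example: audit a squid.conf for settings that hide the request path.
# Constructed sample; 192.0.2.10 is a documentation address, not from the thread.
SAMPLE_CONF = """\
http_port 3129 tproxy
cache_peer 192.0.2.10 parent 3128 0 no-query
##############################
forwarded_for off
request_header_access Via deny all
# via off
"""

# forwarded_for values that keep the client IP out of X-Forwarded-For.
XFF_HIDING = {"off", "delete", "transparent"}

REASONS = {
    "via": "Via is removed or not added, so forwarding loops go undetected",
    "x-forwarded-for": "the parent proxy cannot identify the client IP",
}

def audit_squid_conf(text):
    """Return (line_number, directive_line, reason) for each risky setting."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        words = line.lower().split()
        name, args = words[0], words[1:]
        if name == "forwarded_for" and args[:1] and args[0] in XFF_HIDING:
            findings.append((number, line, REASONS["x-forwarded-for"]))
        elif name == "via" and args[:1] == ["off"]:
            findings.append((number, line, REASONS["via"]))
        elif (name == "request_header_access" and len(args) >= 2
              and args[0] in REASONS and args[1] == "deny"):
            # Any deny rule on a trace header is reported, whatever its ACL.
            findings.append((number, line, REASONS[args[0]]))
    return findings

if __name__ == "__main__":
    for number, line, reason in audit_squid_conf(SAMPLE_CONF):
        print(f"line {number}: {line!r}: {reason}")
```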

