[squid-users] forwarded_for problems log client ip apache 2.4
L.P.H. van Belle
belle at bazuin.nl
Thu Jan 28 13:38:22 UTC 2016
Hai,
I having some troubles to get my client ip (and/or hostname) logged in my apache webserver.
I do think this is something in my squid setup, but i can find it..
So if anyone can help me out a bit, would be great.
I’ve tested with the forwarded_for options tried all options here.
http://www.squid-cache.org/Versions/v3/3.5/cfgman/forwarded_for.html
im using Debian Jessie, Apache 2.4 with mod_remoteip
http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipheader
My settings for remoteip ( and yes the modules is enabled )
a2query -m | grep remote
remoteip (enabled by site administrator)
<IfModule mod_remoteip>
# for remote proxy setup
RemoteIPHeader X-Forwarded-For
# for cluster setup
#RemoteIPHeader X-Real-IP
RemoteIPTrustedProxy 127.0.0.1/8
RemoteIPTrustedProxy 192.168.x.x/24
RemoteIPTrustedProxy 192.168.x.x/24
RemoteIPTrustedProxy prxy1.internal.domain.tld
RemoteIPTrustedProxy prxy2.internal.domain.tld
#original : LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
</IfModule>
any tips on howto debug this, i did find lots of things with google, but none worked for me.
This is my (sanitized) squid config, default values are not shown.
Any improvement tips are welkom ;-) but my bigest problem now is getting the ip of the client in my webserver logs.
Greetz,
Louis
# squid 3.5.12 config
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/prxy1.internal.domain.tld at REALM \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
auth_param negotiate children 50 startup=10 idle=1
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
-b "ou=domain,dc=internal,dc=domain,dc=tld" \
-D changed_to_protect_myself at internal.domain.tld -W /etc/squid/private/ldap-bind \
-f (sAMAccountName=%s) \
-h dc2.internal.domain.tld \
-h dc1.internal.domain.tld
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Internet Proxy Autorisation
auth_param basic credentialsttl 2 hours
authenticate_cache_garbage_interval 2 hour
authenticate_ttl 2 hour
authenticate_ip_ttl 2 hour
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
## PC Networks
acl localnet src 192.168.XXX.0/24
acl localnet src 10.XXX.0.0/24
acl localnet src 10.XXX.1.0/24
acl localnet src 10.XXX.2.0/24
acl localnet src 10.XXX.3.0/24
acl localnet src 10.XXX.4.0/24
## Per location/function networks
acl localnet-funct1 src 192.168.XXX.0/24
acl localnet-funct2 src 10.XXX.0.0/24
acl localnet-funct3 src 10.XXX.1.0/24
acl localnet-funct4 src 10.XXX.2.0/24
acl localnet-funct5 src 10.XXX.3.0/24
acl localnet-funct6 src 10.XXX.4.0/24
acl localnet-funct7 src 10.XXX.210.0/24
acl localnet-funct8 src 172.20.XXX.0/24
acl localnet-funct1-server-range src 192.168.XXX.XXX-192.168.XXX.XXX
acl localnet-funct1-mailhopper src 192.168.XXX.XXX
acl localnet-funct1-antivirus src 192.168.XXX.XXX
acl localnet-funct1-xen1 src 192.168.XXX.XXX
acl localnet-funct1-gateway src 192.168.XXX.XXX
acl localnet-funct1-mail1 src 192.168.XXX.XXX
acl localnet-funct1-lin-228 src 192.168.XXX.XXX
acl localnet-funct1-lin-009 src 192.168.XXX.XXX
acl localnet-funct1-monitoring src 192.168.XXX.XXX
acl localnet-funct1-lin-003 src 192.168.XXX.XXX
## acl time frames.
acl work-ochtend time MTWHF 08:15-11:59
acl work-pauze time MTWHF 12:00-13:30
acl work-middag time MTWHF 13:31-17:00
acl after-work-hours time MTWHF 17:01-23:59
acl before-work-hours time MTWHF 00:00-08:14
######Block Video Streaming##############
acl media rep_mime_type video/flv video/x-flv
acl media rep_mime_type -i ^video/
acl media rep_mime_type -i ^video\/
acl media rep_mime_type ^application/x-shockwave-flash
acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1
acl media rep_mime_type ^application/x-fcs
acl media rep_mime_type ^application/x-mms-framed
acl media rep_mime_type ^video/x-ms-asf
acl media rep_mime_type ^audio/mpeg
acl media rep_mime_type ^audio/x-scpls
acl media rep_mime_type ^video/x-flv
acl media rep_mime_type ^video/mp2t
acl media rep_mime_type ^video/mpeg4
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs
acl mediapr urlpath_regex \.flv(\?.*)?$
acl mediapr urlpath_regex -i \.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$
acl mediapr urlpath_regex -i \.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb|ts|)(\?.*)?$
acl whitelistsites url_regex -i "/etc/squid/acl/domain-customer-sites.txt"
acl whitelistsites url_regex -i "/etc/squid/acl/allowed-sites.txt"
acl whitelistdirect url_regex -i "/etc/squid/acl/allowed-direct-sites.txt"
acl ads dstdom_regex "/etc/squid/acl/blocked-ads-company.txt"
acl blockedsites dstdom_regex -i "/etc/squid/acl/blocked-sites.txt"
acl allow_client_mac arp "/etc/squid/acl/allow-arp-client.txt"
acl downloaders rep_mime_type -i ^application/x-nzb$
acl lan-domainname dstdomain .internal.domain.tld
acl lan-domainname dstdomain .internal2.domain.tld
acl lan-domainname dstdomain .internal3.domain.tld
acl lan-domainname dstdomain .internal4.domain.tld
acl lan-domainname dstdomain .internal5.domain.tld
acl lan-domainname dstdomain .internal6.domain.tld
acl wan-domainname dstdomain .domain.tld
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl windowsupdate dstdomain au.download.windowsupdate.com
acl windowsupdate dstdomain ds.download.windowsupdate.com
acl windowsupdate dstdomain ctldl.windowsupdate.com
acl windowsupdate dstdomain .data.microsoft.com
acl antivirusupdate dstdomain .trendmicro.com
acl antivirusupdate dstdomain safebrowsing.google.com
acl antivirusupdate dstdomain safebrowsing-cache.google.com
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
## SSL PORTS ( you need to define ssl ports also at Safe_ports )
acl SSL_ports port 443 # https
acl SSL_ports port 631 # cups
acl SSL_ports port 888 # 3dm raid manager
acl SSL_ports port 2812 # Monit
acl SSL_ports port 5225 # HP Toolbox
acl SSL_ports port 8000 # ?
acl SSL_ports port 8080 # ?
acl SSL_ports port 16384-16403 # iChat AV (Audio-RTP, RTCP; Video-RTP, RTCP)
acl Safe_ports port 21 # ftp
acl Safe_ports port 80 # http
acl Safe_ports port 70 # gopher
acl Safe_ports port 443 # https
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 667 # darkstat
acl Safe_ports port 777 # multiling http
acl Safe_ports port 888 # 3dm raid manager
acl Safe_ports port 8000 # ?
acl Safe_ports port 8080 # ?
acl Safe_ports port 16384-16403 # iChat AV (Audio-RTP, RTCP; Video-RTP, RTCP)
#acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
## BEFORE AUTH : bypass autorisation ( windows updates/antivirus )
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet
http_access allow antivirusupdate localnet
## Deny blocked sites first.
http_access deny blockedsites
## Deny Ads servers
http_access deny ads
deny_info TCP_RESET ads
#### Override rules for internal use
http_access allow localnet-funct1-server-range
http_access allow localnet-funct2
http_access allow lan-domainname localnet
http_access allow wan-domainname localnet
http_access allow whitelistdirect localnet
###############################################################################
## AUTH HERE
http_access allow authenticated
###############################################################################
##########Access Lists VIDEO STREAMS #########
http_access allow mediapr allow_client_mac
http_reply_access allow media allow_client_mac
http_access deny mediapr
http_reply_access deny media
################################## other rules.
# whitelisted sites
http_access allow whitelistsites
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
# And finally deny all other access to this proxy
http_access deny all
## iptables port 80 redirect to 3128
http_port 192.168.XXX.XXX:3128 intercept connection-auth=off
## company default port set by GPO (must use hostname.internal.domain.tld for kerberos auth )
http_port 192.168.XXX.XXX:8080
cache_mem 65536 MB
maximum_object_size_in_memory 5 MB
coredump_dir /var/spool/squid
# disable cache_log
cache_log /dev/null
## obligated setting for disableing cache_log
logfile_rotate 0
ftp_user anonymousftp at domain.tld
pinger_enable off
# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
#cache deny localnet-funct3
#cache deny localnet-funct2
## order is important, first one hit is used.
## windows cache
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 129600 reload-into-ims
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 129600 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 129600 reload-into-ims
# debian cache
refresh_pattern ^(ht|f)tp://.*debian.*/Packages\.(bz2|gz|diff/Index)$ 0 0% 0
refresh_pattern ^(ht|f)tp://.*debian.*/Release(\.gpg)?$ 0 0% 0
refresh_pattern ^(ht|f)tp://.*debian.*/Sources\.(bz2|gz|diff/Index)$ 0 0% 0
refresh_pattern ^(ht|f)tp://.*debian.*/Translation-en_GB\.bz2)$ 0 0% 0
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# range-offset
range_offset_limit 800 MB windowsupdate
range_offset_limit 100 MB antivirusupdate
quick_abort_min -1
forward_timeout 1 minutes
connect_timeout 5 seconds
cache_mgr webmaster at domain.tld
mail_from prxy1 at internal.domain.tld
visible_hostname prxy1.internal.domain.tld
hostname_aliases prxy1.internal.domain.tld
httpd_suppress_version_string on
snmp_port 3401
snmp_access allow localnet-funct1-monitoring
snmp_access deny all
snmp_incoming_address 192.168.XXX.XXX
icp_port 3130
htcp_port 4827
udp_incoming_address 192.168.XXX.XXX
error_default_language nl
err_page_stylesheet /etc/squid/errorpage.css
always_direct allow CONNECT
# ICAP OPTIONS
# -----------------------------------------------------------------------------
## Tested with Squid 3.5.10/3.5.12 squidclamav 6.14
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_persistent_connections on
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
dns_v4_first on
fqdncache_size 2048
memory_pools on
memory_pools_limit 512 MB
forwarded_for on
refresh_all_ims on
reload_into_ims on
workers 8
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160128/0fb04675/attachment-0001.html>
More information about the squid-users
mailing list