[squid-users] explicit proxy and iptables

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Apr 28 13:02:23 UTC 2020


On 27.04.20 15:27, Vieri wrote:
>I've been using Squid + TPROXY in transparent sslbump mode for quite a
> while now, but I'd like to use an explicit proxy with user authentication
> instead.
>
>I have Squid on my first firewall/gateway node, and then I have another
> gateway (node 2) where all the HTTP requests go through, with multiple
> ISPs.
>
>In transparent tproxy mode, I can obviously mark packets according to the
> "real" client src IP addresses and then use, eg., different ISPs based on
> client src addr.
>
>In the explicit setup, the gateway (node 2) only sees one IP address as
> HTTP source -- the one on the "first node" with the explicit Squid proxy. 
> I presume that in this case there is NO WAY I can somehow inform the
> gateway on node 2 of the "real" client IP addresses?

Correct.  However, you can configure the first proxy to add the proper
X-Forwarded-For address and configure the second proxy to trust the
X-Forwarded-For from the first proxy, so the second proxy can make a decision
on how to route the request, based on the trusted client's source IP address
passed through the X-Forwarded-For header.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
On the other hand, you have different fingers.
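
The two-proxy setup suggested in the reply above, sketched as squid.conf fragments; this is an added example, not configuration posted in the thread. It assumes node 2 also runs Squid and that node 1 forwards to it as a parent peer; all addresses, ACL names and mark values are constructed.

```conf
# --- node 1: explicit, authenticating proxy (constructed address 192.0.2.1) ---
# Append the real client address to X-Forwarded-For (this is Squid's default).
forwarded_for on
# Send all requests through the proxy on node 2 instead of going direct.
cache_peer 192.0.2.2 parent 3128 0 no-query default
never_direct allow all

# --- node 2: routing proxy (constructed address 192.0.2.2) ---
http_port 3128

# Accept X-Forwarded-For only when the TCP connection comes from node 1.
# From any other peer the header is ignored, so a client cannot pick its
# own "source address" by sending a forged header.
acl node1 src 192.0.2.1
follow_x_forwarded_for allow node1
follow_x_forwarded_for deny all

# Make src ACLs and the access log use the address taken from the trusted
# header rather than node 1's address.
acl_uses_indirect_client on
log_uses_indirect_client on

# Constructed client ranges, one per upstream ISP.
acl lan_a src 10.0.1.0/24
acl lan_b src 10.0.2.0/24

# src now matches the indirect (real) client address, so access is granted
# per client range. Direct connections to this port from hosts other than
# node 1 should be dropped by the packet filter on node 2, otherwise LAN
# clients could bypass the authentication done on node 1.
http_access allow lan_a
http_access allow lan_b
http_access deny all

# Mark outgoing connections per client range; the existing policy routing
# on node 2 can then select the ISP by firewall mark (constructed values).
tcp_outgoing_mark 0x1 lan_a
tcp_outgoing_mark 0x2 lan_b
```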

