[squid-users] many vms behind router to same proxy ips problems !
snakeeyes
ahmed.zaeem at netstream.ps
Sat Feb 21 01:37:51 UTC 2015
Hi ,
I have squid with many ips already installed with and configured well with
tcp_outgoing directive.
The provlem that I face is ;
When many pc behind a router with same public ip use the proxy ips.
Assume I have 2 pcs
Pc1===> Using proxy ip 1.1.1.1
Pc2===>using proxy 1.1.1.2
Note that 1.1.1.1 & 1.1.1.2 are just for example and we assume those ips are
existed on the main server squid.
Pc1 & pc2 ips are 192.168.1.100 & 192.168.1.101 and their public ip is
31.220.243.0
I go to pc1 and type "whatismyipaddrss.com " I see 1.1.1.1
Then I go to pc2 and type "whatismyipaddrss.com " I see 2.2.2.2
Now lets go back to pc1 and refresh the page whatismyipaddrss.com ===?>
then I see 2.2.2.2 not 1.1.1.1
This is my problem.
Why sometimes after somefrefresh I get the other ip not ip I put in in
browser ??
Could it because same pcs has same public ip ??
I tried to put por for each ip like 1.1.1.1:1333 and 2.2.2.2:1222 .... but
same resukt , the ip keep changes
Also I disabled cacing on squid but no luck .
Is that a natural thing ?
Or squid can be optimized ?
[root at dbmedia ~]# cat /etc/squid/squid.conf
# Lockdown Procedures
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
#
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 1111
http_port xxx.27.65:1165
http_port xx.27.68:1168
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
#cache_dir null
cache deny all
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
###############################
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access All allow all
########################################
acl ipxx myip xx
acl ipxx myip xx
acl ipxx myip xx
#######################################
tcp_outgoing_address xxxx ipxxx
tcp_outgoing_address xxxx ipxxx
tcp_outgoing_address xxxx ipxxx
tcp_outgoing_address xxxx ipxxx
#####################################
squid -v
Squid Cache: Version 3.1.10
configure options: '--build=i386-redhat-linux-gnu'
'--host=i386-redhat-linux-gnu' '--target=i686-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share'
'--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--enable-internal-dns'
'--disable-strict-error-checking' '--exec_prefix=/usr'
'--libexecdir=/usr/lib/squid' '--localstatedir=/var'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=$(localstatedir)/log/squid'
'--with-pidfile=$(localstatedir)/run/squid.pid'
'--disable-dependency-tracking' '--enable-arp-acl'
'--enable-follow-x-forwarded-for'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain
-NTLM,SASL,DB,POP3,squid_radius_auth'
'--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth'
'--enable-digest-auth-helpers=password,ldap,eDirectory'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_
group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--with-large-files' '--enable-linux-netfilter'
'--enable-referer-log' '--enable-removal-policies=heap,lru' '--enable-snmp'
'--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log'
'--enable-wccpv2' '--enable-esi' '--with-aio' '--with-default-user=squid'
'--with-filedescriptors=16384' '--with-dl' '--with-openssl'
'--with-pthreads' 'build_alias=i386-redhat-linux-gnu'
'host_alias=i386-redhat-linux-gnu' 'target_alias=i686-redhat-linux-gnu'
'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom
-fasynchronous-unwind-tables -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g -pipe
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom
-fasynchronous-unwind-tables -fpie'
--with-squid=/builddir/build/BUILD/squid-3.1.10
cheers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150220/eb4652ef/attachment-0001.html>
More information about the squid-users
mailing list