[squid-users] many vms behind router to same proxy ips problems !

Yuri Voinov yvoinov at gmail.com
Fri Feb 20 15:41:02 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is not squid problem, man.

Did you hear about TCP routing?

This is the thing you need.

21.02.15 7:37, snakeeyes пишет:
> Hi ,
> 
> 
> 
> I have squid with many IPs already installed and configured
> well with the tcp_outgoing directive.
> 
> 
> 
> The problem that I face is:
> 
> When many PCs behind a router with the same public IP use the proxy
> IPs.
> 
> 
> 
> Assume I have 2 pcs
> 
> Pc1===> Using proxy ip 1.1.1.1
> 
> Pc2===>using proxy 1.1.1.2
> 
> Note that 1.1.1.1 & 1.1.1.2 are just examples, and we assume
> those IPs exist on the main Squid server.
> 
> 
> 
> Pc1 & pc2 ips are 192.168.1.100 & 192.168.1.101 and their public ip
> is 31.220.243.0
> 
> 
> 
> 
> 
> I go to pc1 and type "whatismyipaddrss.com "  I see 1.1.1.1
> 
> 
> 
> Then I go to pc2 and type "whatismyipaddrss.com "  I see 2.2.2.2
> 
> Now lets go back to pc1 and refresh the page  whatismyipaddrss.com
> ===?> then I see 2.2.2.2 not 1.1.1.1
> 
> 
> 
> This is my problem.
> 
> 
> 
> Why, sometimes after some refreshes, do I get the other IP and not the IP
> I put in the browser ??
> 
> 
> 
> Could it be because the PCs have the same public IP ??
> 
> 
> 
> 
> 
> I tried to put a port for each IP, like 1.1.1.1:1333 and 2.2.2.2:1222
> .... but same result, the IP keeps changing.
> 
> 
> 
> Also I disabled caching on squid but no luck.
> 
> 
> 
> Is that a natural thing ?
> 
> 
> 
> Or can squid be optimized ?
> 
> 
> 
> [root at dbmedia ~]# cat /etc/squid/squid.conf
> 
> # Lockdown Procedures
> 
> auth_param basic program /usr/lib/squid/ncsa_auth
> /etc/squid/squid_passwd
> 
> acl ncsa_users proxy_auth REQUIRED
> 
> http_access allow ncsa_users
> 
> #
> 
> #
> 
> # Recommended minimum configuration:
> 
> #
> 
> acl manager proto cache_object
> 
> acl localhost src 127.0.0.1/32 ::1
> 
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> 
> 
> 
> # Example rule allowing access from your local networks.
> 
> # Adapt to list your (internal) IP networks from where browsing
> 
> # should be allowed
> 
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal
> network
> 
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal
> network
> 
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal
> network
> 
> acl localnet src fc00::/7       # RFC 4193 local private network
> range
> 
> acl localnet src fe80::/10      # RFC 4291 link-local (directly
> plugged) machines
> 
> 
> 
> acl SSL_ports port 443
> 
> acl Safe_ports port 80          # http
> 
> acl Safe_ports port 21          # ftp
> 
> acl Safe_ports port 443         # https
> 
> acl Safe_ports port 70          # gopher
> 
> acl Safe_ports port 210         # wais
> 
> acl Safe_ports port 1025-65535  # unregistered ports
> 
> acl Safe_ports port 280         # http-mgmt
> 
> acl Safe_ports port 488         # gss-http
> 
> acl Safe_ports port 591         # filemaker
> 
> acl Safe_ports port 777         # multiling http
> 
> acl CONNECT method CONNECT
> 
> 
> 
> #
> 
> # Recommended minimum Access Permission configuration:
> 
> #
> 
> # Only allow cachemgr access from localhost
> 
> http_access allow manager localhost
> 
> http_access deny manager
> 
> 
> 
> # Deny requests to certain unsafe ports
> 
> http_access deny !Safe_ports
> 
> 
> 
> # Deny CONNECT to other than secure SSL ports
> 
> http_access deny CONNECT !SSL_ports
> 
> 
> 
> # We strongly recommend the following be uncommented to protect
> innocent
> 
> # web applications running on the proxy server who think the only
> 
> # one who can access services on "localhost" is a local user
> 
> #http_access deny to_localhost
> 
> 
> 
> #
> 
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> 
> #
> 
> 
> 
> # Example rule allowing access from your local networks.
> 
> # Adapt localnet in the ACL section to list your (internal) IP
> networks
> 
> # from where browsing should be allowed
> 
> http_access allow localnet
> 
> http_access allow localhost
> 
> 
> 
> # And finally deny all other access to this proxy
> 
> http_access deny all
> 
> 
> 
> # Squid normally listens to port 3128
> 
> http_port 1111
> 
> http_port xxx.27.65:1165
> 
> http_port xx.27.68:1168
> 
> # We recommend you to use at least the following line.
> 
> hierarchy_stoplist cgi-bin ?
> 
> 
> 
> # Uncomment and adjust the following to add a disk cache
> directory.
> 
> #cache_dir ufs /var/spool/squid 100 16 256
> 
> #cache_dir null
> 
> cache deny all
> 
> # Leave coredumps in the first cache dir
> 
> coredump_dir /var/spool/squid
> 
> 
> 
> # Add any of your own refresh_pattern entries above these.
> 
> refresh_pattern ^ftp:           1440    20%     10080
> 
> refresh_pattern ^gopher:        1440    0%      1440
> 
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> 
> refresh_pattern .               0       20%     4320
> 
> ###############################
> 
> forwarded_for off
> 
> request_header_access Allow allow all
> 
> request_header_access Authorization allow all
> 
> request_header_access WWW-Authenticate allow all
> 
> request_header_access Proxy-Authorization allow all
> 
> request_header_access Proxy-Authenticate allow all
> 
> request_header_access Cache-Control allow all
> 
> request_header_access Content-Encoding allow all
> 
> request_header_access Content-Length allow all
> 
> request_header_access Content-Type allow all
> 
> request_header_access Date allow all
> 
> request_header_access Expires allow all
> 
> request_header_access Host allow all
> 
> request_header_access If-Modified-Since allow all
> 
> request_header_access Last-Modified allow all
> 
> request_header_access Location allow all
> 
> request_header_access Pragma allow all
> 
> request_header_access Accept allow all
> 
> request_header_access Accept-Charset allow all
> 
> request_header_access Accept-Encoding allow all
> 
> request_header_access Accept-Language allow all
> 
> request_header_access Content-Language allow all
> 
> request_header_access Mime-Version allow all
> 
> request_header_access Retry-After allow all
> 
> request_header_access Title allow all
> 
> request_header_access Connection allow all
> 
> request_header_access Proxy-Connection allow all
> 
> request_header_access User-Agent allow all
> 
> request_header_access Cookie allow all
> 
> request_header_access X-Forwarded-For deny all
> 
> request_header_access Via deny all
> 
> request_header_access All allow all
> 
> ########################################
> 
> acl ipxx myip xx acl ipxx myip xx acl ipxx myip xx
> 
> 
> 
> #######################################
> 
> tcp_outgoing_address xxxx ipxxx
> 
> tcp_outgoing_address xxxx ipxxx
> 
> 
> 
> tcp_outgoing_address xxxx ipxxx
> 
> 
> 
> tcp_outgoing_address xxxx ipxxx
> 
> 
> 
> #####################################
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> squid -v
> 
> Squid Cache: Version 3.1.10
> 
> configure options:  '--build=i386-redhat-linux-gnu' 
> '--host=i386-redhat-linux-gnu' '--target=i686-redhat-linux-gnu' 
> '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
> '--datadir=/usr/share' '--includedir=/usr/include'
> '--libdir=/usr/lib' '--libexecdir=/usr/libexec' 
> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
> '--infodir=/usr/share/info' '--enable-internal-dns' 
> '--disable-strict-error-checking' '--exec_prefix=/usr' 
> '--libexecdir=/usr/lib/squid' '--localstatedir=/var' 
> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
> '--with-logdir=$(localstatedir)/log/squid' 
> '--with-pidfile=$(localstatedir)/run/squid.pid' 
> '--disable-dependency-tracking' '--enable-arp-acl' 
> '--enable-follow-x-forwarded-for' 
> '--enable-auth=basic,digest,ntlm,negotiate' 
> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain
>
> 
- -NTLM,SASL,DB,POP3,squid_radius_auth'
> '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' 
> '--enable-digest-auth-helpers=password,ldap,eDirectory' 
> '--enable-negotiate-auth-helpers=squid_kerb_auth' 
> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_
>
> 
group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
> '--enable-ident-lookups' '--with-large-files'
> '--enable-linux-netfilter' '--enable-referer-log'
> '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
> '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log' 
> '--enable-wccpv2' '--enable-esi' '--with-aio'
> '--with-default-user=squid' '--with-filedescriptors=16384'
> '--with-dl' '--with-openssl' '--with-pthreads'
> 'build_alias=i386-redhat-linux-gnu' 
> 'host_alias=i386-redhat-linux-gnu'
> 'target_alias=i686-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
> --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom 
> -fasynchronous-unwind-tables -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g
> -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
> --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom 
> -fasynchronous-unwind-tables -fpie' 
> --with-squid=/builddir/build/BUILD/squid-3.1.10
> 
> 
> 
> 
> 
> cheers
> 
> 
> 
> 
> _______________________________________________ squid-users mailing
> list squid-users at lists.squid-cache.org 
> http://lists.squid-cache.org/listinfo/squid-users
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJU51WNAAoJENNXIZxhPexGt2EIAKkQ9qSo2UJ+hc9bz0vLB9aK
FDpA84Y5vh7wu/a1srHjt35CWGTQw1kSHo4C74ibDtdoNMts9BNY6CLGhn/V2u/o
FWHk772XPrAPSIlVrdM5sFBoaZhuzGF4mKH5+isAKGae/+LeDkCgx8ud87YVGq9s
AfnblhnkTKZM1O2kgljTjIUV1T/YyAB2kI6KnzX67JVez8FSmKarZnFlIyoWd8OE
VXCR0xaGYnQfMjOlnzU4LHvNKirHl+YvhU2PFCva1zFWI621DpbZ6wg6jvencJvy
iWxan/yysp8pt7OyxpOeomsnqmetLayIFB9HfqzSxn7JcNFtUIcr3p8B+9E9DaE=
=l5Wh
-----END PGP SIGNATURE-----

