[squid-users] many vms behind router to same proxy ips problems !
Yuri Voinov
yvoinov at gmail.com
Fri Feb 20 15:41:02 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is not a Squid problem, man.
Have you heard of TCP routing?
That is what you need.
21.02.15 7:37, snakeeyes пишет:
> Hi ,
>
>
>
> I have Squid already installed with many IPs and configured
> well with the tcp_outgoing_address directive.
>
>
>
> The problem that I face is this:
>
> many PCs behind a router with the same public IP use the proxy
> IPs.
>
>
>
> Assume I have 2 pcs
>
> Pc1===> Using proxy ip 1.1.1.1
>
> Pc2===>using proxy 1.1.1.2
>
> Note that 1.1.1.1 & 1.1.1.2 are just examples, and we assume
> those IPs exist on the main Squid server.
>
>
>
> Pc1 & pc2 ips are 192.168.1.100 & 192.168.1.101 and their public ip
> is 31.220.243.0
>
>
>
>
>
> I go to pc1 and type "whatismyipaddrss.com " I see 1.1.1.1
>
>
>
> Then I go to pc2 and type "whatismyipaddrss.com " I see 2.2.2.2
>
> Now lets go back to pc1 and refresh the page whatismyipaddrss.com
> ===?> then I see 2.2.2.2 not 1.1.1.1
>
>
>
> This is my problem.
>
>
>
> Why do I sometimes, after a refresh, get the other IP and not the IP
> I put in the browser?
>
>
>
> Could it be because the PCs have the same public IP?
>
>
>
>
>
> I tried to put a port for each IP, like 1.1.1.1:1333 and 2.2.2.2:1222,
> but got the same result: the IP keeps changing.
>
>
>
> Also I disabled caching on Squid, but no luck.
>
>
>
> Is that a natural thing ?
>
>
>
> Or squid can be optimized ?
>
>
>
> [root at dbmedia ~]# cat /etc/squid/squid.conf
>
> # Lockdown Procedures
>
> auth_param basic program /usr/lib/squid/ncsa_auth
> /etc/squid/squid_passwd
>
> acl ncsa_users proxy_auth REQUIRED
>
> http_access allow ncsa_users
>
> #
>
> #
>
> # Recommended minimum configuration:
>
> #
>
> acl manager proto cache_object
>
> acl localhost src 127.0.0.1/32 ::1
>
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>
>
>
> # Example rule allowing access from your local networks.
>
> # Adapt to list your (internal) IP networks from where browsing
>
> # should be allowed
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal
> network
>
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal
> network
>
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal
> network
>
> acl localnet src fc00::/7 # RFC 4193 local private network
> range
>
> acl localnet src fe80::/10 # RFC 4291 link-local (directly
> plugged) machines
>
>
>
> acl SSL_ports port 443
>
> acl Safe_ports port 80 # http
>
> acl Safe_ports port 21 # ftp
>
> acl Safe_ports port 443 # https
>
> acl Safe_ports port 70 # gopher
>
> acl Safe_ports port 210 # wais
>
> acl Safe_ports port 1025-65535 # unregistered ports
>
> acl Safe_ports port 280 # http-mgmt
>
> acl Safe_ports port 488 # gss-http
>
> acl Safe_ports port 591 # filemaker
>
> acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
>
>
>
> #
>
> # Recommended minimum Access Permission configuration:
>
> #
>
> # Only allow cachemgr access from localhost
>
> http_access allow manager localhost
>
> http_access deny manager
>
>
>
> # Deny requests to certain unsafe ports
>
> http_access deny !Safe_ports
>
>
>
> # Deny CONNECT to other than secure SSL ports
>
> http_access deny CONNECT !SSL_ports
>
>
>
> # We strongly recommend the following be uncommented to protect
> innocent
>
> # web applications running on the proxy server who think the only
>
> # one who can access services on "localhost" is a local user
>
> #http_access deny to_localhost
>
>
>
> #
>
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>
> #
>
>
>
> # Example rule allowing access from your local networks.
>
> # Adapt localnet in the ACL section to list your (internal) IP
> networks
>
> # from where browsing should be allowed
>
> http_access allow localnet
>
> http_access allow localhost
>
>
>
> # And finally deny all other access to this proxy
>
> http_access deny all
>
>
>
> # Squid normally listens to port 3128
>
> http_port 1111
>
> http_port xxx.27.65:1165
>
> http_port xx.27.68:1168
>
> # We recommend you to use at least the following line.
>
> hierarchy_stoplist cgi-bin ?
>
>
>
> # Uncomment and adjust the following to add a disk cache
> directory.
>
> #cache_dir ufs /var/spool/squid 100 16 256
>
> #cache_dir null
>
> cache deny all
>
> # Leave coredumps in the first cache dir
>
> coredump_dir /var/spool/squid
>
>
>
> # Add any of your own refresh_pattern entries above these.
>
> refresh_pattern ^ftp: 1440 20% 10080
>
> refresh_pattern ^gopher: 1440 0% 1440
>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>
> refresh_pattern . 0 20% 4320
>
> ###############################
>
> forwarded_for off
>
> request_header_access Allow allow all
>
> request_header_access Authorization allow all
>
> request_header_access WWW-Authenticate allow all
>
> request_header_access Proxy-Authorization allow all
>
> request_header_access Proxy-Authenticate allow all
>
> request_header_access Cache-Control allow all
>
> request_header_access Content-Encoding allow all
>
> request_header_access Content-Length allow all
>
> request_header_access Content-Type allow all
>
> request_header_access Date allow all
>
> request_header_access Expires allow all
>
> request_header_access Host allow all
>
> request_header_access If-Modified-Since allow all
>
> request_header_access Last-Modified allow all
>
> request_header_access Location allow all
>
> request_header_access Pragma allow all
>
> request_header_access Accept allow all
>
> request_header_access Accept-Charset allow all
>
> request_header_access Accept-Encoding allow all
>
> request_header_access Accept-Language allow all
>
> request_header_access Content-Language allow all
>
> request_header_access Mime-Version allow all
>
> request_header_access Retry-After allow all
>
> request_header_access Title allow all
>
> request_header_access Connection allow all
>
> request_header_access Proxy-Connection allow all
>
> request_header_access User-Agent allow all
>
> request_header_access Cookie allow all
>
> request_header_access X-Forwarded-For deny all
>
> request_header_access Via deny all
>
> request_header_access All allow all
>
> ########################################
>
> acl ipxx myip xx acl ipxx myip xx acl ipxx myip xx
>
>
>
> #######################################
>
> tcp_outgoing_address xxxx ipxxx
>
> tcp_outgoing_address xxxx ipxxx
>
>
>
> tcp_outgoing_address xxxx ipxxx
>
>
>
> tcp_outgoing_address xxxx ipxxx
>
>
>
> #####################################
>
>
>
>
>
>
>
>
>
>
>
> squid -v
>
> Squid Cache: Version 3.1.10
>
> configure options: '--build=i386-redhat-linux-gnu'
> '--host=i386-redhat-linux-gnu' '--target=i686-redhat-linux-gnu'
> '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
> '--datadir=/usr/share' '--includedir=/usr/include'
> '--libdir=/usr/lib' '--libexecdir=/usr/libexec'
> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--enable-internal-dns'
> '--disable-strict-error-checking' '--exec_prefix=/usr'
> '--libexecdir=/usr/lib/squid' '--localstatedir=/var'
> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
> '--with-logdir=$(localstatedir)/log/squid'
> '--with-pidfile=$(localstatedir)/run/squid.pid'
> '--disable-dependency-tracking' '--enable-arp-acl'
> '--enable-follow-x-forwarded-for'
> '--enable-auth=basic,digest,ntlm,negotiate'
> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth'
> '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth'
> '--enable-digest-auth-helpers=password,ldap,eDirectory'
> '--enable-negotiate-auth-helpers=squid_kerb_auth'
> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
> '--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
> '--enable-ident-lookups' '--with-large-files'
> '--enable-linux-netfilter' '--enable-referer-log'
> '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl'
> '--enable-storeio=aufs,diskd,ufs' '--enable-useragent-log'
> '--enable-wccpv2' '--enable-esi' '--with-aio'
> '--with-default-user=squid' '--with-filedescriptors=16384'
> '--with-dl' '--with-openssl' '--with-pthreads'
> 'build_alias=i386-redhat-linux-gnu'
> 'host_alias=i386-redhat-linux-gnu'
> 'target_alias=i686-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
> --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom
> -fasynchronous-unwind-tables -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2 -g
> -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
> --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom
> -fasynchronous-unwind-tables -fpie'
> --with-squid=/builddir/build/BUILD/squid-3.1.10
>
>
>
>
>
> cheers
>
>
>
>
> _______________________________________________ squid-users mailing
> list squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBAgAGBQJU51WNAAoJENNXIZxhPexGt2EIAKkQ9qSo2UJ+hc9bz0vLB9aK
FDpA84Y5vh7wu/a1srHjt35CWGTQw1kSHo4C74ibDtdoNMts9BNY6CLGhn/V2u/o
FWHk772XPrAPSIlVrdM5sFBoaZhuzGF4mKH5+isAKGae/+LeDkCgx8ud87YVGq9s
AfnblhnkTKZM1O2kgljTjIUV1T/YyAB2kI6KnzX67JVez8FSmKarZnFlIyoWd8OE
VXCR0xaGYnQfMjOlnzU4LHvNKirHl+YvhU2PFCva1zFWI621DpbZ6wg6jvencJvy
iWxan/yysp8pt7OyxpOeomsnqmetLayIFB9HfqzSxn7JcNFtUIcr3p8B+9E9DaE=
=l5Wh
-----END PGP SIGNATURE-----