[squid-users] many vms behind router to same proxy ips problems !

Yuri Voinov yvoinov at gmail.com
Fri Feb 20 16:25:07 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You want a well-known thing in the operating-systems world. In Solaris it
is known as ip_strict_dst_multihoming.

It breaks down into several levels:

1. At the OS IP-stack level, strict destination responses must be enabled, i.e.
when a request arrives on one NIC, the response must leave from the same NIC.
2. External routers must have static routes for outgoing packets.
3. The service on the server must be able to bind its listeners/responders
to specified NICs.

Some years ago I built a similar configuration with a BIND DNS
server on a host with two different NICs bound to two different ISPs,
serving two independent domain zones. :)

So, finally - you can dig in this direction (see above).

21.02.15 8:15, snakeeyes пишет:
> Not yet , I know ip routing :)
> 
> 
> Also I searched but didn’t find anything useful about my issue
> 
> Can u guide more plz ?
> 
> -----Original Message----- From: squid-users
> [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of
> Yuri Voinov Sent: Friday, February 20, 2015 7:41 AM To:
> squid-users at lists.squid-cache.org Subject: Re: [squid-users] many
> vms behind router to same proxy ips problems !
> 
> This is not squid problem, man.
> 
> Did you hear about TCP routing?
> 
> This is the thing you need.
> 
> 21.02.15 7:37, snakeeyes пишет:
>> Hi ,
> 
> 
> 
>> I have squid with many IPs already installed and
>> configured well with the tcp_outgoing_address directive.
> 
> 
> 
>> The problem that I face is:
> 
>> When many PCs behind a router with the same public IP use the proxy
>> IPs.
> 
> 
> 
>> Assume I have 2 pcs
> 
>> Pc1===> Using proxy ip 1.1.1.1
> 
>> Pc2===>using proxy 1.1.1.2
> 
>> Note that 1.1.1.1 & 1.1.1.2 are just for example and we assume
>> those IPs exist on the main squid server.
> 
> 
> 
>> Pc1 & pc2 IPs are 192.168.1.100 & 192.168.1.101 and their public
>> IP is 31.220.243.0
> 
> 
> 
> 
> 
>> I go to pc1 and type "whatismyipaddrss.com "  I see 1.1.1.1
> 
> 
> 
>> Then I go to pc2 and type "whatismyipaddrss.com "  I see 2.2.2.2
> 
>> Now lets go back to pc1 and refresh the page
>> whatismyipaddrss.com ===?> then I see 2.2.2.2 not 1.1.1.1
> 
> 
> 
>> This is my problem.
> 
> 
> 
>> Why, sometimes after a refresh, do I get the other IP and not the IP I
>> put in the browser??
> 
> 
> 
>> Could it be because the PCs have the same public IP??
> 
> 
> 
> 
> 
>> I tried to put a port for each IP like 1.1.1.1:1333 and 2.2.2.2:1222
>> .... but same result, the IP keeps changing
> 
> 
> 
>> Also I disabled caching on squid but no luck.
> 
> 
> 
>> Is that a natural thing ?
> 
> 
> 
>> Or can squid be optimized?
> 
> 
> 
>> [root at dbmedia ~]# cat /etc/squid/squid.conf
> 
>> # Lockdown Procedures
> 
>> auth_param basic program /usr/lib/squid/ncsa_auth 
>> /etc/squid/squid_passwd
> 
>> acl ncsa_users proxy_auth REQUIRED
> 
>> http_access allow ncsa_users
> 
>> #
> 
>> #
> 
>> # Recommended minimum configuration:
> 
>> #
> 
>> acl manager proto cache_object
> 
>> acl localhost src 127.0.0.1/32 ::1
> 
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> 
> 
> 
>> # Example rule allowing access from your local networks.
> 
>> # Adapt to list your (internal) IP networks from where browsing
> 
>> # should be allowed
> 
>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal 
>> network
> 
>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal
>> network
> 
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal
>> network
> 
>> acl localnet src fc00::/7       # RFC 4193 local private network 
>> range
> 
>> acl localnet src fe80::/10      # RFC 4291 link-local (directly 
>> plugged) machines
> 
> 
> 
>> acl SSL_ports port 443
> 
>> acl Safe_ports port 80          # http
> 
>> acl Safe_ports port 21          # ftp
> 
>> acl Safe_ports port 443         # https
> 
>> acl Safe_ports port 70          # gopher
> 
>> acl Safe_ports port 210         # wais
> 
>> acl Safe_ports port 1025-65535  # unregistered ports
> 
>> acl Safe_ports port 280         # http-mgmt
> 
>> acl Safe_ports port 488         # gss-http
> 
>> acl Safe_ports port 591         # filemaker
> 
>> acl Safe_ports port 777         # multiling http
> 
>> acl CONNECT method CONNECT
> 
> 
> 
>> #
> 
>> # Recommended minimum Access Permission configuration:
> 
>> #
> 
>> # Only allow cachemgr access from localhost
> 
>> http_access allow manager localhost
> 
>> http_access deny manager
> 
> 
> 
>> # Deny requests to certain unsafe ports
> 
>> http_access deny !Safe_ports
> 
> 
> 
>> # Deny CONNECT to other than secure SSL ports
> 
>> http_access deny CONNECT !SSL_ports
> 
> 
> 
>> # We strongly recommend the following be uncommented to protect 
>> innocent
> 
>> # web applications running on the proxy server who think the
>> only
> 
>> # one who can access services on "localhost" is a local user
> 
>> #http_access deny to_localhost
> 
> 
> 
>> #
> 
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> 
>> #
> 
> 
> 
>> # Example rule allowing access from your local networks.
> 
>> # Adapt localnet in the ACL section to list your (internal) IP 
>> networks
> 
>> # from where browsing should be allowed
> 
>> http_access allow localnet
> 
>> http_access allow localhost
> 
> 
> 
>> # And finally deny all other access to this proxy
> 
>> http_access deny all
> 
> 
> 
>> # Squid normally listens to port 3128
> 
>> http_port 1111
> 
>> http_port xxx.27.65:1165
> 
>> http_port xx.27.68:1168
> 
>> # We recommend you to use at least the following line.
> 
>> hierarchy_stoplist cgi-bin ?
> 
> 
> 
>> # Uncomment and adjust the following to add a disk cache
>> directory.
> 
>> #cache_dir ufs /var/spool/squid 100 16 256
> 
>> #cache_dir null
> 
>> cache deny all
> 
>> # Leave coredumps in the first cache dir
> 
>> coredump_dir /var/spool/squid
> 
> 
> 
>> # Add any of your own refresh_pattern entries above these.
> 
>> refresh_pattern ^ftp:           1440    20%     10080
> 
>> refresh_pattern ^gopher:        1440    0%      1440
> 
>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> 
>> refresh_pattern .               0       20%     4320
> 
>> ###############################
> 
>> forwarded_for off
> 
>> request_header_access Allow allow all
> 
>> request_header_access Authorization allow all
> 
>> request_header_access WWW-Authenticate allow all
> 
>> request_header_access Proxy-Authorization allow all
> 
>> request_header_access Proxy-Authenticate allow all
> 
>> request_header_access Cache-Control allow all
> 
>> request_header_access Content-Encoding allow all
> 
>> request_header_access Content-Length allow all
> 
>> request_header_access Content-Type allow all
> 
>> request_header_access Date allow all
> 
>> request_header_access Expires allow all
> 
>> request_header_access Host allow all
> 
>> request_header_access If-Modified-Since allow all
> 
>> request_header_access Last-Modified allow all
> 
>> request_header_access Location allow all
> 
>> request_header_access Pragma allow all
> 
>> request_header_access Accept allow all
> 
>> request_header_access Accept-Charset allow all
> 
>> request_header_access Accept-Encoding allow all
> 
>> request_header_access Accept-Language allow all
> 
>> request_header_access Content-Language allow all
> 
>> request_header_access Mime-Version allow all
> 
>> request_header_access Retry-After allow all
> 
>> request_header_access Title allow all
> 
>> request_header_access Connection allow all
> 
>> request_header_access Proxy-Connection allow all
> 
>> request_header_access User-Agent allow all
> 
>> request_header_access Cookie allow all
> 
>> request_header_access X-Forwarded-For deny all
> 
>> request_header_access Via deny all
> 
>> request_header_access All allow all
> 
>> ########################################
> 
>> acl ipxx myip xx acl ipxx myip xx acl ipxx myip xx
> 
> 
> 
>> #######################################
> 
>> tcp_outgoing_address xxxx ipxxx
> 
>> tcp_outgoing_address xxxx ipxxx
> 
> 
> 
>> tcp_outgoing_address xxxx ipxxx
> 
> 
> 
>> tcp_outgoing_address xxxx ipxxx
> 
> 
> 
>> #####################################
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>> squid -v
> 
>> Squid Cache: Version 3.1.10
> 
>> configure options:  '--build=i386-redhat-linux-gnu' 
>> '--host=i386-redhat-linux-gnu' '--target=i686-redhat-linux-gnu' 
>> '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' 
>> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' 
>> '--datadir=/usr/share' '--includedir=/usr/include' 
>> '--libdir=/usr/lib' '--libexecdir=/usr/libexec' 
>> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
>> '--infodir=/usr/share/info' '--enable-internal-dns' 
>> '--disable-strict-error-checking' '--exec_prefix=/usr' 
>> '--libexecdir=/usr/lib/squid' '--localstatedir=/var' 
>> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
>> '--with-logdir=$(localstatedir)/log/squid' 
>> '--with-pidfile=$(localstatedir)/run/squid.pid' 
>> '--disable-dependency-tracking' '--enable-arp-acl' 
>> '--enable-follow-x-forwarded-for' 
>> '--enable-auth=basic,digest,ntlm,negotiate' 
>> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-
>>
>> 
domain
> 
> 
> -NTLM,SASL,DB,POP3,squid_radius_auth'
>> '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' 
>> '--enable-digest-auth-helpers=password,ldap,eDirectory' 
>> '--enable-negotiate-auth-helpers=squid_kerb_auth' 
>> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,w
>>
>> 
binfo_
> 
> 
> group' '--enable-cache-digests'
> '--enable-cachemgr-hostname=localhost'
>> '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' 
>> '--enable-ident-lookups' '--with-large-files' 
>> '--enable-linux-netfilter' '--enable-referer-log' 
>> '--enable-removal-policies=heap,lru' '--enable-snmp'
>> '--enable-ssl' '--enable-storeio=aufs,diskd,ufs'
>> '--enable-useragent-log' '--enable-wccpv2' '--enable-esi'
>> '--with-aio' '--with-default-user=squid'
>> '--with-filedescriptors=16384' '--with-dl' '--with-openssl'
>> '--with-pthreads' 'build_alias=i386-redhat-linux-gnu' 
>> 'host_alias=i386-redhat-linux-gnu' 
>> 'target_alias=i686-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall 
>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
>> --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom 
>> -fasynchronous-unwind-tables -fpie' 'LDFLAGS=-pie' 'CXXFLAGS=-O2
>> -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
>> -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686
>> -mtune=atom -fasynchronous-unwind-tables -fpie' 
>> --with-squid=/builddir/build/BUILD/squid-3.1.10
> 
> 
> 
> 
> 
>> cheers
> 
> 
> 
> 
>> _______________________________________________ squid-users
>> mailing list squid-users at lists.squid-cache.org 
>> http://lists.squid-cache.org/listinfo/squid-users
> 
> _______________________________________________ squid-users mailing
> list squid-users at lists.squid-cache.org 
> http://lists.squid-cache.org/listinfo/squid-users
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJU51/jAAoJENNXIZxhPexGv3sH/3iTphx+a2qq1w1oP5FyqGaW
L/Xmsu+f/2TDQIF7lnUIQBh8W7yDSD9kW7H7ucT3HEGgJKlw7bll/PZPgqQsj1fR
Q3wn7bY7b6ez5hoHtswUmf6SktA8zG3eTOv0xOf7afOrjzI9jlm+v6MBVCZ4qJT7
wFsTDoFFxjNnSq3wA6k83bidA3kmY7SmCq+XjGw90GNlp4IYdFK94wz61lkgfB1+
pgE6tJNftZlD4Owf22wvn62xUMdDqlhYA72wK4lyopXTg4PtJUVIGXsZ5Lyo+yjT
4xPyIPrAJXqMGC8Miu+K9DUEXkHTZcce1EmACfm2NTlIo5cIxFSQoYsEqC5uQMg=
=O5ER
-----END PGP SIGNATURE-----

