SQUID as Httpd-accelerator, 2webservers, transparent routing problem. Pls help!
I have read ezine.daemonnews.org/200202/multiweb.html about squid and so, and I got it working with a configuration simulair to that. Except for that I dont use BINDs, Im just using /etc/hosts for resolving the names.
Its just that one issue remains a mystery, and I can't find a solution for it anywhere. Its forwarding the clients IP number.
I can see in the squid logs that internet clientís ip number is coming to squid. But after the squid itís only the squids own IP number that being forwarding. So I can't have any statistics over the sites. And I can't block specific ip's on the web servers etc.
Is there a way to make squid forwarding the clients ip number to the web servers?
Is there another way to get this working?
The setup i have is like this:
One hardware fiewall/router, one server with linux/squid/apache and one server with IIS.
So its 2 webservers in same network behind ONE IP and changing webserver ports is not an option so that the user have to put port number after url.
The configuration I have now is that firewall/router is transfering all http traffic on port 80 to the squid on the linux server, the squid resolves the hostheader for the domain name its going to and rerouted the traffic to the right webserver.
BUT changes the IP number to SQUIDS local ip.
Is there another way without squid to resolv hostheaders and forward top the right webserver WITHOUT losing the clients IP adress?
Or how do I make SQUID to transfer the clients ip adress?
Please ask me more if you dont understand my english or question or get my setup. I would be very happy if anyone have the time to give me a hint.
I know its possible, its on linux ;)
Thank you in advance.
This has nothing to do with squid. Squid doesn't change iptable firewall settings. And squid can't give you 2 static external IP's when you only have 1. Each server must have it's own external static ip if they need their own static ip.
Your network setup is incorrect, not the proxy server. Using common sense, how does the external box connecting to 126.96.36.199 know that port 80 is going to 10.10.10.3 or 10.10.10.4. It can only go to one ip. And that setting is made via iptables on the proxy box. So you are essentially going through 2 firewalls.
I'm quite sure it has to do with squid.
I do have compiled the kernel with all network support.
And this is a quote from another guy:
"Squid really makes a new TCP connection to the webserver, so the IP address of Squid shows up at the webserver."
But there should be away to make squid transfer the ip with the rest of headers etc.
The externel box dont, squid know if its going to 10.10.10.3 or 10.10.10.4. Quz its reading the headers. The domainname/url.
Anyone else have some solution?
Does ipchain read and transfer headers?
What you want, if I got it right, is a Transparent proxy intead of Squid doing NAT.
You have to configure Squid for transparent mode and change your iptables configuration.
Check here for more details:
Hope it helps.
Yes, this is what I do.
My squid.conf does include the lines:
(or whatever port you want to proxy)
But this is what i have problem with.
I can see on the url you pasted, they mentioned the problem.
Here it is:
You can lose the source address of the request if the proxy box isn't also the traffic interceptor. You can correct this by using destination NAT instead of packet redirection, and making sure the proxy routes all traffic back through the intercepting box, including traffic to its clients. (Alternatively, ensure that the proxy is the intercepting box.)
Now I have to find what this means...
First of all, you have got to isolate the problem. My opinion is that you have a problem in packet forwarding, not in squid. Can you check the logs in the machine running squid? What ip's do you see there? The clients' ones or the internal interface address of your firewall? The problem could start there...
Also i see you have not mentioned anything about the way you configured iptables... did you configured iptables as in the example?
Yes, the logfiles in /var/log/squid/access shows all clients real ip adresses. So , so far all is good.
All I have done to iptables for now is:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
But that dont seems enouth. Before I dident use iptables since i changed squidport to 80.
So yes, I think I have some wrong configuration in my iptables.
Dont know how set them up now.
|All times are GMT -5. The time now is 03:07 PM.|