LinuxQuestions.org
Old 10-15-2003, 05:33 PM   #1
sailor
LQ Newbie
 
Registered: Oct 2003
Posts: 4

Rep: Reputation: 0
SQUID as Httpd-accelerator, 2webservers, transparent routing problem. Pls help!


Hello.

I have read ezine.daemonnews.org/200202/multiweb.html about squid and so on, and I got it working with a configuration similar to that. Except that I don't use BIND; I'm just using /etc/hosts for resolving the names.

It's just that one issue remains a mystery, and I can't find a solution for it anywhere. It's forwarding the client's IP number.

I can see in the squid logs that the internet client's IP number is coming to squid. But after squid it's only squid's own IP number that is being forwarded. So I can't have any statistics over the sites. And I can't block specific IPs on the web servers etc.

Is there a way to make squid forward the client's IP number to the web servers?


OR...

Is there another way to get this working?
The setup I have is like this:
One hardware firewall/router, one server with Linux/squid/Apache and one server with IIS.
So it's 2 webservers in the same network behind ONE IP, and changing webserver ports is not an option, since the user would then have to put the port number after the URL.

The configuration I have now is that the firewall/router is transferring all HTTP traffic on port 80 to squid on the Linux server; squid resolves the host header for the domain name it's going to and reroutes the traffic to the right webserver.
BUT changes the IP number to SQUID's local IP.

Is there another way without squid to resolve host headers and forward to the right webserver WITHOUT losing the client's IP address?

Or how do I make SQUID transfer the client's IP address?

Please ask me more if you don't understand my English or my question or don't get my setup. I would be very happy if anyone has the time to give me a hint.
I know it's possible, it's on Linux

Thank you in advance.
Regards Sailor
 
Old 10-16-2003, 03:07 AM   #2
Thoreau
Senior Member
 
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167

Rep: Reputation: 45
This has nothing to do with squid. Squid doesn't change iptables firewall settings. And squid can't give you 2 static external IPs when you only have 1. Each server must have its own external static IP if they need their own static IP.

Your network setup is incorrect, not the proxy server. Using common sense, how does the external box connecting to 164.60.60.2 know that port 80 is going to 10.10.10.3 or 10.10.10.4? It can only go to one IP. And that setting is made via iptables on the proxy box. So you are essentially going through 2 firewalls.
 
Old 10-16-2003, 04:47 AM   #3
sailor
LQ Newbie
 
Registered: Oct 2003
Posts: 4

Original Poster
Rep: Reputation: 0
I'm quite sure it has to do with squid.
I have compiled the kernel with all network support.
And this is a quote from another guy:
"Squid really makes a new TCP connection to the webserver, so the IP address of Squid shows up at the webserver."
But there should be a way to make squid transfer the IP with the rest of the headers etc.

The external box doesn't; squid knows whether it's going to 10.10.10.3 or 10.10.10.4, because it's reading the headers: the domain name/URL.

Does anyone else have a solution?
Does ipchain read and transfer headers?
 
Old 10-16-2003, 06:09 AM   #4
ncorreia
Member
 
Registered: Apr 2003
Distribution: Red Hat
Posts: 37

Rep: Reputation: 15
Hi,

What you want, if I got it right, is a transparent proxy instead of Squid doing NAT.

You have to configure Squid for transparent mode and change your iptables configuration.

Check here for more details:

http://linux.oreillynet.com/pub/a/li...ent_proxy.html

Hope it helps.

Bye
 
Old 10-16-2003, 06:19 AM   #5
sailor
LQ Newbie
 
Registered: Oct 2003
Posts: 4

Original Poster
Rep: Reputation: 0
Yes, this is what I do.

My squid.conf does include the lines:

httpd_accel_host virtual
httpd_accel_port 80
(or whatever port you want to proxy)
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

But this is what I have a problem with.
I can see at the URL you pasted that they mention the problem.
Here it is:

You can lose the source address of the request if the proxy box isn't also the traffic interceptor. You can correct this by using destination NAT instead of packet redirection, and making sure the proxy routes all traffic back through the intercepting box, including traffic to its clients. (Alternatively, ensure that the proxy is the intercepting box.)

Now I have to find what this means...
 
Old 10-16-2003, 08:45 AM   #6
ncorreia
Member
 
Registered: Apr 2003
Distribution: Red Hat
Posts: 37

Rep: Reputation: 15
Hi again,

First of all, you have got to isolate the problem. My opinion is that you have a problem in packet forwarding, not in squid. Can you check the logs on the machine running squid? What IPs do you see there? The clients' ones or the internal interface address of your firewall? The problem could start there...
Also, I see you have not mentioned anything about the way you configured iptables... did you configure iptables as in the example?
 
Old 10-16-2003, 10:08 AM   #7
sailor
LQ Newbie
 
Registered: Oct 2003
Posts: 4

Original Poster
Rep: Reputation: 0
Yes, the logfiles in /var/log/squid/access show all the clients' real IP addresses. So, so far all is good.
All I have done to iptables for now is:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

But that doesn't seem to be enough. Before, I didn't use iptables since I changed the squid port to 80.

So yes, I think I have some wrong configuration in my iptables.
I don't know how to set them up now.
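
Added example, not part of the thread: because Squid opens its own TCP connection to the web server, the client's address can only reach the backend inside the request, normally in the X-Forwarded-For header that Squid appends (its forwarded_for setting). This Python sketch shows how a backend can recover the client IP for statistics and blocking while ignoring the header unless the connection really comes from the proxy. The proxy address 10.10.10.2, the function names and the sample requests are assumptions made for the example.

```python
import ipaddress

# Assumption: the Squid box connects to the web servers from 10.10.10.2.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.10.2/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer, xff):
    """Return the address to log or to match block rules against.

    peer: source address of the TCP connection as the web server sees it.
    xff:  raw X-Forwarded-For header value, or None if absent.
    """
    peer_addr = ipaddress.ip_address(peer)
    # A header sent by anything other than our own proxy is client-controlled.
    if not _is_trusted(peer_addr) or not xff:
        return str(peer_addr)
    # Each proxy appends the address it saw, so read right to left and stop
    # at the first hop that is not one of our proxies.
    candidate = peer_addr
    for token in reversed(xff.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = hop
        if not _is_trusted(hop):
            break
    return str(candidate)


# Constructed sample requests: (TCP peer, X-Forwarded-For header).
SAMPLE_REQUESTS = [
    ("10.10.10.2", "203.0.113.7"),              # normal request via Squid
    ("10.10.10.2", "192.0.2.1, 203.0.113.7"),   # client forged its own entry
    ("198.51.100.9", "10.10.10.3"),             # direct hit, header ignored
    ("10.10.10.2", "unknown"),                  # unusable header value
]


def resolve_samples():
    return [effective_client_ip(peer, xff) for peer, xff in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for request, result in zip(SAMPLE_REQUESTS, resolve_samples()):
        print(request, "->", result)
```

The forged entry in the second sample is skipped because only the value appended by the trusted proxy is used, so a blocklist keyed on this result cannot be bypassed by sending a fake header.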
 
  

