LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 01-08-2011, 12:39 AM   #1
blackfish
Squid forwarded_for appears to not work


Hi All

I currently have the setup shown below:

[Internet] - [Gateway Appliance] - [Squid Server] - Client Workstations.

I have configured squid 3.1.6 on Ubuntu 10.10 and have got it working.

However, when I add the line:

forwarded_for transparent

the HTTP header should remain unaltered (this is my understanding, anyway).

What I want to achieve is that when a client computer connects via the Squid server, it is routed via the Gateway Appliance and out onto the internet. But using forwarded_for transparent, I want the content filter list to show the source computer's client IP address and NOT the IP of the Squid server.

Is this possible? If so, could someone point me in the right direction on getting it working?

Many Thanks,

BlackFish
Old 01-08-2011, 05:27 AM   #2
acid_kewpie
You are interpreting the docs wrong. The directive is all about the X-Forwarded-For header: adding, removing, replacing or ignoring it. It has nothing at all to do with the actual IP address used. Squid is a proxy, so all traffic leaving it will come from its address. That's how proxies work.

What issue are you trying to deal with where this would be desirable?
Old 01-09-2011, 03:02 PM   #3
blackfish
The issue I am trying to overcome is this.

I have 2 sites linked via VPN to a central network. What I want to achieve is for Web Traffic to route via the VPN onto the central network, so it is protected by the UTM.

I've found that routing the traffic via the Squid proxy works; passing an iptables command on the VPN router to redirect via the UTM just loads the web interface for the UTM. This is not the case when routing through Squid.

But the problem I then have to overcome is that the computers on sites 1 and 2 need different security policies, which are done on the UTM. The problem is that when the traffic routes through the Squid server, the source IP address changes from the client IP to the Squid server IP, which causes the security policies not to work.

What would you suggest?
Old 01-09-2011, 04:22 PM   #4
acid_kewpie
I *think* I would suggest making the configuration of the Squid box comply with the relevant sites' security policies. As the traffic passes through the proxy it becomes sanctioned, special traffic, and should be able to be treated differently by other security appliances. It depends what kind of UTM you're referring to, but it's possible they themselves may be able to use the X-Forwarded-For headers?

Another angle may be to look at the tcp_outgoing_address option, which appears to let you set arbitrary source addresses for the outgoing connection. These are statically defined, and would need to route to the Squid box itself, but you could have two different addresses leaving the box, one for each site, etc.
Old 01-10-2011, 09:47 AM   #5
blackfish
Thanks acid_kewpie

The tcp_outgoing_address option would suit my requirements perfectly! I can then add the ACL of each subnet the sites are on, then use the tcp_outgoing_address setting to define which IP to route the traffic from, and configure the UTM to pick up the separate IP addresses. Thanks for pointing me in the right direction.

BlackFish
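The configuration acid_kewpie suggests in #4 and BlackFish plans in #5 (one ACL per site subnet, each mapped to its own outgoing address), written out as an added squid.conf example that is not from this thread or from the Squid project. The site subnets (10.1.0.0/24, 10.2.0.0/24) and the two outgoing addresses (192.0.2.11, 192.0.2.12) are assumed placeholders. It also shows where forwarded_for from #1 and #2 fits, since that directive only touches the X-Forwarded-For header and not the source address the UTM sees.

```conf
# Added example, not from the thread. All subnets and addresses below are
# assumed placeholders; substitute the real site ranges and proxy addresses.

# One ACL per site, keyed on the client's source subnet
acl site1 src 10.1.0.0/24
acl site2 src 10.2.0.0/24

# Only the two sites may use the proxy; everything else is refused
http_access allow site1
http_access allow site2
http_access deny all

# Choose the source address of Squid's server-side connection by client ACL.
# The first matching line wins. Both addresses must be configured on the
# Squid box (for example as secondary addresses on the interface facing the
# gateway/UTM) and must route back to it, or replies never return.
tcp_outgoing_address 192.0.2.11 site1
tcp_outgoing_address 192.0.2.12 site2

# Client-dependent tcp_outgoing_address does not mix with server-side
# persistent connections: a pooled connection opened for a site1 client
# could be reused for a site2 client and the UTM would apply the wrong policy.
server_persistent_connections off

# forwarded_for controls only the X-Forwarded-For header, never the source IP.
# 'transparent' passes whatever header the client sent through untouched;
# 'delete' strips it, so the UTM keys its policy solely on the two addresses
# above rather than on a header the client controls.
forwarded_for delete
```

With this in place the UTM sees 192.0.2.11 for site 1 and 192.0.2.12 for site 2, which is enough to apply a per-site policy; per-host policy inside a site is still not possible through the proxy this way. If the UTM is instead meant to read X-Forwarded-For (the option raised in #4), keep in mind that a client can set that header itself, so with forwarded_for transparent the UTM should only trust it on connections arriving from the proxy's addresses.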