explicit proxy and iptables

explicit proxy and iptables

Vieri
Hi,

I've been using Squid + TPROXY in transparent sslbump mode for quite a while now, but I'd like to use an explicit proxy with user authentication instead.

I have Squid on my first firewall/gateway node, and then I have another gateway (node 2) where all the HTTP requests go through, with multiple ISPs.

In transparent tproxy mode, I can obviously mark packets according to the "real" client src IP addresses and then use, e.g., different ISPs based on client src addr.

In the explicit setup, the gateway (node 2) only sees one IP address as HTTP source -- the one on the "first node" with the explicit Squid proxy. I presume that in this case there is NO WAY I can somehow inform the gateway on node 2 of the "real" client IP addresses?

I can imagine the answer to this silly question, but nonetheless I prefer to ask just to make sure. ;-)

Thanks,

Vieri
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: explicit proxy and iptables

Matus UHLAR - fantomas
On 27.04.20 15:27, Vieri wrote:

> I've been using Squid + TPROXY in transparent sslbump mode for quite a
> while now, but I'd like to use an explicit proxy with user authentication
> instead.
>
> I have Squid on my first firewall/gateway node, and then I have another
> gateway (node 2) where all the HTTP requests go through, with multiple
> ISPs.
>
> In transparent tproxy mode, I can obviously mark packets according to the
> "real" client src IP addresses and then use, e.g., different ISPs based on
> client src addr.
>
> In the explicit setup, the gateway (node 2) only sees one IP address as
> HTTP source -- the one on the "first node" with the explicit Squid proxy.
> I presume that in this case there is NO WAY I can somehow inform the
> gateway on node 2 of the "real" client IP addresses?

Correct.  However, you can configure the first proxy to add a proper
X-Forwarded-For address and configure the second proxy to trust the
X-Forwarded-For from the first proxy, so the second proxy can make a decision
on how to route the request, based on the trusted client source IP address
passed through the X-Forwarded-For header.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
On the other hand, you have different fingers.
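As an added illustration (not from either poster) of the two-proxy setup Matus describes, here is a sketch of the relevant squid.conf directives on both nodes. It assumes node 1 (10.0.0.1) forwards all requests to a second Squid on node 2 (10.0.0.2:3128) and that node 2 has two ISP uplink addresses; all addresses, subnets and ACL names are constructed.

```conf
# --- node 1 (explicit, authenticating proxy): squid.conf ---
# Hand every request to the node-2 proxy as a parent; never go direct.
cache_peer 10.0.0.2 parent 3128 0 no-query default
never_direct allow all
# Append the real client address to X-Forwarded-For. "on" is Squid's default;
# "transparent" or "delete" would hide the client address from node 2.
forwarded_for on

# --- node 2 (gateway, second Squid): squid.conf ---
acl node1 src 10.0.0.1
# Trust X-Forwarded-For ONLY when the request arrives from node 1. Headers
# from any other sender are ignored, so a client cannot pick its own ISP by
# adding a forged X-Forwarded-For header itself.
follow_x_forwarded_for allow node1
follow_x_forwarded_for deny all
# Make "src"-type ACLs match the indirect (X-Forwarded-For) client address
# instead of node 1's address.
acl_uses_indirect_client on

# Routing policy by real client subnet (constructed subnets). Either bind the
# outgoing connection to the chosen ISP's uplink address ...
acl sales src 192.168.10.0/24
acl engineering src 192.168.20.0/24
tcp_outgoing_address 203.0.113.10 sales          # ISP A uplink (constructed)
tcp_outgoing_address 198.51.100.10 engineering   # ISP B uplink (constructed)
# ... or set a netfilter mark on the outgoing socket (Linux only) so the
# existing iptables / ip rule policy routing on node 2 keeps selecting the ISP.
tcp_outgoing_mark 0x10 sales
tcp_outgoing_mark 0x20 engineering
```

The http_access rules and the authentication scheme on node 1 are omitted; the point is that node 2 never trusts the header from anywhere except node 1.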