Re: Squid clients inside a firewall

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 28 Jun 1999 23:06:16 +0200

Raul Herbosa wrote:
>
> Hello,
>
> I'm configuring a squid2.2.STABLE3 web cache inside a NAI (old TIS) firewall
> and my problem is to configure it for receiving in the firewall the real
> client IP or name, instead of the webcache itself. It is needed to audit the
> use of our Internet bandwidth.
>
> Is it possible?

Both yes and no.

The simplest and most reliable (from a network operations point of view,
not accounting/auditing) option is to modify the firewall to get the
client IP address from the request header X-Forwarded-For on requests
from trusted proxy servers.

Another option is to move the caching outside of your firewall.

A third option is to modify the accounting to take into account the
statistics collected in Squid's access logs.

The most dangerous option is to run Squid with reverse NAT to masquerade
as the client when forwarding requests, but this is for sure not an easy
task and is often not possible due to network topology and other
factors. At this time you should not even think of investigating this
unless you fully understand the issues in transparent interception of
TCP traffic, are familiar with C-coding and not afraid of making code
modifications both to Squid and the TCP/IP implementation of your kernel
(if at all possible).

> I don't know if this email address can be used for this kind of questions,
> if it isn't I apologize for it.

Squid-users is the right forum for such questions. No need to apologize
;-). Squid-users is for discussions around Squid and its applications,
and this obviously is an application of Squid.

--
Henrik Nordstrom
Spare time Squid hacker
Received on Mon Jun 28 1999 - 15:25:17 MDT
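
Added example, not part of the original message and not code from Squid or the firewall product: a sketch of the first option above, where the audit address is taken from X-Forwarded-For only when the connection comes from a trusted proxy. The proxy address 192.0.2.10, the client addresses and the function names are constructed assumptions.

```python
import ipaddress

# Constructed assumption: the only proxy allowed to vouch for its clients.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def audit_client_ip(peer_ip, xff_header):
    """Return the address to record for auditing.

    peer_ip    -- source address of the TCP connection as seen by the firewall
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header sent by an untrusted peer is client-controlled, so ignore it
    # and account the traffic to the connection's own source address.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Each proxy appends the address it received the request from, so only
    # the right-hand end of the list was written by a trusted hop. Walk from
    # the right and stop at the first entry that is not itself a trusted proxy.
    candidate = peer
    for token in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(token.strip())
        except ValueError:
            # Non-address token such as "unknown": keep the last verified hop.
            break
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed requests: (connection source, X-Forwarded-For header).
    for peer, xff in [("192.0.2.10", "10.1.2.3"),
                      ("10.1.2.3", "10.9.9.9"),
                      ("192.0.2.10", "10.9.9.9, 10.1.2.3")]:
        print(peer, repr(xff), "->", audit_client_ip(peer, xff))
```

Entries to the left of the first untrusted address are whatever the client chose to send, which is why the walk stops there instead of taking the leftmost value.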
