Chris, Thanx for your quick answer. We´ve also tried that, now that you mencion it, we are still trying a few combinations of the following lines. header_access Via deny all / none header_access X-Forwarded-For deny all / none via off / on / deny forwarder_for off / on / deny The best result we´ve got is that is not detecting the proxy server..........but it is still going out with proxy ips. Some conclusion left we are studying are: -Our squid has only one nic, not two like lots of examples here. (eth0 + gre0) -We are using REDIRECT in iptables instead of nat........has anything to do with that? -We are trying transparently (not setting proxy con IE) and forcing it.......results are the same i guess? -----Mensaje original----- De: Chris Robertson [mailto:crobertson@xxxxxxx] Enviado el: Miércoles, 16 de Mayo de 2007 05:36 p.m. Para: squid-users@xxxxxxxxxxxxxxx Asunto: Re: Really transparent proxy Facundo Vilarnovo wrote: > Zul, > What variables are you referring to? We test setting up the proxy ip on the IE. > Pointing to port 3128 using http://www.whatsmyipaddress.com, as a result it says it passes the original source ip address (client's ip), but detects a proxy server. Doing totally "transparent" with wccp, nothing configured on IE, we get the same results. > The point is we are still getting the proxy detected. Using variables like via and XFF, the result of using the XFF and via is that passes the client ip address or don't. While the above is correct... > it's seems to have nothing to do with the problem of the cache being visible or don't. > ...this is not. > Via off XFF off = clients source ip it's shown, proxy detected. > Makes sense. You are still transmitting a X-Forwarded-For header. Just not populating it with data. > Via on XFF on = clients source ip it's not shown (shows proxy ip), proxy not detected. > This is a bit of a mystery. Perhaps the script is being tricked by having a valid XFF and VIA header which don't agree with the client source address. > Tnxs! > Facundo Vilarnovo > In any case, setting the tag "forwarded_for" to "off" in the squid.conf file does not prevent its addition by Squid (see http://www.squid-cache.org/Versions/v2/HEAD/cfgman/forwarded_for.html). Setting "via off" only prevents the instance of Squid where it is set from adding its own Via header. Try using... header_access Via deny all header_access X-Forwarded-For deny all ...and accessing whatsmyipaddress.com. You might have better luck. Chris
