Hi, Amos

> Ah, you need the follow_x_forwarded_for feature on Proxy(1).

That's right, I know about that, but I'd like to use "source address
spoofing"... Just following alone makes me anxious.

replacing (in tunnelStart(), tunnel.cc)

>     sock = comm_openex(SOCK_STREAM,
>                        IPPROTO_TCP,
>                        temp,
>                        COMM_NONBLOCKING,
>                        getOutgoingTOS(request),
>                        url);

with

>     if (request->flags.spoof_client_ip) {
>         sock = comm_openex(SOCK_STREAM,
>                            IPPROTO_TCP,
>                            temp,
>                            (COMM_NONBLOCKING|COMM_TRANSPARENT),
>                            getOutgoingTOS(request),
>                            url);
>     } else {
>         sock = comm_openex(SOCK_STREAM,
>                            IPPROTO_TCP,
>                            temp,
>                            COMM_NONBLOCKING,
>                            getOutgoingTOS(request),
>                            url);
>     }

I think it has no harmful effects. I long for that.
Would you modify that?

Sincerely,
--
Mikio Kishi

On Sun, Apr 12, 2009 at 1:25 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> Mikio Kishi wrote:
>>
>> Hi, Amos
>>
>>> What exactly are you trying to achieve with this?
>>
>> I'm really sorry... It's a little bit difficult to explain...
>> The following is the more detail.
>>
>> ----------------------------
>>         The Internet
>> -----------+----------------
>>            |
>> -----------+----------------
>>            |
>>     +------+------+
>>     |    squid    | (1)
>>     |  (tcp/8080) |
>>     +------+------+
>>            |.2
>> -----------+---------------- 10.0.0.0/24
>>            |.1
>>         +--+--+
>>         |  R  |
>>         +--+--+
>>            |.1
>> -----------+---------------- 192.168.0.0/24
>>            |.2
>>     +------+------+
>>     |   squid +   |
>>     |   tproxy    | (2)
>>     |  (tcp/8080) |
>>     +------+------+
>>            |.2
>> -----------+---------------- 192.168.1.0/24
>>            |.3
>>         +--+-----+
>>         | client |
>>         +--------+
>>
>> - The demand
>>   - The client must use proxy(2) using tcp/8080
>>     - by browser settings
>>       HTTP  -> proxy(2) (192.168.1.2:8080)
>>       HTTPS -> proxy(2) (192.168.1.2:8080)
>>     - proxy(2) doesn't have to be "transparent"
>>   - The proxy(2)'s parent proxy must be proxy(1)
>>     using cache_peer
>>   - Both proxy(1) and proxy(2) must record
>>     "client original source address" in access log for security action
>>     !!! It's most important !!!
>>
>> I think that I have to use tproxy (not transparent)
>> to achieve above demands... what do you think?
>
> Ah, you need the follow_x_forwarded_for feature on Proxy(1).
>
> proxy(2) will always be trying to set X-Forwarded-For header indicating the
> client IP. Which gets passed to proxy(1).
>
> By enabling follow_x_forwarded_for and log_uses_indirect_ip. proxy(1) should
> log the original client IP.
>
> http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/
> http://www.squid-cache.org/Doc/config/log_uses_indirect_client/
>
>
> Amos
>
>> Sincerely,
>> --
>> Mikio Kishi
>>
>> On Thu, Apr 9, 2009 at 4:54 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx>
>> wrote:
>>> Mikio Kishi wrote:
>>>> Hi, Amos
>>>>
>>>>> HTTPS encrypted traffic cannot be intercepted.
>>>>
>>>> Yes, I know that. But, in this case, not "transparent".
>>>>
>>>>>            (1)                   (2)
>>>>>             |                     |
>>>>> +------+    |   +------------+    |   +---------+
>>>>> |WWW   +----+   |            |    +---+  WWW    |
>>>>> |Client|.2  | .1|   squid    |.1  | .2| Server  |
>>>>> +------+    +---+  + tproxy  +----+   |(tcp/443)|
>>>>>             |   | (tcp/8080) |    |   |(tcp/80) |
>>>>>             |   +------------+    |   +---------+
>>>>>      192.168.0.0/24          10.0.0.0/24
>>>>>
>>>>> (1) 192.168.0.2 ------> 192.168.0.1:8080
>>>>>                                    ^^^^^
>>>>> (2) 192.168.0.2 ------> 10.0.0.2:443
>>>>>                                  ^^^
>>>>
>>>> Just only thing I'd like to do is "source address spoofing"
>>>> using tproxy.
>>>>
>>>> Does that make sense?
>>>
>>> No. Squid is perfectly capable of making HTTPS links outbound without
>>> tproxy. The far end only knows that some client connected.
>>>
>>> HTTPS cannot be spoofed, it's part of the security involved with the SSL
>>> layer.
>>>
>>> What exactly are you trying to achieve with this?
>>>
>>> Amos
>>> --
>>> Please be using
>>>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>>>   Current Beta Squid 3.1.0.6
>>>
>
>
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>   Current Beta Squid 3.1.0.6
>
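The approach Amos recommends (proxy(2) adds X-Forwarded-For, proxy(1) trusts it only from proxy(2) and logs the indirect client) can be expressed as two squid.conf fragments. This is an added example, not configuration posted in the thread or shipped by the Squid project; the addresses are taken from the diagram above (proxy(1) at 10.0.0.2, proxy(2) at 192.168.0.2 toward R and 192.168.1.2 toward the client), it assumes R does not NAT proxy(2)'s traffic, and the acl names are made up for the example.

```text
# ---------- proxy(2): 192.168.1.2, the proxy the browser points at ----------
# (example configuration, not from the thread; acl names are invented)
http_port 192.168.1.2:8080

acl clientnet src 192.168.1.0/24
http_access allow clientnet
http_access deny all

# Everything, including CONNECT for HTTPS, is relayed to proxy(1) as the
# parent; never_direct keeps proxy(2) from bypassing the parent.
cache_peer 10.0.0.2 parent 8080 0 no-query default
never_direct allow all

# Default is already "on": each relayed request carries
# X-Forwarded-For: <original client address>, so proxy(1) can learn it.
forwarded_for on

# ---------- proxy(1): 10.0.0.2, the parent ----------
http_port 10.0.0.2:8080

# Trust X-Forwarded-For only when the request arrives from proxy(2)'s
# interface facing R. A header from any other source is untrusted and
# ignored, which is what prevents an arbitrary sender from forging a
# "client address" into the access log.
acl downstream_proxy src 192.168.0.2
follow_x_forwarded_for allow downstream_proxy
follow_x_forwarded_for deny all

# Write the indirect (original) client address to access.log instead of
# proxy(2)'s own address.
log_uses_indirect_client on

http_access allow downstream_proxy
http_access deny all
```

proxy(2) logs the client address directly because the browser connects to it; proxy(1) logs it through the trusted X-Forwarded-For chain, so both access logs carry 192.168.1.3 for the client's requests without proxy(2) having to spoof the client's source address toward proxy(1). Two checks worth doing: confirm the proxy(1) build includes follow_x_forwarded_for (in the 2.7/3.0 line it is a configure-time option), and keep the follow_x_forwarded_for acl restricted to the downstream proxy's exact address, since a broader match would let any host on that network choose what proxy(1) records.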