Dears,

I have set up a transparent proxy with the TPROXY feature and WCCP. Below is my squid configuration:

http_port SQUIDIP:3129 tproxy disable-pmtu-discovery=always
wccp2_router ROUTERIP
wccp_version 2
wccp2_forwarding_method 2
wccp2_return_method 2
wccp2_assignment_method mask
wccp2_service dynamic 87
wccp2_service_info 87 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 97
wccp2_service_info 97 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

iptables -t mangle -F
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i eth0 -p tcp ! -s SQUIDIP --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100

Squid Version: 3.2.0.12 compiled with libcap2
Kernel : 2.6.37-1

It works without any problem, but in whatismyip.com I see the squid real IP address, not the real client IP address. I would greatly appreciate any idea to resolve this problem.

Many thanks and Best Regards,
Saleh

> 2011/9/19 Khemara Lyn <lin.kh@xxxxxxxxxxxx>:
>> Dear Sir Amos,
>>
>> Thank you for your response and being helpful always.
>>
>> My squid.conf does have that "forwarded_for on" but I think those public
>> upload/download file-sharing sites (fileserve, rapid share, etc.) are smart
>> enough to detect the header.
>>
>> Or is there a way to find out all the IP ranges used by those sites?
>> I would like to be able to block those IP ranges in WCCP access list so that
>> accesses to those sites will bypass my Squid box.
>>
>> Regards,
>> Khem
>>
>> On 09/20/2011 08:53 AM, Amos Jeffries wrote:
>>>
>>> On Mon, 19 Sep 2011 14:59:54 +0700, Khemara Lyn wrote:
>>>>
>>>> On 09/18/2011 04:38 PM, Saleh Madi wrote:
>>>>>
>>>>> Dears,
>>>>>
>>>>> How could I configure the squid to appear with the clients' real IP address
>>>>> instead of the squid IP address,
>>>>> the problem is that all clients get the same IP address which makes
>>>>> problems in file sharing websites like mega upload, rapidshare and other
>>>>> websites
>>>>> we use squid in transparent mode with WCCP, please advise how to
>>>>> resolve this problem.
>>>>>
>>>>> Many thanks,
>>>>> Saleh Madi
>>>>>
>>>>>
>>>>> Hi,
>>>>
>>>> I have the same query but doubt if it is possible at all, esp. with
>>>> WCCP.
>>>>
>>>> What I could do so far is that, I configure the Squid box to have
>>>> multiple IPs and multiple gateways (5 of them) with IPRoute2, "ip
>>>> route". Each time, it could appear as a different IP but still get
>>>> blocked by those file-sharing Web sites as you mentioned.
>>>>
>>>> I would greatly appreciate any better idea.
>>>>
>>>> Thanks & regards,
>>>> Khem
>>>
>>>
>>> WCCP passes packets unchanged to the Squid box.
>>>
>>> You need two things:
>>> 1) to pass the IP through, using "forwarded_for on". Which permits Squid
>>> to send the X-Forwarded-For header with Client IP.
>>> 2) the website to be smart enough to make use of the header. Some sites
>>> do not support or choose not to trust that HTTP header.
>>>
>>>
>>> Alternatively you could set up a transparent proxy with the TPROXY feature.
>>> Spoofing the client inbound IP on the outbound traffic. This does work with
>>> WCCP, but is a bit tricky.
>>> http://wiki.squid-cache.org/Features/Tproxy4
>>>
>>> Amos
>>>
>>>
>>
>>
>
>
> Maybe you may use a spool of public keys and also use squid
> url_rewrite capability of 2.7 to cache file so this will reduce that
> symptom.
> How many IPs, how to configure squid is not easy to say, it
> requires analysis but it is a workaround if the X-Forwarded doesn't
> work.
>
> Khem, it is nice to know of you. Please contact me offline.
>
> LD
> http://www.twitter.com/ldlq
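
The two X-Forwarded-For conditions listed in the quoted reply, seen from the web site's side, as an added example that is not part of the original thread: a site only believes the header when the connecting address is a proxy it trusts, so an unknown Squid box is still attributed to its own IP, while TPROXY needs no header at all. The function name and all addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress


def client_ip_from_xff(peer_ip, xff_header, trusted_proxies):
    """Return the address a web site should attribute a request to.

    peer_ip         -- source address of the TCP connection the site sees
    xff_header      -- raw X-Forwarded-For value, or None if absent
    trusted_proxies -- networks whose X-Forwarded-For entries the site believes
    (hypothetical helper, not part of Squid or any web framework)
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(addr):
        return any(addr in net for net in nets)

    current = ipaddress.ip_address(peer_ip)
    if not xff_header:
        return str(current)

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk from the hop nearest the site outwards. An entry is believed only
    # if the sender that reported it is trusted; anything further left could
    # have been typed in by the client itself.
    for hop in reversed(hops):
        if not trusted(current):
            break
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # "unknown" or garbage: keep the last verified address
    return str(current)


# Constructed sample values.
SQUID = "203.0.113.10"    # proxy's public address
CLIENT = "198.51.100.7"   # real client behind the proxy

if __name__ == "__main__":
    # "forwarded_for on", but the site does not know this proxy.
    print(client_ip_from_xff(SQUID, CLIENT, []))
    # Same request, site has the proxy on its trusted list.
    print(client_ip_from_xff(SQUID, CLIENT, [SQUID + "/32"]))
    # Client forged a header; the proxy appended the real address after it.
    print(client_ip_from_xff(SQUID, "10.0.0.1, " + CLIENT, [SQUID + "/32"]))
    # TPROXY: the connection itself arrives from the client address.
    print(client_ip_from_xff(CLIENT, None, []))
```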