Hi,

Any suggestions about this problem.

Thanks and Best Regards,
Saleh

> Dears,
>
> I have set up a transparent proxy with the TPROXY feature and WCCP.
>
> Below is my squid configuration
>
> http_port SQUIDIP:3129 tproxy disable-pmtu-discovery=always
>
> wccp2_router ROUTERIP
> wccp_version 2
> wccp2_forwarding_method 2
> wccp2_return_method 2
> wccp2_assignment_method mask
> wccp2_service dynamic 87
> wccp2_service_info 87 protocol=tcp flags=src_ip_hash priority=240 ports=80
> wccp2_service dynamic 97
> wccp2_service_info 97 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
>
>
> iptables -t mangle -F
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -i eth0 -p tcp ! -s SQUIDIP --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> ip rule add fwmark 1 lookup 100
> ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
>
> Squid Version: 3.2.0.12 compiled with libcap2
> Kernel : 2.6.37-1
>
> It works without any problem, but in whatismyip.com I see the squid real
> IP address, not the real client IP address. I would greatly appreciate
> any idea to resolve this problem.
>
> Many thanks and Best Regards,
> Saleh
>
>> 2011/9/19 Khemara Lyn <lin.kh@xxxxxxxxxxxx>:
>>> Dear Sir Amos,
>>>
>>> Thank you for your response and being helpful always.
>>>
>>> My squid.conf does have that "forwarded_for on" but I think those
>>> public upload/download file-sharing sites (fileserve, rapid share,
>>> etc.) are smart enough to detect the header.
>>>
>>> Or is there a way to find out all the IP ranges used by those sites?
>>> I would like to be able to block those IP ranges in the WCCP access
>>> list so that accesses to those sites will bypass my Squid box.
>>>
>>> Regards,
>>> Khem
>>>
>>> On 09/20/2011 08:53 AM, Amos Jeffries wrote:
>>>>
>>>> On Mon, 19 Sep 2011 14:59:54 +0700, Khemara Lyn wrote:
>>>>>
>>>>> On 09/18/2011 04:38 PM, Saleh Madi wrote:
>>>>>>
>>>>>> Dears,
>>>>>>
>>>>>> How could I configure squid to show the clients' real IP address
>>>>>> instead of the squid IP address?
>>>>>> The problem is that all clients get the same IP address, which makes
>>>>>> problems in file-sharing websites like mega upload, rapidshare and
>>>>>> other websites.
>>>>>> We use squid in transparent mode with WCCP, please advise how to
>>>>>> resolve this problem.
>>>>>>
>>>>>> Many thanks,
>>>>>> Saleh Madi
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>
>>>>> I have the same query but doubt if it is possible at all, esp. with
>>>>> WCCP.
>>>>>
>>>>> What I could do so far is that I configure the Squid box to have
>>>>> multiple IPs and multiple gateways (5 of them) with IPRoute2, "ip
>>>>> route". Each time, it could appear as a different IP but still get
>>>>> blocked by those file-sharing Web sites as you mentioned.
>>>>>
>>>>> I would greatly appreciate any better idea.
>>>>>
>>>>> Thanks & regards,
>>>>> Khem
>>>>
>>>>
>>>> WCCP passes packets unchanged to the Squid box.
>>>>
>>>> You need two things:
>>>> 1) to pass the IP through, using "forwarded_for on". Which permits
>>>>    Squid to send the X-Forwarded-For header with Client IP.
>>>> 2) the website to be smart enough to make use of the header. Some
>>>>    sites do not support or choose not to trust that HTTP header.
>>>>
>>>>
>>>> Alternatively you could set up a transparent proxy with the TPROXY
>>>> feature. Spoofing the client inbound IP on the outbound traffic. This
>>>> does work with WCCP, but is a bit tricky.
>>>> http://wiki.squid-cache.org/Features/Tproxy4
>>>>
>>>> Amos
>>>>
>>
>> Maybe you may use a spool of public keys and also use the squid
>> url_rewrite capability of 2.7 to cache files so this will reduce that
>> symptom. How many IPs, how to configure squid is not easy to say, it
>> requires analysis, but it is a workaround if the X-Forwarded doesn't
>> work.
>>
>> Khem, it is nice to know of you. Please contact me offline.
>>
>> LD
>> http://www.twitter.com/ldlq
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
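
Amos's second point in the quoted thread, that a site may choose not to trust X-Forwarded-For, shown as an added example (not part of the thread): a sketch of how an origin server could pick the address to attribute a request to, honoring the header only when the TCP peer is a proxy it trusts. The function names, the trusted network and all addresses are constructed for illustration.

```python
import ipaddress

# Assumption: the only proxies this origin trusts (documentation range).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]


def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_header):
    """Return the address the origin should attribute the request to.

    peer       -- source address of the TCP connection
    xff_header -- raw X-Forwarded-For value, or None
    """
    peer_addr = ipaddress.ip_address(peer)
    # A header sent by an untrusted peer is caller-controlled: ignore it.
    if not xff_header or not _trusted(peer_addr):
        return str(peer_addr)
    # Each proxy appends the address it received from, so walk right to left
    # and stop at the first hop that is not one of our own proxies.
    current = peer_addr
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified hop
        current = addr
        if not _trusted(addr):
            break  # entries further left were supplied by this hop
    return str(current)
```

A Squid box with "forwarded_for on" that is not in the site's trusted list falls into the first branch, so the site sees the Squid address; with TPROXY spoofing the peer address is already the client's.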