Hi,

For a month I have been trying to get client IP spoofing working, but with no success. I have googled all the forums on the web, but no success: the TPROXY configuration works, but the client IP spoofing doesn't work (kernel 2.6.37 with Debian squeeze and libcap2). Why does this problem occur for all users? Many of them are complaining about this problem without any solution. Is there a trick? I need an obvious solution to fix this problem. I hope we can solve it to be helpful to other users.

Many thanks and best regards,
Saleh

> On 12/10/11 22:19, nipun_mlist Assam wrote:
>> On Wed, Oct 12, 2011 at 11:05 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>> On 12/10/11 17:33, nipun_mlist Assam wrote:
>>>>
>>>> This may be relevant to this question.
>>>> While trying to use squid for transparent proxy (tproxy) on linux
>>>> (kernel 2.6.39 with centos 6.0), I noticed the following
>>>>
>>>> 1. Client IP spoofing doesn't work (but for our work, this requirement
>>>> was a must).
>>>
>>> In what way?
>>
>> The root web server was seeing the IP of the squid box, not of the
>> client machine for all http requests. I.e. the web server will see
>> that the HTTP requests are coming from the squid box. Our requirement
>> is that both the web servers and client machines should not be aware
>> of a squid proxy sitting in between, and hence they should not see the
>> IP of the squid box in HTTP-related traffic.
>>
>> squid.conf is as shown below (I am pasting only http_port related
>> lines):
>>
>> .
>> .
>> http_port 85 tproxy
>> http_port 86 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> .
>> .
>>
>> IPTABLES was configured as shown below (port 80 traffic is forwarded
>> to port 85 where squid "expects" HTTP traffic, and port 443 traffic
>> is forwarded to port 86 where "HTTPS" traffic is expected):
>>
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> ip rule add fwmark 1 lookup 100
>> ip route add local 0.0.0.0/0 dev lo table 100
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
>> --tproxy-mark 0x1/0x1 --on-port 85
>> iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY
>> --tproxy-mark 0x1/0x1 --on-port 86
>>
>>>
>>>> 2. Squid with tproxy doesn't work with HTTPS traffic.
>>>
>>> In what way?
>>>
>>> HTTP:
>>> http_port 1 tproxy ...
>>>
>>> HTTPS:
>>> https_port 2 tproxy ...
>>>
>>>>
>>
>> We cannot use https_port here. Because we are seeing the traffic from
>> squid to the root webserver go as http traffic after that.
>
> That is the bug then. Outgoing traffic needs to check the request->flags
> to identify tproxy or intercepted. Also checking request->protocol for
> PROTO_HTTPS requests to re-encrypt.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.15
> Beta testers wanted for 3.2.0.12
>