Saleh,

I locally fixed the issue for my work. Squid has a small bug there: it doesn't spoof the client IP. I will send you the changed file.

Regards,
Nipun

On Wed, Oct 12, 2011 at 6:36 PM, Saleh Madi <saleh.madi@xxxxxxxxx> wrote:
> Hi,
>
> For a month I have been trying to get client IP spoofing working, but with no
> success. I have googled all the forums on the web, still with no success. The
> TPROXY configuration works, but client IP spoofing doesn't (kernel 2.6.37
> with Debian squeeze and libcap2). Why does this problem occur for all users?
> Many of them are complaining about this problem without any solution.
> Is there a trick? I need an obvious solution to fix this problem.
> I hope we can solve it, to be helpful to other users.
>
> Many thanks and Best Regards,
> Saleh
>
>
>> On 12/10/11 22:19, nipun_mlist Assam wrote:
>>> On Wed, Oct 12, 2011 at 11:05 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>> On 12/10/11 17:33, nipun_mlist Assam wrote:
>>>>>
>>>>> This may be relevant to this question.
>>>>> While trying to use squid as a transparent proxy (tproxy) on Linux
>>>>> (kernel 2.6.39 with CentOS 6.0), I noticed the following:
>>>>>
>>>>> 1. Client IP spoofing doesn't work (but for our work, this requirement
>>>>> was a must).
>>>>
>>>> In what way?
>>>
>>> The root web server was seeing the IP of the squid box, not of the
>>> client machine, for all HTTP requests. I.e. the web server will see
>>> that the HTTP requests are coming from the squid box. Our requirement
>>> is that both the web servers and the client machines should not be aware
>>> of a squid proxy sitting in between, and hence they should not see the
>>> IP of the squid box in HTTP-related traffic.
>>>
>>> squid.conf is as shown below (I am pasting only the http_port related
>>> lines):
>>>
>>> .
>>> .
>>> http_port 85 tproxy
>>> http_port 86 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>> .
>>> .
>>>
>>>
>>> IPTABLES was configured as shown below (port 80 traffic is forwarded
>>> to port 85, where squid "expects" HTTP traffic, and port 443 traffic
>>> is forwarded to port 86, where "HTTPS" traffic is expected):
>>>
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>> ip rule add fwmark 1 lookup 100
>>> ip route add local 0.0.0.0/0 dev lo table 100
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 85
>>> iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 86
>>>
>>>
>>>
>>>>
>>>>> 2. Squid with tproxy doesn't work with HTTPS traffic.
>>>>
>>>> In what way?
>>>>
>>>> HTTP:
>>>> http_port 1 tproxy ...
>>>>
>>>> HTTPS:
>>>> https_port 2 tproxy ...
>>>>
>>>>>
>>>
>>> We cannot use https_port here, because we are seeing the traffic from
>>> squid to the root webserver go out as HTTP traffic after that.
>>
>> That is the bug then. Outgoing traffic needs to check the request->flags
>> to identify tproxy or intercepted. Also checking request->protocol for
>> PROTO_HTTPS requests to re-encrypt.
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE9 or 3.1.15
>> Beta testers wanted for 3.2.0.12
>>
>
>
>
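As an added example (not part of the thread, and not Squid's own code), a small Python cross-check of the two configuration fragments quoted in it: it maps each iptables TPROXY redirect onto the squid.conf port it lands on and reports the mismatch Amos points at (port 443 delivered to an `http_port` rather than an `https_port ... tproxy`), plus a fwmark mismatch between the DIVERT chain and the TPROXY rules. The sample inputs are copied from the thread; the regexes and the finding texts are my own.

```python
import re

# Constructed sample inputs, copied from the configuration quoted in the thread
SQUID_CONF = """\
http_port 85 tproxy
http_port 86 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy generate-host-certificates=on
"""
IPTABLES_RULES = """\
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 85
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 86
"""

PORT_RE = re.compile(r"^(https?_port)\s+(?:\S+:)?(\d+)\s*(.*)$")
TPROXY_RE = re.compile(r"--dport\s+(\d+)\s+-j\s+TPROXY\s.*--tproxy-mark\s+(\S+)\s+--on-port\s+(\d+)")
SETMARK_RE = re.compile(r"-A\s+DIVERT\s+-j\s+MARK\s+--set-mark\s+(\S+)")

def parse_squid_ports(conf):
    """Map each listening port to (directive, option list) from *_port lines."""
    ports = {}
    for line in conf.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports[int(m.group(2))] = (m.group(1), m.group(3).split())
    return ports

def check_tproxy_config(conf, rules):
    """Cross-check TPROXY redirects against squid.conf; return a list of findings."""
    findings = []
    ports = parse_squid_ports(conf)
    setmark = SETMARK_RE.search(rules)
    divert_mark = int(setmark.group(1), 0) if setmark else None
    for dport, mark, on_port in TPROXY_RE.findall(rules):
        dport, on_port = int(dport), int(on_port)
        # the TPROXY mark must equal the DIVERT mark, or 'ip rule add fwmark 1 lookup 100' never fires
        if divert_mark is not None and int(mark.split("/")[0], 0) != divert_mark:
            findings.append(f"dport {dport}: --tproxy-mark {mark} does not match DIVERT --set-mark")
        if on_port not in ports:
            findings.append(f"dport {dport} is sent to :{on_port}, but squid.conf has no *_port {on_port}")
            continue
        directive, opts = ports[on_port]
        if "tproxy" not in opts:
            findings.append(f"{directive} {on_port} receives TPROXY traffic but lacks the tproxy flag")
        if dport == 443 and directive != "https_port":
            findings.append(f"dport 443 is sent to {directive} {on_port}; intercepted TLS needs https_port ... tproxy")
    return findings
```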