Re: How to set the IP of the real originator in HTTP requests (instead of Squid's IP)?

Leonardo Rodrigues <leolistas@xxxxxxxxxxxxxx> · Tue, 29 Nov 2011 17:58:52 -0200

    tcp_outgoing_address is probably what you're looking for.

    from the default squid.conf:

#  TAG: tcp_outgoing_address
#       Allows you to map requests to different outgoing IP addresses
#       based on the username or source address of the user making
#       the request.
#
#       tcp_outgoing_address ipaddr [[!]aclname] ...
#
#       Example where requests from 10.0.0.0/24 will be forwarded
#       with source address 10.1.0.1, 10.0.2.0/24 forwarded with
#       source address 10.1.0.2 and the rest will be forwarded with
#       source address 10.1.0.3.
#
#       acl normal_service_net src 10.0.0.0/24
#       acl good_service_net src 10.0.1.0/24 10.0.2.0/24
#       tcp_outgoing_address 10.1.0.1 normal_service_net
#       tcp_outgoing_address 10.1.0.2 good_service_net
#       tcp_outgoing_address 10.1.0.3
#
#       Processing proceeds in the order specified, and stops at first fully
#       matching line.
#
#       Note: The use of this directive using client dependent ACLs is
#       incompatible with the use of server side persistent connections. To
#       ensure correct results it is best to set 
server_persistent_connections
#       to off when using this directive in such configurations.
#
#Default:
# none

Em 29/11/11 14:35, Leonardo escreveu:
Dear all,

We have a Cisco ASA firewall between our internal network and the
Internet.  Our Squid transparent proxy (v3.1.7) is just behind the
firewall.

Our problem concerns IP address translation from private to public.
Specifically, we would like that clients go out on the Web with a
public IP address which depends on the subnet the client is in.
However, we can't differentiate the addresses as the Cisco ASA sees
only the IP private address of the Squid as originator of all HTTP
requests.
I haven't set the directive forwarded_for in my Squid config, which
should mean that, by default, the real originator is passed in a
X-Forwarded-For header.

I'd like to know if there is something else that can be done on the
Squid side, or if now I need to work solely on the config of the Cisco
ASA (as I believe).

Thanks for your time and your answers,

L.

--

	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@xxxxxxxxxxxxxx
	My SPAMTRAP, do not email it