On 24.10.2012 07:55, Alexander.Eck wrote:
Hi everyone,
Is it possible to have squid use the same Source Port to connect to
the Web server as the client uses to connect to squid?
No. One gets errors when bind() is used on an already open port.
connect() and sendto() do not supply the OS with IP:port details.
My problem is the following setup:
Various Citrix Server
URL Filtering with Identity Awareness
Squid 3.1 as Cache Proxy
I had to install a Terminal Server Identity Agent on every Citrix
Server to distinguish the users.
The Identity Agent assigns port ranges to every user, to distinguish
them.
Problem is:
In my firewall logs I can see the identity of the user for the
request from the citrix server to the proxy (proxy is in the dmz).
But I can't see the identity from the request from the proxy to the
Internet.
My guess is that this is because squid isn't using the same Source
Port as the client, or is not forwarding the Source Port.
"client" also does not mean what you think it means. Squid is a client
in HTTP and can generate new or different requests along with those
aggregated from its inbound clients.
HTTP/1.1 is also stateless with multiplexing and pipelines. Any
outgoing connection can be shared by requests received between multiple
inbound client connections. There is no relationship between inbound and
outbound - adding a stateful relationship (pinning) degrades performance
a LOT.
How does your fancy client identification system correlate them
cheeses?
PS: the TCP/IP firewall level is not a good place to log HTTP level
client details.
Did anybody try something similar and get it working? Is squid
capable of doing this or do I have an error in reasoning about my setup?
Any help is appreciated :)
Amos
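
The PS above recommends recording client details at the HTTP level rather than at the firewall. The sketch below is an added example, not part of the original thread and not Squid code: it maps proxy log entries back to terminal-server users by client source port. It assumes a custom squid.conf `logformat` of `%ts.%03tu %>a %>p %rm %ru` (client IP and client source port) and a hypothetical per-user port-range table taken from the identity agent; every address, range, user name and log line is constructed.

```python
"""Attribute proxy requests to terminal-server users by client source port."""
from typing import NamedTuple, Optional


class PortRange(NamedTuple):
    host: str   # terminal server address as seen by the proxy
    first: int  # first source port assigned to the user
    last: int   # last source port assigned to the user (inclusive)
    user: str


# Constructed table: per-user source-port ranges on each terminal server.
RANGES = [
    PortRange("10.0.0.11", 20000, 20999, "alice"),
    PortRange("10.0.0.11", 21000, 21999, "bob"),
    PortRange("10.0.0.12", 20000, 20999, "carol"),
]

# Constructed log lines in the assumed format: time, client IP, client port, method, URL.
SAMPLE_LOG = """\
1351058100.123 10.0.0.11 20417 GET http://example.com/
1351058100.456 10.0.0.11 21002 GET http://example.org/a
1351058101.002 10.0.0.12 20999 CONNECT example.net:443
1351058101.950 10.0.0.12 45012 GET http://example.com/x
garbage line
"""


def user_for(host: str, port: int) -> Optional[str]:
    """Return the user owning (host, port), or None if no range matches."""
    for r in RANGES:
        if r.host == host and r.first <= port <= r.last:
            return r.user
    return None


def attribute(log_text: str):
    """Return (timestamp, user_or_None, method, url) for each well-formed line."""
    out = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[2].isdigit():
            continue  # skip malformed lines instead of guessing at fields
        ts, host, port, method, url = parts
        out.append((float(ts), user_for(host, int(port)), method, url))
    return out


if __name__ == "__main__":
    for ts, user, method, url in attribute(SAMPLE_LOG):
        print(f"{ts:.3f} {user or 'UNATTRIBUTED'} {method} {url}")
```

Entries that come back unattributed are worth reviewing: they are requests from a source port outside every assigned range.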