Hi, I'm having some trouble getting my client IP (and/or hostname) logged in my Apache webserver. I do think this is something in my squid setup, but I can't find it. So if anyone can help me out a bit, that would be great. I've tested with the forwarded_for option and tried all the options here:
http://www.squid-cache.org/Versions/v3/3.5/cfgman/forwarded_for.html

I'm using Debian Jessie, Apache 2.4 with mod_remoteip:
http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipheader

My settings for remoteip (and yes, the module is enabled):

    a2query -m | grep remote
    remoteip (enabled by site administrator)

    <IfModule mod_remoteip>
        # for remote proxy setup
        RemoteIPHeader X-Forwarded-For
        # for cluster setup
        #RemoteIPHeader X-Real-IP
        RemoteIPTrustedProxy 127.0.0.1/8
        RemoteIPTrustedProxy 192.168.x.x/24
        RemoteIPTrustedProxy 192.168.x.x/24
        RemoteIPTrustedProxy prxy1.internal.domain.tld
        RemoteIPTrustedProxy prxy2.internal.domain.tld
        #original : LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
    </IfModule>

Any tips on how to debug this? I did find lots of things with Google, but none worked for me.

This is my (sanitized) squid config; default values are not shown. Any improvement tips are welcome ;-) but my biggest problem now is getting the IP of the client in my webserver logs.

Greetz,
Louis

    # squid 3.5.12 config
    auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth -d \
        --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/prxy1.internal.domain.tld@REALM \
        --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOMAIN
    auth_param negotiate children 50 startup=10 idle=1
    auth_param negotiate keep_alive on
    auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
        -b "ou=domain,dc=internal,dc=domain,dc=tld" \
        -D changed_to_protect_myself@xxxxxxxxxxxxxxxxxxx -W /etc/squid/private/ldap-bind \
        -f (sAMAccountName=%s) \
        -h dc2.internal.domain.tld \
        -h dc1.internal.domain.tld
    auth_param basic children 5 startup=5 idle=1
    auth_param basic realm Internet Proxy Autorisation
    auth_param basic credentialsttl 2 hours
    authenticate_cache_garbage_interval 2 hour
    authenticate_ttl 2 hour
    authenticate_ip_ttl 2 hour

    # ACCESS CONTROLS
    # -----------------------------------------------------------------------------
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

    ## PC Networks
    acl localnet src 192.168.XXX.0/24
    acl localnet src 10.XXX.0.0/24
    acl localnet src 10.XXX.1.0/24
    acl localnet src 10.XXX.2.0/24
    acl localnet src 10.XXX.3.0/24
    acl localnet src 10.XXX.4.0/24

    ## Per location/function networks
    acl localnet-funct1 src 192.168.XXX.0/24
    acl localnet-funct2 src 10.XXX.0.0/24
    acl localnet-funct3 src 10.XXX.1.0/24
    acl localnet-funct4 src 10.XXX.2.0/24
    acl localnet-funct5 src 10.XXX.3.0/24
    acl localnet-funct6 src 10.XXX.4.0/24
    acl localnet-funct7 src 10.XXX.210.0/24
    acl localnet-funct8 src 172.20.XXX.0/24
    acl localnet-funct1-server-range src 192.168.XXX.XXX-192.168.XXX.XXX
    acl localnet-funct1-mailhopper src 192.168.XXX.XXX
    acl localnet-funct1-antivirus src 192.168.XXX.XXX
    acl localnet-funct1-xen1 src 192.168.XXX.XXX
    acl localnet-funct1-gateway src 192.168.XXX.XXX
    acl localnet-funct1-mail1 src 192.168.XXX.XXX
    acl localnet-funct1-lin-228 src 192.168.XXX.XXX
    acl localnet-funct1-lin-009 src 192.168.XXX.XXX
    acl localnet-funct1-monitoring src 192.168.XXX.XXX
    acl localnet-funct1-lin-003 src 192.168.XXX.XXX

    ## acl time frames.
    acl work-ochtend time MTWHF 08:15-11:59
    acl work-pauze time MTWHF 12:00-13:30
    acl work-middag time MTWHF 13:31-17:00
    acl after-work-hours time MTWHF 17:01-23:59
    acl before-work-hours time MTWHF 00:00-08:14

    ######Block Video Streaming##############
    acl media rep_mime_type video/flv video/x-flv
    acl media rep_mime_type -i ^video/
    acl media rep_mime_type -i ^video\/
    acl media rep_mime_type ^application/x-shockwave-flash
    acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1
    acl media rep_mime_type ^application/x-fcs
    acl media rep_mime_type ^application/x-mms-framed
    acl media rep_mime_type ^video/x-ms-asf
    acl media rep_mime_type ^audio/mpeg
    acl media rep_mime_type ^audio/x-scpls
    acl media rep_mime_type ^video/x-flv
    acl media rep_mime_type ^video/mp2t
    acl media rep_mime_type ^video/mpeg4
    acl media rep_mime_type ms-hdr
    acl media rep_mime_type x-fcs
    acl mediapr urlpath_regex \.flv(\?.*)?$
    acl mediapr urlpath_regex -i \.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$
    acl mediapr urlpath_regex -i \.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb|ts)(\?.*)?$

    acl whitelistsites url_regex -i "/etc/squid/acl/domain-customer-sites.txt"
    acl whitelistsites url_regex -i "/etc/squid/acl/allowed-sites.txt"
    acl whitelistdirect url_regex -i "/etc/squid/acl/allowed-direct-sites.txt"
    acl ads dstdom_regex "/etc/squid/acl/blocked-ads-company.txt"
    acl blockedsites dstdom_regex -i "/etc/squid/acl/blocked-sites.txt"
    acl allow_client_mac arp "/etc/squid/acl/allow-arp-client.txt"
    acl downloaders rep_mime_type -i ^application/x-nzb$

    acl lan-domainname dstdomain .internal.domain.tld
    acl lan-domainname dstdomain .internal2.domain.tld
    acl lan-domainname dstdomain .internal3.domain.tld
    acl lan-domainname dstdomain .internal4.domain.tld
    acl lan-domainname dstdomain .internal5.domain.tld
    acl lan-domainname dstdomain .internal6.domain.tld
    acl wan-domainname dstdomain .domain.tld

    acl windowsupdate dstdomain windowsupdate.microsoft.com
    acl windowsupdate dstdomain .update.microsoft.com
    acl windowsupdate dstdomain download.windowsupdate.com
    acl windowsupdate dstdomain redir.metaservices.microsoft.com
    acl windowsupdate dstdomain images.metaservices.microsoft.com
    acl windowsupdate dstdomain c.microsoft.com
    acl windowsupdate dstdomain www.download.windowsupdate.com
    acl windowsupdate dstdomain wustat.windows.com
    acl windowsupdate dstdomain crl.microsoft.com
    acl windowsupdate dstdomain sls.microsoft.com
    acl windowsupdate dstdomain productactivation.one.microsoft.com
    acl windowsupdate dstdomain ntservicepack.microsoft.com
    acl windowsupdate dstdomain au.download.windowsupdate.com
    acl windowsupdate dstdomain ds.download.windowsupdate.com
    acl windowsupdate dstdomain ctldl.windowsupdate.com
    acl windowsupdate dstdomain .data.microsoft.com
    acl antivirusupdate dstdomain .trendmicro.com
    acl antivirusupdate dstdomain safebrowsing.google.com
    acl antivirusupdate dstdomain safebrowsing-cache.google.com
    acl wuCONNECT dstdomain www.update.microsoft.com
    acl wuCONNECT dstdomain sls.microsoft.com

    ## SSL PORTS ( you need to define ssl ports also at Safe_ports )
    acl SSL_ports port 443          # https
    acl SSL_ports port 631          # cups
    acl SSL_ports port 888          # 3dm raid manager
    acl SSL_ports port 2812         # Monit
    acl SSL_ports port 5225         # HP Toolbox
    acl SSL_ports port 8000         # ?
    acl SSL_ports port 8080         # ?
    acl SSL_ports port 16384-16403  # iChat AV (Audio-RTP, RTCP; Video-RTP, RTCP)

    acl Safe_ports port 21          # ftp
    acl Safe_ports port 80          # http
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 443         # https
    acl Safe_ports port 210         # wais
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 631         # cups
    acl Safe_ports port 667         # darkstat
    acl Safe_ports port 777         # multiling http
    acl Safe_ports port 888         # 3dm raid manager
    acl Safe_ports port 8000        # ?
    acl Safe_ports port 8080        # ?
    acl Safe_ports port 16384-16403 # iChat AV (Audio-RTP, RTCP; Video-RTP, RTCP)
    #acl Safe_ports port 1025-65535 # unregistered ports
    acl CONNECT method CONNECT

    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

    # Only allow cachemgr access from localhost
    http_access allow localhost manager
    http_access deny manager
    http_access deny to_localhost

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    ## BEFORE AUTH : bypass autorisation ( windows updates/antivirus )
    http_access allow CONNECT wuCONNECT localnet
    http_access allow windowsupdate localnet
    http_access allow antivirusupdate localnet

    ## Deny blocked sites first.
    http_access deny blockedsites

    ## Deny Ads servers
    http_access deny ads
    deny_info TCP_RESET ads

    #### Override rules for internal use
    http_access allow localnet-funct1-server-range
    http_access allow localnet-funct2
    http_access allow lan-domainname localnet
    http_access allow wan-domainname localnet
    http_access allow whitelistdirect localnet

    ###############################################################################
    ## AUTH HERE
    http_access allow authenticated
    ###############################################################################

    ##########Access Lists VIDEO STREAMS #########
    http_access allow mediapr allow_client_mac
    http_reply_access allow media allow_client_mac
    http_access deny mediapr
    http_reply_access deny media

    ################################## other rules.
    # whitelisted sites
    http_access allow whitelistsites

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet

    # And finally deny all other access to this proxy
    http_access deny all

    ## iptables port 80 redirect to 3128
    http_port 192.168.XXX.XXX:3128 intercept connection-auth=off
    ## company default port set by GPO (must use hostname.internal.domain.tld for kerberos auth )
    http_port 192.168.XXX.XXX:8080

    cache_mem 65536 MB
    maximum_object_size_in_memory 5 MB
    coredump_dir /var/spool/squid

    # disable cache_log
    cache_log /dev/null
    ## obligated setting for disabling cache_log
    logfile_rotate 0

    ftp_user anonymousftp@xxxxxxxxxx
    pinger_enable off

    # OPTIONS FOR TUNING THE CACHE
    # -----------------------------------------------------------------------------
    #cache deny localnet-funct3
    #cache deny localnet-funct2

    ## order is important, first one hit is used.
    ## windows cache
    refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 129600 reload-into-ims
    refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 129600 reload-into-ims
    refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 129600 reload-into-ims

    # debian cache
    refresh_pattern ^(ht|f)tp://.*debian.*/Packages\.(bz2|gz|diff/Index)$ 0 0% 0
    refresh_pattern ^(ht|f)tp://.*debian.*/Release(\.gpg)?$ 0 0% 0
    refresh_pattern ^(ht|f)tp://.*debian.*/Sources\.(bz2|gz|diff/Index)$ 0 0% 0
    refresh_pattern ^(ht|f)tp://.*debian.*/Translation-en_GB\.bz2$ 0 0% 0

    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

    # range-offset
    range_offset_limit 800 MB windowsupdate
    range_offset_limit 100 MB antivirusupdate
    quick_abort_min -1

    forward_timeout 1 minutes
    connect_timeout 5 seconds

    cache_mgr webmaster@xxxxxxxxxx
    mail_from prxy1@xxxxxxxxxxxxxxxxxxx
    visible_hostname prxy1.internal.domain.tld
    hostname_aliases prxy1.internal.domain.tld
    httpd_suppress_version_string on

    snmp_port 3401
    snmp_access allow localnet-funct1-monitoring
    snmp_access deny all
    snmp_incoming_address 192.168.XXX.XXX
    icp_port 3130
    htcp_port 4827
    udp_incoming_address 192.168.XXX.XXX

    error_default_language nl
    err_page_stylesheet /etc/squid/errorpage.css
    always_direct allow CONNECT

    # ICAP OPTIONS
    # -----------------------------------------------------------------------------
    ## Tested with Squid 3.5.10/3.5.12 squidclamav 6.14
    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_header X-Authenticated-User
    icap_persistent_connections on
    icap_preview_enable on
    icap_preview_size 1024
    icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
    adaptation_access service_req allow all
    icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
    adaptation_access service_resp allow all

    dns_v4_first on
    fqdncache_size 2048
    memory_pools on
    memory_pools_limit 512 MB
    forwarded_for on
    refresh_all_ims on
    reload_into_ims on
    workers 8

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
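The post hinges on how mod_remoteip decides which X-Forwarded-For entry to log as %a. The following is an added example, not code from the post, from Apache or from Squid: it models the documented walk in pure Python so the behaviour can be checked offline. The rule it implements is the one in the mod_remoteip documentation: starting from the TCP peer, the right-most header entry replaces the peer only while the peer is a configured proxy, and a proxy listed with RemoteIPTrustedProxy (unlike RemoteIPInternalProxy) may not vouch for a private or reserved address, in which case the walk stops and the proxy's own address is what gets logged. A Squid with `forwarded_for on`, as in the config above, appends the real client address to that header. The function names, the exact list of non-public ranges, and every address used are assumptions or constructed test values; the proxy subnet 192.168.1.0/24 stands in for the sanitized 192.168.x.x/24 in the post.

```python
import ipaddress

# Ranges a RemoteIPTrustedProxy may NOT vouch for (assumption: our reading of
# the mod_remoteip docs; InternalProxy is allowed to vouch for these too).
_NON_PUBLIC_V4 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "169.254.0.0/16", "127.0.0.0/8")
]
_PUBLIC_V6 = ipaddress.ip_network("2000::/3")


def is_non_public(addr):
    """True for addresses that only an InternalProxy may report as the client."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return any(ip in net for net in _NON_PUBLIC_V4)
    return ip not in _PUBLIC_V6


def _in_list(addr, proxies):
    """Does addr fall inside any configured proxy network? (strict=False so
    host-style entries such as 127.0.0.1/8 are accepted, as Apache does)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in proxies)


def resolve_client_ip(peer, xff, trusted=(), internal=()):
    """Walk X-Forwarded-For from the right, the way mod_remoteip does.

    peer     -- TCP peer address Apache sees (what %h logs)
    xff      -- raw X-Forwarded-For header value ('' if absent)
    trusted  -- networks configured with RemoteIPTrustedProxy
    internal -- networks configured with RemoteIPInternalProxy
    Returns (client_ip, remaining_chain); client_ip is what %a will log.
    """
    chain = [h.strip() for h in xff.split(",") if h.strip()]
    remote = peer
    while chain and (_in_list(remote, trusted) or _in_list(remote, internal)):
        candidate = chain[-1]
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # unparseable header entry: stop, keep the proxy address
        # A TrustedProxy (not InternalProxy) may not vouch for private space.
        if not _in_list(remote, internal) and is_non_public(candidate):
            break
        chain.pop()
        remote = candidate
    return remote, chain


if __name__ == "__main__":
    PROXY_NET = "192.168.1.0/24"   # constructed: subnet of the squid box
    SQUID = "192.168.1.10"          # constructed: the squid box itself
    LAN_CLIENT = "192.168.5.23"     # constructed: a private-range browser
    # Private client behind a TrustedProxy: the proxy address stays in the log.
    print(resolve_client_ip(SQUID, LAN_CLIENT, trusted=[PROXY_NET]))
    # Same header, proxy listed as InternalProxy: the client address is logged.
    print(resolve_client_ip(SQUID, LAN_CLIENT, internal=[PROXY_NET]))
    # Header arriving from a peer that is not a configured proxy is ignored.
    print(resolve_client_ip("203.0.113.50", "198.51.100.9", trusted=[PROXY_NET]))
```

The first two calls in the `__main__` block differ only in which directive the proxy subnet is listed under, which is the knob to look at whenever clients on RFC 1918 addresses keep showing up as the proxy's address in the access log. The third call shows the defensive side of the same rule: an X-Forwarded-For value sent by an arbitrary peer never overrides the real peer address, so only hosts you have explicitly listed can influence what gets logged.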