Re: Two connections per client

On Wed, Mar 16, 2016 at 10:44 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 17/03/2016 3:03 a.m., Chris Nighswonger wrote:
> On Wed, Mar 16, 2016 at 9:07 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
>> On 17/03/2016 1:57 a.m., Amos Jeffries wrote:
>>> On 17/03/2016 1:25 a.m., Chris Nighswonger wrote:
>>>> On Wed, Mar 16, 2016 at 1:03 AM, Amos Jeffries wrote:
>>>>
>>>>> On 16/03/2016 12:38 p.m., Chris Nighswonger wrote:
>>>>>> Why does netstat show two connections per client connection to Squid:
>>>>>>
>>>>>> tcp        0      0 127.0.0.1:3128          127.0.0.1:34167         ESTABLISHED
>>>>>> tcp        0      0 127.0.0.1:34167         127.0.0.1:3128          ESTABLISHED
>>>>>>
>>>>>> In this case, there is a content filter running in front of Squid on the
>>>>>> same box. The same netstat command filtered on the content filter port
>>>>>> shows only one connection per client:
>>>>>>
>>>>>> tcp        0      0 192.168.x.x:8080      192.168.x.y:1310      ESTABLISHED
>>>>>>
>>>>>
>>>>> Details of your Squid configuration are needed to answer that.
>>>>>
>>>>
>>>>
>>>> Here it is. I've stripped out all of the acl lines to reduce the length:
>>>>
>>>> tcp_outgoing_address 184.x.x.x
>>>> http_port 127.0.0.1:3128
>>>
>>> It would seem that it is not Squid making those connections outbound
>>> from 127.0.0.1:3128. Squid uses that 184.x.x.x address with random
>>> source ports for *all* its outbound connections.
>>
>>
>> Ah, just had an idea. Do you have IDENT protocol in those ACLs you elided?
>>
>> IDENT makes a reverse connection back to the client to find the identity.
>>
>>
> So I have this acl in the list:
>
> acl AuthorizedUsers proxy_auth REQUIRED
>
> Might that be the one?

No, if existing it would have 'ident' or 'ident_regex' type.

Log formats would be the other way to hit ident. But I didn't notice
anything fancy like that in the config you posted.

Sorry for the direct reply on the last iteration. Silly g-mail does not support reply to list apparently.

I've cleaned up the config based on your suggestions.

I'm not super concerned about the two connection issue. I was mostly wondering what was up. Perhaps I should be. Ignorance is not always bliss.

WRT follow_x_forwarded_for allow all, I've changed "all" to "localhost." I don't know if that tightens things up maybe? I need this enabled so that the client IPs show up in the Squid log. At least I think I do.

Thanks for the help. We've run Squid for over 16 years and it mostly just works.

Kind regards,
Chris
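
Added example (not part of the original thread and not Squid's own code): a simplified Python model of the X-Forwarded-For backtracking that the squid.conf documentation describes for `follow_x_forwarded_for`, comparing `allow all` with `allow localhost` for the setup in this thread. The function name, the CIDR lists standing in for the `all` and `localhost` ACLs, the sample addresses, and the assumption that the content filter appends the real client address to the header are all illustrative.

```python
import ipaddress

# ACL contents modelled as CIDR lists (assumed equivalents of Squid's
# built-in "all" and "localhost" ACLs).
ALLOW_ALL = ["0.0.0.0/0", "::/0"]
ALLOW_LOCALHOST = ["127.0.0.0/8", "::1/128"]


def logged_client(peer, xff_header, allowed_nets):
    """Return the address treated as the client after XFF backtracking.

    Simplified model, not Squid source: a hop taken from the header is
    believed only while the address that reported it matches the ACL.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]

    def allowed(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    current = peer
    # Walk right to left: the rightmost entry was added by the nearest hop.
    while hops and allowed(current):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        current = candidate
    return current


# Constructed sample: a LAN client sends its own forged X-Forwarded-For,
# and the content filter (assumed to append the real client address)
# connects to Squid from 127.0.0.1.
PEER = "127.0.0.1"
HEADER = "203.0.113.7, 192.168.0.50"  # forged entry, then real client

if __name__ == "__main__":
    for name, acl in (("all", ALLOW_ALL), ("localhost", ALLOW_LOCALHOST)):
        print(f"follow_x_forwarded_for allow {name}: "
              f"logged client = {logged_client(PEER, HEADER, acl)}")
```

With `allow all` the walk continues past the filter's entry and the client-supplied address ends up in the log; with `allow localhost` it stops at the address the local content filter reported.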

