Re: Re[2]: [squid-users] Detect source IP Address via Squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 04 Aug 2009 14:05:46 +1200

On Tue, 4 Aug 2009 01:43:09 +0500, Farhad Ibragimov
<inara.ibragimova_at_gmail.com> wrote:
> Amos,
>
> Really, I need to hide my proxy server from my clients. But some web
> resources detect proxy servers, for example
> http://whatismyipaddress.com/. Is it possible, when my client surfs the
> internet through my proxy server, for all servers to see his real IP
> address? It is very important. Waiting for your response.
> PS: sorry for my English

This is the _opposite_ of what you just told me you wanted to do (have
apache log the real client IP).

You may be asking for the TPROXY feature, where Squid performs both a
man-in-the-middle attack and a spoofing attack on your clients.

This will not stop whatsmyip and similar sites from detecting the proxy.
They do so by calculations from other information they can find, such as
headers Squid is required to add, or even the absence of headers they had
the browser craft for the purpose. Making Squid or any HTTP proxy
completely invisible is not possible without breaking them severely. You
may as well allow direct connections or use a SOCKS proxy for that.

The fact that a proxy is detected in the middle does no harm. If you notice,
that web page also displays the client IP information correctly. If not,
then you have already broken the proxy and that needs to be fixed.

Many web services attempt to detect real client IPs. They do this in many
different ways and for many different purposes. Some sites such as Hotmail
and online banks use it to determine which account information is safe to
display in a reply. When some detect a stealth or anonymizing proxy they
will refuse to let clients log in.

The only way to win is to make the proxy operate fully and correctly
without violating HTTP in any way.

Amos

>
> BR
>
>
> Wednesday, July 29, 2009, 1:48:48 PM, you wrote:
>
>> Farhad Ibragimov wrote:
>>> Dear Amos
>>>
>>> Please look at this
>>>
>>> Client ---> Router with WCCP ---> Proxy squid(3.0.15)---> Apache
>>>
>>> Apache sees requests from the Squid proxy server. My question is, is it
>>> possible to see the requesting IP address of the client in the Apache
>>> log file? If yes, how can I do this?
>
>> Squid passes the IP on to Apache in the X-Forwarded-For: header.
>> Apache needs to log this header content.
>
>> Where there are multiple IPs listed in it, the first is the client that
>> contacted Squid.
>> The last is _probably_ the real client. It can contain forged values, so
>> trust decreases away from the machines you can identify. The first
>> listed IP was added by a trusted Squid, so it must be right; the second
>> maybe not, etc.
>
>>>
>>> My configuration
>>> Linux "MY DOMAIN" 2.6.18-128.1.16.el5 #1 SMP Tue Jun 30 06:07:26 EDT
>>> 2009 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>>
>>> # WELCOME TO SQUID 3.0.STABLE15
>>> # ----------------------------
>>> http_port 3128 transparent
>>> cache_mem 1024 MB
>>> #minimum_object_size 32 KB
>>> icp_port 0
>>> wccp2_router "HIDDEN"
>>> visible_hostname "HIDDEN"
>>> url_rewrite_children 20
>>> cache_dir ufs /cache 6000 16 256
>>> cache_swap_low 90
>>> cache_swap_high 95
>
>>> allow_underscore on
>
>> eww! Find a plank and beat the people needing that.
>
>>> request_header_max_size 20 KB
>>> client_persistent_connections on
>>> server_persistent_connections on
>>> maximum_object_size_in_memory 50 KB
>>> cache_replacement_policy heap LFUDA
>>> maximum_object_size 50 MB
>>> ######LOG################
>>> access_log /var/squid/logs/access.log squid
>>> cache_log /var/squid/logs/cache.log
>>> cache_store_log /var/squid/logs/store.log
>>> ###############################
>>> cache_mgr "HIDDEN"
>>> httpd_suppress_version_string on
>>> # SNMP OPTIONS
>>> # -----------------------------------------------------------------------------
>>> #snmp_port 1161
>>> #snmp_access allow snmppublic localhost
>>> #snmp_access deny all
>>> cache_effective_user squid
>>> cache_effective_group squid
>>> ###############################################################
>>> acl dayaz dstdomain "HIDDEN"
>>> always_direct allow "HIDDEN"
>>> ###############################################################
>>> refresh_pattern -i \.gif$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.png$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.jpg$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.jpeg$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.pdf$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.zip$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.tar$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.gz$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.tgz$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.exe$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.prz$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.ppt$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.inf$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.swf$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.mid$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.wav$ 43200 100% 43200 override-lastmod override-expire
>>> refresh_pattern -i \.mp3$ 43200 100% 43200 override-lastmod override-expire
>>>
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern (cgi-bin|\?) 0 0% 0
>>> refresh_pattern . 0 20% 4320
>>> ##########################################
>>> negative_ttl 0 seconds
>>> #########################################
>>> # ACCESS CONTROLS
>>> ##############################################################
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/32
>>> acl to_localhost dst 127.0.0.0/8
>>> acl mynet src "HIDDEN"
>>>
>>> # Example rule allowing access from your local networks.
>>> # Adapt to list your (internal) IP networks from where browsing
>>> # should be allowed
>
>> Sigh. SO many people not bothering to read the above...
>
>> Either change to be your valid networks, or remove completely and keep
>> your own name(s) for the ACL [ ie "mynet" ].
>
>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> #
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>>
>>> # TAG: http_access
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> #http_access allow localnet
>>> http_access allow mynet
>>> http_access deny all
>>>
>>> icp_access deny all
>>> htcp_access deny all
>>>
>>> hierarchy_stoplist cgi-bin ?
>>>
>>> # TAG: debug_options
>>> # Logging options are set as section,level where each source file
>>> # is assigned a unique section. Lower levels result in less
>>> # output, Full debugging (level 9) can result in a very large
>>> # log file, so be careful. The magic word "ALL" sets debugging
>>> # levels for all sections. We recommend normally running with
>>> # "ALL,1".
>>> #
>>> #Default:
>>> # debug_options ALL,1
>>>
>>> icp_port 0
>>> htcp_port 0
>>> log_icp_queries off
>>>
>>> allow_underscore on
>>>
>>> # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
>>> #wccp_version 4
>>> # wccp2_rebuild_wait on
>>> # wccp2_forwarding_method 1
>>> # wccp2_return_method 1
>>> # wccp2_assignment_method 1
>>> # wccp2_service standard 0
>>> # wccp2_weight 10000
>>> # wccp_address 0.0.0.0
>>> # wccp2_address 0.0.0.0
>>>
>>> # ERROR PAGE OPTIONS
>>> # -----------------------------------------------------------------------------
>>> # error_directory /squid/share/errors/templates
>>> email_err_data on
>>>
>>> client_db on
>>> coredump_dir /var/squid/cache
>>>
>>>
>
>> Amos
Received on Tue Aug 04 2009 - 02:06:18 MDT
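Amos's point that trust in X-Forwarded-For decreases as you move away from the machines you can identify, as an added example that is not from the thread or from Squid or Apache: it walks the header outward from the proxy Apache actually talked to and accepts a hop only while the entry was written by a known Squid. The proxy addresses 10.0.0.5/6 and the sample headers are constructed, and the walk assumes the standard behaviour where each proxy appends the address it received the request from.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed values: the addresses Apache sees the trusted Squid(s) connect
# from. Anything not listed here is a machine we cannot vouch for.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32"),
                   ipaddress.ip_network("10.0.0.6/32")]
# Apache side: log the raw header with %{X-Forwarded-For}i in a LogFormat and
# feed it, together with %h (the TCP peer), to client_ip() below.

def parse_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For value into its hop list, left to right."""
    return [h.strip() for h in header.split(",") if h.strip()]

def is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # Squid's "unknown" token or junk is never a trusted hop
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr: str, xff: Optional[str]) -> Tuple[str, List[str], List[str]]:
    """Return (best client estimate, trusted hops walked, unverifiable remainder).

    Each proxy appends the address it accepted the request from, so the
    rightmost entry was written by the last proxy in the chain. Start at the
    TCP peer (Apache's REMOTE_ADDR) and move leftwards through the header only
    while the hop that wrote the next entry is one we can identify. The first
    entry that is not a known proxy is the real client as far as we can prove;
    anything further left was supplied by machines we cannot vouch for.
    If the result is one of our own proxies, Squid did not add the header at
    all: that is the "already broken the proxy" case from the thread.
    """
    hops = parse_xff(xff or "")
    if not is_trusted(remote_addr):
        # Did not arrive via our Squid: the whole header is attacker-controlled.
        return remote_addr, [], hops
    chain = [remote_addr]
    while hops and is_trusted(chain[-1]):
        chain.append(hops.pop())
    return chain[-1], chain[:-1], hops

if __name__ == "__main__":
    # A client that sent a forged "X-Forwarded-For: 1.2.3.4" to Squid; Squid
    # then appended the address it actually saw, 203.0.113.9.
    print(client_ip("10.0.0.5", "1.2.3.4, 203.0.113.9"))
```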

This archive was generated by hypermail 2.2.0 : Tue Aug 04 2009 - 12:00:03 MDT