On 4/27/20 8:18 AM, Vieri Di Paola wrote:
> Hi,
>
> I've been using Squid + TPROXY in transparent sslbump mode for quite a
> while now, but I'd like to use an explicit proxy with user
> authentication instead.
>
> I have Squid on my first Shorewall firewall, and then I have another
> Shorewall gateway where all the HTTP requests go through, with
> multiple providers / ISPs.
>
> In transparent tproxy mode, the HTTP requests on the Shorewall gateway
> are seen as coming from the users' client hosts (SRC IP addresses are
> the ones of the hosts where the web browsers are actually running).
> That allows me to mark traffic, and use different providers according
> to source IP address ranges or other criteria.
>
> In the explicit setup, the Shorewall gateway only sees one IP address
> as HTTP source -- the one on the "first" Squid/Shorewall firewall. I
> presume that in this case there is NO WAY I can set up the Shorewall
> gateway to mangle traffic one way or the other depending on the "real"
> src IP address, right?
>
Tproxy was created to allow the original source IP to remain intact. I know that Squid has the ability to mark outgoing packets, but I don't know off-hand what kind of control it provides over those marks.

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \ with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \ can't understand
                      \________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users