On 24.10.2012 07:55, Alexander.Eck wrote:
Hi everyone,

is it possible to have squid use the same Source Port to connect to the Web server as the client uses to connect to squid?


No. One gets errors when bind() is used on an already open port.
connect() and sendto() do not supply the OS with IP:port details.



My problem is the following setup:

Various Citrix Server
URL Filtering with Identity Awareness
Squid 3.1 as Cache Proxy

I had to install a Terminal Server Identity Agent on every Citrix Server to distinguish the users.

The Identity Agent assigns port ranges to every user, to distinguish them.


Problem is:
In my firewall logs I can see the identity of the user for the request from the citrix server to the proxy (proxy is in the dmz). But I can't see the identity from the request from the proxy to the Internet.

My guess is, that this is because squid isn't using the same Source Port as the client, or is not forwarding the Source Port.

"client" also does not mean what you think it means. Squid is a client in HTTP and can generate new or different requests along with those aggregated from its inbound clients.

HTTP/1.1 is also stateless with multiplexing and pipelines. Any outgoing connection can be shared by requests received between multiple inbound client connections. There is no relationship between inbound and outbound - adding a stateful relationship (pinning) degrades performance a LOT.

How does your fancy client identification system correlate them cheeses?

PS: the TCP/IP firewall level is not a good place to log HTTP level client details.


Did anybody try something similar and get it working? Is squid capable of doing this or do I have an error in reasoning about my setup?

Any help is appreciated :)


Amos
