set squid proxy outgoing IP

Posted: January 26, 2007 in linux

last week had me working on setting up a squid proxy server with multiple IPs/domains. the plan was to have squid route outgoing traffic through as many IPs as the server carries. the server only has one physical interface; the rest of the IPs are tied to it via aliases, i.e. virtual interfaces. you can easily add one with the following command:

ifconfig ethX:Y <IP_ADDRESS>

where X is the number of your physical ethernet device, and Y is an arbitrary number designated for the virtual interface. you could also add the broadcast address and netmask in the same line. so it would look something like this:

ifconfig eth0:1 192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0

for testing, a minimal configuration had the proxy running in no time. it would listen on 2 IPs for incoming HTTP requests, on different ports. supposedly it should also send each request out through the same IP on which it was received. it didn’t. i checked with popular web services that show your IP (ipchicken.com, whatismyip.com, whatismyip.org), and somehow the IP that came out was the main server IP. by “main server IP,” i mean the 1st IP bound to the network interface, i.e. the primary address. (look it up with ifconfig ethX, where ethX is the interface facing the Internet, of course, as you might have one that is only for your LAN.) so if it was listening for incoming requests on 192.168.0.10:3128 (IP:port), i wanted the request to go out the same way, via 192.168.0.10. instead it was going out via, for example, 192.168.0.1, the primary server IP.

after ‘Googling’ with no luck, i sought advice from the experts of 4 Linux forums. at least on 3 of the forums, they were quick to say that “new outbound connections would normally default to the primary server IP,” or “the one where the route goes out.” and that was that. this is true, i guess. but my question wasn’t really answered.

looking up on google again, this time carefully reading the returned results, i found out that you could actually tell it to use the IP of your choice for outgoing traffic. (yeah, i overlooked that portion in the manual where it would’ve been obvious had i looked hard enough)

the key to this is tcp_outgoing_address. this is how it’s done as explained:

create an ACL for the incoming source network or just specific IP(s)*:

acl my_network src 192.168.1.0/255.255.255.0

then use tcp_outgoing_address to specify which IP the incoming request should go out through (of course, you have to own the IP):

tcp_outgoing_address <OUTGOING_IP_YOU_WANT> <ACL_NAME>, or, with no ACL name, to use one IP for all outgoing requests:

tcp_outgoing_address 192.168.0.1

NOTE: *the IPs used here are private IPs and are only used as examples. replace them with the IPs you want or those applicable to your network/server. also read up on squid proxy configuration. a good start about this topic is here. suggested further readings on ifconfig or how to set an IP to your network interface.
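The same idea extended to every alias on the server, as an added example that is not part of the original post: a shell function that emits one http_port, acl and tcp_outgoing_address line per listening address, so each request leaves through the IP it arrived on. The IP:port pairs and ACL names are constructed, and the `myip` ACL type is an assumption taken from the squid 3.1.6 comment further down, since `src` matches the client's address rather than the address squid received the request on.

```shell
#!/bin/sh
# Added example: emit squid.conf lines so that a request received on a
# local IP leaves through that same IP. All addresses are constructed.
# ACL_TYPE is an assumption: "myip" matches the address squid received the
# request on (squid 3.1.x); newer releases call the same ACL type "localip".
ACL_TYPE="${ACL_TYPE:-myip}"

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print http_port / acl / tcp_outgoing_address for each IP:PORT argument.
gen_outgoing_conf() {
    for pair in "$@"; do
        ip=${pair%:*}
        port=${pair##*:}
        if ! valid_ipv4 "$ip"; then
            echo "invalid IPv4 address: $ip" >&2
            return 1
        fi
        case "$port" in
            ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "invalid port: $port" >&2
            return 1
        fi
        acl="in_$(echo "$ip" | tr . _)"   # build an ACL name from the IP
        echo "http_port $ip:$port"
        echo "acl $acl $ACL_TYPE $ip"
        echo "tcp_outgoing_address $ip $acl"
    done
}

# Constructed sample: two aliases of one interface, each on its own port.
gen_outgoing_conf 192.168.0.10:3128 192.168.0.11:3129
```

Review the generated lines before merging them into squid.conf, and check the result with `squid -k parse`.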

Comments
  1. excellent publish, very informative. I wonder why the opposite experts of this sector don’t understand this.

    You should continue your writing. I’m confident, you’ve
    a great readers’ base already!

  2. There’s definitely a great deal to find out about this issue.
    I love all of the points you’ve made.

  4. vimax says:

    I must thank you for the efforts you’ve put in penning this blog.
    I’m hoping to check out the same high-grade blog posts from you later on as well.
    In fact, your creative writing abilities have motivated me to get my own, personal website
    now 😉

  5. Nat says:

    Nice article. But in my squid version (3.1.6) i have to use “acl my_network myip xxx.xxx.xxx.xxx” (myip instead of src). myip = Interface-IP, src = Client-IP

    • yams says:

      That could be the new way of doing it. The one above was made like almost 5 years ago. The past few years I haven’t really updated myself with squid. Busy with web development. 🙂

  6. kamil says:

    awesome, thanks! 🙂

  7. Tyler says:

    Good to know. Squid is “well-documented” in one sense, they have documentation for every setting, but they don’t tie it together well, making settings like this very difficult to find.

  8. Nathan says:

    excellent, thanks
