Is there a way to FORWARD the local client IP address, instead of the proxy IP?
To be more descriptive.
When I am looking at some logs, the proxy IP address appears as the source; I would like to see the clients' IP addresses instead.
I am currently not NATing with the pfSense firewall; I have SquidGuard and Squid set up as a transparent proxy.
Is this possible with the proxy in place?
I guess not? :(
You mean like the X-Forwarded-For header, or?
I am not sure what the terminology would be; what I need to know is if there's a way to allow the IPs of the clients behind the proxy to be seen and logged individually by other tools located in the LAN.
What I am seeing now is that for clients that are using the proxy, their LAN IPs are hidden as they are behind the proxy server. So all connection logs etc. appear to be coming from the proxy, which is understandable.
Yes, you'd need to add the header (General - X-Forwarded Header Mode) and log those headers on the server.
First, let me once again say many thanks. People like you make learning and working with Linux software fun!
I checked my squid.conf file:
acl localnet src 192.168.0/24
From what I can see above, the forward_on is already set in place. It's enabled. Yet, when clients are browsing the internet, the logs are not showing in Snort/Security Onion as the client IP but as the proxy server IP address.
In the same proxy.conf configuration, I found this entry:
which is also on as per default configuration.
I am guessing I am missing this part:
"and log those headers on the server": this is the part I am a tad confused about, but I am definitively searching. I am trying to view info in my Snort/Security Onion logs.
Once again thanks Dok!
No, Snort does not look at X-Forwarded-For headers. Those are useful for web servers. There is no such thing available, frankly. icap_send_client_ip will add X-Client-IP header. These do NOT rewrite the source IP in the packets, this is L7 stuff.
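
The "log those headers on the server" step, as an added example that is not part of the thread: a web server or log pipeline chooses the address to record from X-Forwarded-For, but only when the TCP peer is the proxy, since any client can send the header itself. The proxy address 192.168.0.1, the function names and the sample requests are constructed assumptions.

```python
import ipaddress

# Assumption: the only proxy allowed to assert a client address (constructed).
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.0.1")}


def client_ip(peer_ip, xff_header):
    """Return the address a server should log for one request.

    peer_ip    -- source address of the TCP connection (what packet tools see)
    xff_header -- raw X-Forwarded-For value, or None when the header is absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header arriving from anyone but the proxy is client-controlled: ignore it.
    if peer not in TRUSTED_PROXIES or not xff_header:
        return str(peer)
    # The right-most entry was appended by the nearest proxy; entries further
    # left may have been supplied by the client, so walk from the right.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # e.g. "unknown": nothing usable, keep the peer
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


def resolve_all(requests):
    """Map (peer_ip, xff_header) pairs to the address to log."""
    return [client_ip(peer, xff) for peer, xff in requests]


# Constructed sample requests as a LAN web server would receive them.
SAMPLE_REQUESTS = [
    ("192.168.0.1", "192.168.0.57"),            # via proxy, header added by it
    ("192.168.0.1", "10.9.9.9, 192.168.0.57"),  # client pre-set a fake entry
    ("192.168.0.99", "10.9.9.9"),               # direct connection, fake header
    ("192.168.0.1", "unknown"),                 # proxy withheld the address
    ("192.168.0.1", None),                      # proxy sent no header
]

if __name__ == "__main__":
    for (peer, xff), logged in zip(SAMPLE_REQUESTS, resolve_all(SAMPLE_REQUESTS)):
        print(f"peer={peer:<13} xff={xff!s:<24} log={logged}")
```
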