HAVP+SQUID Not showing client IP?



  • I am having some trouble getting LAN IP addresses to show up in my PF logs when using HAVP and Squid.  Even when running HAVP by itself, I am unable to get the client IP address to show up in the PF logs.  The best I can get is the 127.0.0.1 address in my PF logs.  Is there a bug or does it sound like a misconfiguration on my end?

    When I do get client IPs to work, HAVP fails to detect the eicar test file.  Scheme: {inet}->[HAVP]->[Squid cache]->{clients} I am running 1.2.3 stable.

    PFlog:

    IP 192.168.1.155.64780 > localhost.3125: [|tcp]

    Any advice would be greatly appreciated!

    -CC




  • Rebel Alliance Developer Netgate

    If you have one proxy in front of the other, only one of them will actually see the client's IP address. The other one will just see the IP of the first proxy you hit.



  • Thanks for the reply.  The documentation seems to imply otherwise?  Per the config guide: http://doc.pfsense.org/index.php/HAVP_Package_for_HTTP_Anti-Virus_Scanning

    How to in the HAVP logs get a real IP clients

    Typically, the logs HAVP with Squid instead addresses customers displayed address 127.0.0.1. How to fix this:

    Squid:

    Uncheck Disable X-Forward
    Uncheck Disable VIA
    Save

    HAVP:

    Check Enable Forwarded IP
    Save



  • @carboncopy:

    Scheme: {inet}->[HAVP]->[Squid cache]->{clients}

    It looks as if your configuration on your pfSense is backwards compared to what you had referenced in the quote above.  HAVP should be set to "parent for squid" not "transparent".  Squid configuration looks correct.  That change should then allow the logs to show up correctly.



  • I've actually tried almost all configuration combinations and I am not able to get the client IP in the logs.  Has anyone been successful with this?  I've read that in the 2.0 pfSense release Squid will not bypass pf, and should provide visibility to the client IP address.  I think it is a functionality issue, not a configuration issue.  Although, I have been wrong before. :)
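
Added example, not part of the thread and not Squid's or HAVP's own code: a simplified Python model of the chain discussed above (clients -> Squid -> HAVP as parent), showing why the second proxy logs 127.0.0.1 unless the first one sends X-Forwarded-For and the second one reads it. The function names and the loopback trust list are assumptions made for illustration; the header is only honoured when the TCP peer is the trusted local proxy, so a client cannot forge the logged address.

```python
import ipaddress

# Assumption: the first proxy (Squid) runs on the same host, so the second
# proxy only trusts X-Forwarded-For on connections coming from loopback.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}


def squid_forward(peer_ip, headers, forwarded_for=True):
    """Model the first proxy: record the TCP peer in X-Forwarded-For."""
    out = dict(headers)
    if forwarded_for:
        prior = out.get("X-Forwarded-For")
        out["X-Forwarded-For"] = f"{prior}, {peer_ip}" if prior else peer_ip
    else:
        # With forwarding disabled Squid sends the literal value "unknown".
        out["X-Forwarded-For"] = "unknown"
    return "127.0.0.1", out  # the next hop sees the proxy itself as its peer


def logged_client_ip(peer_ip, headers, use_forwarded_ip=True):
    """Model the second proxy: choose the address written to its log."""
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For", "")
    if not (use_forwarded_ip and peer in TRUSTED_PROXIES and xff):
        return peer_ip  # header ignored: log the TCP peer
    # Walk right to left: skip trusted proxies, take the first other hop.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # "unknown" or garbage: fall back to the peer
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return peer_ip


if __name__ == "__main__":
    # Constructed sample: LAN client 192.168.1.155 sending a forged header.
    peer, hdrs = squid_forward("192.168.1.155", {"X-Forwarded-For": "10.9.9.9"})
    print(logged_client_ip(peer, hdrs))                          # header honoured
    print(logged_client_ip(peer, hdrs, use_forwarded_ip=False))  # header ignored
```
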

