OPNsense works in bridge mode.
Squid works in transparent mode.
The HTTP request can be filtered by Squid.
BUT there is a problem: the outside web server shows the request as coming from the OPNsense bridge interface (ip1), not from the computer (ip2) behind the bridge.
webserver <---> opnsense bridge (ip1) <---> inner computer (ip2)
How to fix this?
Let the web server see the request as coming from ip2, since the OPNsense bridge is totally transparent.
Isn't that what a proxy is supposed to do? If you want the traffic to come from the source, you need to bypass Squid.
Bart...
Transparent means transparent for the client in this case, not transparent for the server. :)
Thanks!
But how to achieve client transparency in this scenario?
You said "Squid works in transparent mode." Then you said "client transparency". That's the same.
If you mean server transparency, you need to put your proxy behind NAT.
If you want your servers to see the clients and still do proxying, there are other products for this we cannot possibly support...
Cheers,
Franco
The proxy can add the source IP as a header (X-Forwarded-For, see http://www.squid-cache.org/Doc/config/forwarded_for/). You can set it in the GUI if that is what you want to do.
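If the web server is going to recover ip2 from X-Forwarded-For as suggested above, it must only believe that header when the TCP peer is actually the Squid bridge (ip1); anyone on the internet can send an X-Forwarded-For header of their own. The following is an added example of that server-side check, not code from the thread or from OPNsense/Squid. The addresses are constructed (192.0.2.1 stands in for ip1, 198.51.100.7 for ip2), and the function name client_ip is an assumption for illustration.

```python
"""Resolve the real client address from X-Forwarded-For, trusting only the
Squid bridge as the proxy. Added example; addresses below are constructed."""
import ipaddress

# Constructed: the OPNsense bridge address (the thread's "ip1").
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.1")}


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the client's IP address as a string.

    remote_addr is the TCP peer the web server really saw. If that peer is not a
    trusted proxy, the header is ignored entirely, because an arbitrary client can
    send any X-Forwarded-For value it likes. If the peer is the trusted proxy,
    walk the comma-separated list from right to left, skip any trusted proxies
    that listed themselves, and return the first untrusted hop: that is the
    address Squid appended, i.e. the client behind the bridge (ip2).
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted or not xff_header:
        return str(peer)

    hops = []
    for part in xff_header.split(","):
        part = part.strip()
        try:
            hops.append(ipaddress.ip_address(part))
        except ValueError:
            # Squid sends "unknown" when forwarded_for is off; anything that is
            # not an address means we cannot attribute the request, so fall back
            # to the peer rather than trusting a malformed header.
            return str(peer)

    for hop in reversed(hops):
        if hop not in trusted:
            return str(hop)
    # Every hop was one of our own proxies; nothing else to attribute to.
    return str(peer)


if __name__ == "__main__":
    # Constructed request: peer is the bridge, Squid appended the inner client.
    print(client_ip("192.0.2.1", "198.51.100.7"))
    # Constructed spoof attempt: client forged a leading entry, Squid still
    # appended the real client, so the rightmost untrusted hop wins.
    print(client_ip("192.0.2.1", "10.0.0.5, 198.51.100.7"))
    # Constructed direct request from an untrusted peer: header is ignored.
    print(client_ip("203.0.113.9", "198.51.100.7"))
```

The right-to-left walk matters: forwarded_for on (Squid's default) appends the client address to whatever the client already sent, so the rightmost entry that is not one of your own proxies is the only one you can attribute to the proxy you trust.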
What "other products" can achieve this?
Now, only additional IPFW rules on the proxy and the server can achieve this: the server sees the real client IP address.
It seems the "divert-reply" option of pf can work for a transparent proxy, but it does not work; maybe the kernel does not implement it.
Quote from: franco on November 30, 2016, 09:05:48 AM
You said "Squid works in transparent mode." Then you said "client transparency". That's the same.
If you mean server transparency, you need to put your proxy behind NAT.
If you want your servers to see the clients and still do proxying, there are other products for this we cannot possibly support...
Cheers,
Franco