Re: [squid-users] External IP in access.log

From: Usuário do Sistema <maiconlp_at_ig.com.br>
Date: Thu, 2 Aug 2012 11:25:30 -0300

Hi, today I woke up with one more doubt.

795035 112.215.36.175 TCP_MISS/200 96944 GET http://ads.xlxtra.com%2Ferrors%2F%3Ftype=404@efreephoto.com/pictures/9612330624e58d492b8555.jpg - DIRECT/74.204.173.205 image/jpeg

My Squid is set up with NTLM (integrated with Active Directory), so all
users need to authenticate. If there were people connected to my proxy
from the Internet (as the log above shows), they would have passed a
user/password, so why doesn't the log show the credentials? There are
many connections like that, as follows.

1342942154.124 112573 112.215.36.175 TCP_MISS/408 359 GET http://ads.xlxtra.com%2Ferrors%2F%3Ftype=404@img180.imageshack.us/img180/46/hitthanks.jpg - DIRECT/208.94.3.14 text/html

access.log.1.gz:1342942154.124 112573 112.215.36.175 TCP_MISS/408 359 GET http://ads.xlxtra.com%2Ferrors%2F%3Ftype=404@img187.imageshack.us/img187/6110/rainbowon5.gif - DIRECT/208.94.1.75 text/html

access.log.1.gz:1342942154.124 112573 112.215.36.175 TCP_MISS/408 359 GET http://ads.xlxtra.com%2Ferrors%2F%3Ftype=404@img713.imageshack.us/img713/1883/raj.png - DIRECT/208.94.3.105 text/html

access.log.1.gz:1342942170.208 1324968 112.215.36.175 TCP_MISS/206 463358 GET http://ads.xlxtra.com%2Ferrors%2F%3Ftype=404@downloads.frendz4m.com/attachments/44/6/1/1322155347-HANdsOME4HoTTy2-Digital_Playground-Jacks_Big_Ass_Show_Vol_08_-_Full_DvDRip_By_-_RaJ_-_Disc_01_avi.avi - DIRECT/209.212.146.38 video/x-msvideo

any tip is welcome

thanks

2012/8/1 Usuário do Sistema <maiconlp_at_ig.com.br>:
> thanks, my issue was with security.
>
> thanks
>
>
>
> 2012/8/1 Amos Jeffries <squid3_at_treenet.co.nz>:
>> On 02.08.2012 09:37, Usuário do Sistema wrote:
>>>
>>> Hello, I have been asked what the external IP addresses in the sarg reports are.
>>>
>>> So I did a search in the access.logs and found the following access, among
>>> others.
>>>
>>> 795035 112.215.36.175 TCP_MISS/200 96944 GET http://ads.xlxtra.com%2Ferrors%2F%3Ftype=404@efreephoto.com/pictures/9612330624e58d492b8555.jpg - DIRECT/74.204.173.205 image/jpeg
>>>
>>> Please note there are two external IP addresses: at the start
>>> 112.215.36.175 and at the end 74.204.173.205.
>>>
>>> When I run a sarg report, that access appears as the most used! It
>>> is very strange. Why doesn't it show an internal IP address instead?
>>
>>
>> One would assume you know the Squid machine IP address(es) without needing
>> them logged on every request. If you have a multi-IP box where that is also
>> needed, you can use a custom log format to display the IP at Squid's end of
>> each TCP connection.
>> http://www.squid-cache.org/Doc/config/logformat/
>>
>>
>>>
>>> what is this external access ?
>>
>>
>> http://wiki.squid-cache.org/Features/LogFormat
>>
>> The one on the right (next to DIRECT/) is the IP of the server providing the
>> response. Every MISS or REFRESH will have a server where the upstream data
>> came from.
>>
>> The one on the left (next to TCP_MISS) is the IP of the client making the
>> request. One would expect you to know who your users are and where they are
>> located. If that IP is known not to be a legit customer/client of your Squid
>> something is wrong with your security access controls.
>>
>>
>> Amos
>>
Received on Thu Aug 02 2012 - 14:25:39 MDT
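
An added example, not part of the original thread: a small audit of Squid's default native access.log format that counts requests the proxy actually served for client IPs outside the expected internal ranges, along with the logged username ("-" when none was recorded). The internal ranges, function names and sample lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: clients are expected only from these ranges; replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_native(line):
    """Split one line of Squid's default native log format into named fields."""
    parts = line.split()
    if len(parts) < 10:
        return None
    # grep over rotated logs prefixes the file name ("access.log.1.gz:"); drop it.
    parts[0] = parts[0].rsplit(":", 1)[-1]
    keys = ("time", "elapsed", "client", "result", "bytes",
            "method", "url", "user", "hierarchy", "type")
    return dict(zip(keys, parts[:10]))

def served_external(lines):
    """Count served requests per (client_ip, user) for clients outside INTERNAL_NETS."""
    hits = Counter()
    for line in lines:
        rec = parse_native(line)
        if rec is None:
            continue
        try:
            ip = ipaddress.ip_address(rec["client"])
        except ValueError:
            continue  # third field is not an IP, so not a native-format line
        if any(ip in net for net in INTERNAL_NETS):
            continue
        if rec["result"].startswith("TCP_DENIED"):
            continue  # the access controls rejected this request
        hits[(rec["client"], rec["user"])] += 1  # user "-" = no username logged
    return hits

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE = [
    "1343917530.100 120 192.168.1.20 TCP_MISS/200 5120 GET http://www.example.com/ jdoe DIRECT/198.51.100.7 text/html",
    "1343917531.200 795 203.0.113.9 TCP_MISS/200 96944 GET http://a.example/x.jpg - DIRECT/198.51.100.8 image/jpeg",
    "access.log.1.gz:1343917532.300 112 203.0.113.9 TCP_MISS/408 359 GET http://a.example/y.gif - DIRECT/198.51.100.9 text/html",
    "1343917533.400 2 203.0.113.50 TCP_DENIED/407 1800 GET http://b.example/ - NONE/- text/html",
]

if __name__ == "__main__":
    for (client, user), n in served_external(SAMPLE).most_common():
        print(f"{client} user={user} served={n}")
```

Any entry in the result is a client from outside the listed ranges whose request was forwarded upstream; an entry with user "-" was forwarded without a username being logged.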
