Re: Passthrough TCP/IP address

From: Mark Visser <mark@dont-contact.us>
Date: Tue, 28 Jan 1997 00:41:05 +0100 (MET)

On Wed, 22 Jan 1997, Duane Wessels wrote:

> blape@utk.edu writes:
>
> > Is there any way to get the Squid proxy server to send the
> > TCP/IP address of the machine hitting the web server via the proxy? That is, say
> > John Q. Public is on pc101.someplace.edu and is using Netscape which in turn
> > uses a proxy server on bigmachine.someplace.edu. Now John clicks on a link to
> > http://someother.place.edu/index.html. Normally the web server would see
> > bigmachine.someplace.edu calling. How would one configure the proxy server to
> > tell someother.place.edu that it is pc101.someplace.edu calling?
>
> See the 1.1 Release Notes:
>
> X-Forwarded-For request header
> ==============================================================================
> Squid used to add a request header called "Forwarded" which appeared
> in some early HTTP/1.1 draft documents. This header had the format
>
> Forwarded: by cache-host for client-address
>
> Current HTTP/1.1 draft documents instead use the "Via" header, but it
> does not provide any standard way of indicating the client address
> in the request. Since a number of people missed having the originating
> client address in the request, Squid now adds its own request header
> called "X-Forwarded-For" which looks like this:
>
> X-Forwarded-For: 128.138.243.150, unknown, 192.52.106.30
>
> Entries are always IP addresses, or the word "unknown" if the address
> could not be determined or if it has been disabled with the
> 'forwarded_for' configuration option.
>
> We must note that access controls based on this header are extremely
> weak and simple to fake. Anyone may hand-enter a request with any IP
> address whatsoever. This is perhaps the reason why client IP addresses
> have been omitted from the HTTP/1.1 specification.
>
>
> Duane W.
>

Yeah.. but how to implement this?

Sorry.. I'm not running squid for such a long time (just 4 weeks now), but
we have some protected pages on WWW (protected by IP range), and now
.. since people are using the proxy server, they are always denied access,
because the address the www server gets is the IP address of the proxy server,
squid, and not the address of the 'real asker'.

So... how do I implement this.. that squid sends out the right ipno?.. or is
this behaviour normal and should I find another solution?

Mark

-------------------------------------------------------------------------
Mark Visser | Student Civiele Technologie & Management
Calslaan 26 - 31 | E-mail: mark@cal026031.student.utwente.nl
7522 MC Enschede | SNT-mail: mark@snt.student.utwente.nl
Telephone: 053-4895038 |
-------------------------------------------------------------------------
Warning: You can get rid of all the bugs by disabling them from the main menu.
Received on Mon Jan 27 1997 - 15:49:39 MST
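
Added example (not part of the original message and not Squid code): a sketch of how a web server behind the proxy could apply the IP-range check discussed above, honouring X-Forwarded-For only on connections that come from the proxy itself and using only the last entry, which is the one that proxy appended. The proxy address, the allowed range and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumed values for illustration (not from the thread): the address of the
# Squid host and the IP range the protected pages allow.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}
ALLOWED_RANGE = ipaddress.ip_network("198.51.100.0/24")


def effective_client(peer_ip, xff_header=None):
    """Return the address the IP-range check should be run against.

    peer_ip is the TCP peer the web server actually sees; xff_header is the
    raw X-Forwarded-For value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header sent by anyone other than our own proxy is ignored entirely:
    # a direct client can type whatever it likes into it.
    if peer not in TRUSTED_PROXIES or not xff_header:
        return peer
    # Each proxy appends the address it saw, so only the last entry was
    # written by our proxy; earlier entries arrived from the client side.
    last = xff_header.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        # "unknown" (forwarded_for disabled) or garbage: no usable address.
        return None


def is_allowed(peer_ip, xff_header=None):
    """Apply the IP-range protection to the effective client address."""
    client = effective_client(peer_ip, xff_header)
    return client is not None and client in ALLOWED_RANGE


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For header).
    samples = [
        ("198.51.100.7", None),                        # direct, in range
        ("192.0.2.10", "198.51.100.7"),                # via proxy, in range
        ("192.0.2.10", "198.51.100.7, 203.0.113.5"),   # forged first entry
        ("203.0.113.5", "198.51.100.7"),               # direct, forged header
        ("192.0.2.10", "unknown"),                     # address withheld
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", is_allowed(peer, xff))
```

This only narrows the trust to what the proxy itself reports; it still depends on the proxy being the sole path by which requests carrying the header reach the server.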