Re: [squid-users] X_FORWARDED_FOR, squid and apache cheating

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 24 May 2008 15:42:23 +1200

howard chen wrote:
> Hi,
>
> On Fri, May 23, 2008 at 9:27 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> request_header_access X-Forwarded-For deny all
>>
>> Note mixed-case HTTP name, not the PHP internal variable name.
>>
>
> The problem is, I do want "X-Forwarded-For" if it is added by my
> squid, but not by the client, since I can trust my squid but not my client.
>
>
> If I set "request_header_access X-Forwarded-For deny all", my
> PHP cannot even get the "unknown" value, even if I am using
> "forwarded_for on".
>
> Btw, if I use Firefox Modify Header to add my custom "X_FORWARDED_FOR"
> (note the case), my PHP can still get the "HTTP_X_FORWARDED_FOR"
> header; maybe this is a potential security hole?
>
> Howard

Okay, you will need to use the new X-Forwarded-For extensions recently
added for 3.1 then, which give you a few extra manipulations of the XFF
header; the 'truncate' setting does what you want.

Pull a daily snapshot of 3-HEAD and test it for usability. Yes, it's
beta-level development code, but stable and debugged enough for most
uses now.
  http://www.squid-cache.org/Versions/v3/HEAD/

Amos

-- 
Please use Squid 2.6.STABLE20 or 3.0.STABLE6
Received on Sat May 24 2008 - 03:42:25 MDT
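
A backend-side check for the situation discussed in this thread, added here as an example and not taken from the original messages or from Squid. It models the CGI-style name mapping under which "X_FORWARDED_FOR" and "X-Forwarded-For" both surface as HTTP_X_FORWARDED_FOR, and accepts a forwarded address only when the connection comes from the trusted proxy. The proxy address 192.0.2.10, the function names and the sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: address of the trusted Squid as seen by the backend (constructed).
TRUSTED_PROXIES = {"192.0.2.10"}

def cgi_name(header):
    """CGI-style variable name under which a request header is exposed."""
    return "HTTP_" + header.upper().replace("-", "_")

def client_ip(peer_addr, raw_headers):
    """Return the client address the backend may rely on.

    peer_addr   -- TCP peer of the connection (REMOTE_ADDR)
    raw_headers -- list of (name, value) pairs exactly as received
    """
    # A peer that is not our proxy gets no say: ignore forwarding headers.
    if peer_addr not in TRUSTED_PROXIES:
        return peer_addr
    # Every header that would collapse into HTTP_X_FORWARDED_FOR.
    lookalikes = [(n, v) for n, v in raw_headers
                  if cgi_name(n) == "HTTP_X_FORWARDED_FOR"]
    genuine = [v for n, v in lookalikes if n.lower() == "x-forwarded-for"]
    # An underscore variant or a duplicate makes the value ambiguous: fall back.
    if len(lookalikes) != 1 or len(genuine) != 1:
        return peer_addr
    # The proxy appends the address it saw, so only the last entry is its own.
    last = genuine[0].split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return peer_addr  # "unknown" or malformed entry

# Constructed sample requests: (peer address, raw headers).
SAMPLES = [
    ("203.0.113.7", [("X-Forwarded-For", "10.0.0.1")]),
    ("192.0.2.10", [("X-Forwarded-For", "10.0.0.1, 198.51.100.23")]),
    ("192.0.2.10", [("X_FORWARDED_FOR", "10.0.0.1"),
                    ("X-Forwarded-For", "198.51.100.23")]),
    ("192.0.2.10", [("X-Forwarded-For", "unknown")]),
]

if __name__ == "__main__":
    for peer, headers in SAMPLES:
        print(peer, headers, "->", client_ip(peer, headers))
```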
