Alejandro Martinez wrote:
> Hi,
>
> This is my first post.
>
> I have two proxies
>
> Network(Users) -------------> ProxyA (sibling) --------------> ProxyB (parent)
>
>
> In proxyA I have:
>                          forwarded_for on
>
> In ProxyB I have:
>                          follow_x_forwarded_for allow all
This should NOT be an allow all.  Since you only have one child proxy, 
you should only allow follow_x_forwarded_for for that specific IP.
acl childProxy src 192.168.18.92
follow_x_forwarded_for allow childProxy
>                         acl_uses_indirect_client on
>                         log_uses_indirect_client on
>                         delay_pool_uses_indirect_client on
>
> ProxyA - Squid Cache: Version 2.5.STABLE14
>                configure options:  --build=i686-redhat-linux-gnu 
> --host=i686-redhat-linux-gnu --target=i386-redhat-linux-gnu 
> --program-prefix= --prefix=/usr --exec-prefix=/usr     
> --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc 
> --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib 
> --libexecdir=/usr/libexec --localstatedir=/var 
> --sharedstatedir=/usr/com --mandir=/usr/share/man 
> --infodir=/usr/share/info --exec_prefix=/usr --bindir=/usr/sbin 
> --libexecdir=/usr/lib/squid --localstatedir=/var 
> --sysconfdir=/etc/squid --enable-poll --enable-snmp 
> --enable-removal-policies=heap,lru 
> --enable-storeio=aufs,coss,diskd,null,ufs --enable-ssl 
> --with-openssl=/usr/kerberos --enable-delay-pools 
> --enable-linux-netfilter --with-pthreads 
> --enable-ntlm-auth-helpers=SMB,winbind 
> --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group 
> --enable-auth=basic,ntlm --with-winbind-auth-challenge 
> --enable-useragent-log --enable-referer-log 
> --disable-dependency-tracking --enable-cachemgr-hostname=localhost 
> --enable-ident-lookups --enable-truncate --enable-underscores 
> --datadir=/usr/share 
> --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,winbind 
> --enable-fd-config --enable-arp-acl
>
>
> ProxyB -  Squid Cache: Version 2.6.STABLE22
>                 configure options:  '--enable-ssl' 
> '--enable-follow-x-forwarded-for' '--enable-delay-pools' 
> '--enable-arp-acl' '--enable-linux-netfilter'
>
>
>
> My problem is, I can see the original IP of the users in access.log, 
> but when I do a "squidclient -U user -W password mgr:active_requests" 
> (in ProxyB) I only see one entry
>
>
> HTTP/1.0 200 OK
> Server: squid/2.6.STABLE22
> Date: Mon, 23 Mar 2009 21:07:15 GMT
> Content-Type: text/plain
> Expires: Mon, 23 Mar 2009 21:07:15 GMT
> Last-Modified: Mon, 23 Mar 2009 21:07:15 GMT
> X-Cache: MISS from proxyE1.equital.com
> Via: 1.0 proxyE1.equital.com:3128 (squid/2.6.STABLE22)
> Proxy-Connection: close
>
> Connection: 0x8f1bfd0
>         FD 12, read 117, wrote 0
>         FD desc: cache_object://localhost/active_requests
>         in: buf 0x8f33cf8, offset 0, size 4096
>         peer: 127.0.0.1:33086
>         me: 127.0.0.1:3128
>         nrequests: 1
>         defer: n 0, until 0
> uri cache_object://localhost/active_requests
> log_type TCP_MISS
> out.offset 0, out.size 0
> req_sz 117
> entry 0x8f22dc8/82AFF239F7FDD8D3ED9A797B5AEE2340
> old_entry (nil)/N/A
> start 1237842435.324518 (0.000000 seconds ago)
> username -
> delay_pool 0
>
> squidclient can't see the forwarded address of the clients? I'm 
> missing something?
At this time there was just one active request, that being the Squid 
client (on localhost) requesting information about active requests...  I 
have no idea if the cache_manager menu honors the X-Forwarded-For 
header, but I would imagine not.  The active_requests list includes port 
numbers, and so probably uses the raw TCP connection data.
> Thanks a lot
Chris
Received on Wed Apr 22 2009 - 22:44:50 MDT
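
Added example (not part of the original thread, and not Squid's own code): a small Python model of the backtracking that follow_x_forwarded_for performs, comparing which address ProxyB would treat as the client under "allow all" and under the childProxy ACL. With acl_uses_indirect_client on, that address is the one ACLs are evaluated against. The function name and the 10.0.0.x addresses are constructed for illustration; 192.168.18.92 is the child proxy address from the reply above.

```python
import ipaddress

# Trust lists modelling the two configurations discussed in the thread.
ALLOW_ALL = ["0.0.0.0/0"]            # follow_x_forwarded_for allow all
CHILD_ONLY = ["192.168.18.92/32"]    # follow_x_forwarded_for allow childProxy


def indirect_client(peer_ip, xff_header, trusted_nets):
    """Return the address the parent proxy ends up treating as the client.

    Start at the TCP peer. While the current address is one we are allowed
    to follow X-Forwarded-For for, step back to the rightmost remaining
    entry of the header. Stop at the first address that is not trusted,
    or when the list is exhausted.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    entries = [e.strip() for e in xff_header.split(",") if e.strip()]
    current = ipaddress.ip_address(peer_ip)
    while entries and any(current in net for net in trusted):
        candidate = entries.pop()
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            break  # unparsable entry such as "unknown": keep last good address
    return str(current)


if __name__ == "__main__":
    # Constructed sample: the user at 10.0.0.5 sends its own
    # "X-Forwarded-For: 10.0.0.99"; ProxyA (forwarded_for on) appends the
    # real client address before passing the request to ProxyB.
    peer = "192.168.18.92"
    header = "10.0.0.99, 10.0.0.5"
    print("allow all      ->", indirect_client(peer, header, ALLOW_ALL))
    print("allow childProxy ->", indirect_client(peer, header, CHILD_ONLY))
    # A host that bypasses ProxyA and connects to ProxyB directly.
    print("direct, childProxy ->",
          indirect_client("10.0.0.5", "10.0.0.99", CHILD_ONLY))
```

Under "allow all" the client-supplied value wins; with only the child proxy trusted, backtracking stops at the address ProxyA actually saw.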