Re: [squid-users] squid reverse-config - pass external clients ip as origin

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 09 Nov 2011 10:45:41 +1300

 On Tue, 8 Nov 2011 21:23:21 +0000, Fuchs, Martin wrote:
> Hi !
>
> Is there somehow the possibility to tell squid in a reverse config to
> pass the external clients ip as the origin ip ?

 Careful, "origin" is the correct term for "web server".
 I assume you mean passing the client IP so the server sees the client
 connecting.

> I know of the many x-forwarded-for discussions, but here I have a
> case with squid as a generic firewall package, where I cannot edit
> every internal destinations' configs...

 Then you are probably screwed. The only alternative to XFF headers is
 TPROXY to forge packets leaving Squid with the client IP.

 Using TPROXY means abandoning all the reverse-proxy benefits and taking
 up all the interception problems. Along with the extra problem that
 traffic has to be forcibly bottlenecked through Squid, creating a single
 point of failure. The origin servers will respond directly to those
 client IPs and must themselves be diverted back into Squid. The choice
 is yours, but I do not recommend it.

 IMHO the best you can do is pass the forwarded-for details and inform
 those who do have config access to use it or get bad traffic accounting.
 XFF is a well known feature with decades of history and help available
 online if they need it.

 Amos
Received on Tue Nov 08 2011 - 21:45:46 MST
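
The following is an added example, not part of the original message or of Squid: a sketch of how an origin server behind the reverse proxy could derive the client address from X-Forwarded-For for its traffic accounting, accepting the header only on connections that come from the proxy itself. The proxy address 192.0.2.10 and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the address Squid uses when connecting to the origin server.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _trusted(addr):
    """True if addr belongs to one of our own proxies."""
    return any(addr in net for net in TRUSTED_PROXIES
               if net.version == addr.version)


def client_ip(peer_addr, xff_header):
    """Return the address to record for a request.

    peer_addr  -- TCP source address of the connection
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # A connection that did not come from the proxy: any XFF header on it
    # was written by the client and carries no weight.
    if not _trusted(peer) or not xff_header:
        return str(peer)
    # Each proxy appends the address it received the request from, so the
    # rightmost entries are the ones our own proxy wrote. Walk right to
    # left and stop at the first hop that is not one of our proxies.
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            # "unknown" or malformed entry: nothing further left is reliable.
            return str(peer)
        if not _trusted(hop):
            return str(hop)
    return str(peer)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For value).
    samples = [
        ("192.0.2.10", "203.0.113.7"),             # normal proxied request
        ("192.0.2.10", "10.9.9.9, 203.0.113.7"),   # client sent its own XFF
        ("198.51.100.5", "203.0.113.7"),           # bypassed the proxy
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", client_ip(peer, xff))
```
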
