On Tue, 8 Nov 2011 21:23:21 +0000, Fuchs, Martin wrote:
> Hi !
>
> Is there somehow the possibility to tell squid in a reverse config to
> pass the external clients ip as the origin ip ?
Careful "origin" is the correct term for "web server".
I assume you mean passing the client IP so the server sees the client
connecting.
> I know of the many x-forwarded-for discussions, but here I have a
> case with squid as a generic firewall package, where I cannot edit
> every internal destinations configs...
Then you are probably screwed. The only alternative to XFF headers, is
TPROXY to forge packets leaving Squid with the client IP.
Using TPROXY means abandoning all the reverse-proxy benefits and taking
up all the interception problems. Along with the extra problem that
traffic has to be forcibly bottlenecked through Squid, creating a single
point of failure. The origin servers will respond directly to those
client IPs and must themselves be diverted back into Squid. The choice
is yours, but I do not recommend it.
IMHO the best you can do is pass the forwarded-for details and inform
those who do have config access to use it or get bad traffic accounting.
XFF is a well known feature with decades of history and help available
online if they need it.
Amos
Received on Tue Nov 08 2011 - 21:45:46 MST
This archive was generated by hypermail 2.2.0 : Wed Nov 09 2011 - 12:00:03 MST