Re: [squid-users] ACL based on XFF

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 03 Apr 2012 00:10:36 +1200

On 2/04/2012 8:24 p.m., Sekar Duraisamy wrote:
> Thanks Amos. Actually My loadBalancer will send the XFF with source
> information. So i will use XFF as the source to block the users intead
> of IP.
>
> Is this possible?

Try using the config lines I gave.

Amos

>
> -Sekar
>
> On Mon, Apr 2, 2012 at 1:03 PM, Amos Jeffries wrote:
>> On 2/04/2012 7:15 p.m., Sekar Duraisamy wrote:
>>> Hello All,
>>>
>>> Can create an ACL based on XFF?
>>
>> Yes.
>>
>> Now what do you mean by "based on"?
>>
>>
>>> Since the squid placed after the loadbancer, it will send the XFF and
>>> LB ip as source ip for all the request. So I want to put ACL based on
>>> XFF.
>>>
>>> Is this possible?
>>
>> This is the purpose of XFF header and the follow_x_forwarded_for directive.
>>
>> This config:
>> acl LB src<your LB IP address>
>> follow_x_forwarded_for allow LB
>> follow_x_forwarded_for deny all
>>
>> With the LB setting the XFF header correctly the above will make Squid see
>> and use the IP of clients on other side of the LB.
>>
>> Amos
Received on Mon Apr 02 2012 - 12:10:49 MDT

This archive was generated by hypermail 2.2.0 : Mon Apr 02 2012 - 12:00:02 MDT