I have been using Squid Caching Proxy Server since 1996. Its
principal advantage has been the reduction in bandwidth needed to
support access to HTTP content. Another advantage is that it makes
the network appear more responsive to the user.

Over the past decade, there have been several changes in corporate
ownership and organisation. During the last re-organisation, a new
organisation, Security Operations Center, was formed. Recently, they
have started complaining about the presence of our Squid servers.
They complain that the Squid server is hiding information about which
system is initiating the HTTP request.

Looking at the raw data captured with tcpdump, Squid is including the
X-Forwarded-For HTTP headers. They identify the IP address of the
system that initiated the request.

The security organisation manages Sidewinder G2 firewalls. They also
have Content Engines in the Cisco border routers. The Content Engine
and the Sidewinder G2 proxy are intercept proxies configured as
intercept proxies. They are both based on Squid.

I would like to keep our current Squid configuration as I think it
provides a significant advantage. Now the question: can Squid report
the content of the X-Forwarded-For header in the access.log or syslog?

Merton Campbell Crockett
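
Added example, not part of the original message: a sketch of how a security team could attribute requests to the initiating system from an upstream proxy log, assuming that proxy records the request header (Squid's `logformat` code `%{X-Forwarded-For}>h`) as the last, quoted field. The log layout, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import shlex

# Assumption: our own Squid servers, the only peers whose header is believed.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}

# Constructed sample lines: epoch, peer address, method, URL, quoted header value.
SAMPLE_LOG = """\
1180000000.101 192.0.2.10 GET http://example.com/ "10.1.2.3"
1180000001.202 192.0.2.10 GET http://example.com/a "198.51.100.7, 10.1.2.4"
1180000002.303 203.0.113.5 GET http://example.com/b "10.9.9.9"
1180000003.404 192.0.2.10 GET http://example.com/c "-"
1180000004.505 192.0.2.10 GET http://example.com/d "unknown"
"""


def originating_client(peer, xff):
    """Return (address, source) for one request.

    The header is honoured only when the TCP peer is a trusted proxy.
    Entries are read right to left, because each proxy appends the
    address it saw; anything further left is client-supplied.
    """
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_PROXIES:
        return str(peer_ip), "peer"  # header came from an untrusted sender
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # "-", "unknown" or garbage: nothing usable in the header
        if hop_ip not in TRUSTED_PROXIES:
            return str(hop_ip), "xff"
    return str(peer_ip), "peer-no-xff"


def attribute(log_text):
    """Return [(url, address, source)] for every well-formed log line."""
    results = []
    for line in log_text.splitlines():
        fields = shlex.split(line)
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed layout
        _ts, peer, _method, url, xff = fields
        results.append((url, *originating_client(peer, xff)))
    return results


if __name__ == "__main__":
    for url, address, source in attribute(SAMPLE_LOG):
        print(f"{address:15} {source:12} {url}")
```

Requests marked `peer-no-xff` came through a trusted proxy without a usable header value, so they can only be traced further from that proxy's own access.log.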