howard chen wrote:
Hi,
On Fri, May 23, 2008 at 9:27 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
request_header_access X-Forwarded-For deny all
Note mixed-case HTTP name, not the PHP internal variable name.
The problem is, I do want "X-Forwarded-For", if it is added by my
squid, but not client. Since I can trust my squid but not my client.
If setting the "request_header_access X-Forwarded-For deny all", my
PHP even cannot get the "unknown" value even if I am using
"forwarded_for on"
Btw, If I use Firefox Modify Header to add my custom "X_FORWARDED_FOR"
(note the case), my PHP can still get the "HTTP_X_FORWARDED_FOR"
header, maybe this is a potential security hole?
Howard
Okay, you will need to use the new X-Forwarded-For extensions recently
added for 3.1 then. Which gives you a few extra manipulations of the XFF
header, the 'truncate' setting does what you want.
Pull a daily snapshot of 3-HEAD and test it for usability. Yes, its
beta-level development code, but stable and debugged enough for most
uses now.
http://www.squid-cache.org/Versions/v3/HEAD/
Amos
--
Please use Squid 2.6.STABLE20 or 3.0.STABLE6
