Thanks for your answer.

But in case of Commercial Web Application Firewall (WAF),
I found that tproxy was installed and some daemon like squid to filter the web traffic transparently,
and the real client ip is seen at the origin server.

Is it a different case?

Thanks for your comments.

> MontyRee wrote:
>> Hello, all.
>>
>> I saw much useful function named tproxy.
>> So please check below is possible or not.
>>
>>
>> Client(192.168.3.2) ==> http-accelerator mode squid(10.10.1.2) ==> apache web server(10.10.1.1)
>>
>> When I see the log file at apache, only cache(10.10.1.2) ip will be seen without regard to clients.
>> but when I set tproxy at squid server, I can see the real client IPs, right?
>>
>> then how can I set iptables rule at squid server(10.10.1.2)?
>> It seems that most examples are for forward proxy not httpd-accel mode.
>>
>> http://wiki.squid-cache.org/ConfigExamples/
>>
>> I know that "HTTP_X_FORWARDED_FOR" would be possible,
>> but I don't want it. Please share how to set tproxy for accel mode.
>>
>>
>> Thanks in advance.
>>
>
> No it's not.
>
> accel mode == reverse proxy == squid pretending to be a web server.
>
> tproxy == squid pretending not to be there.
>
> When Squid pretends not to be there it cannot perform the actions needed
> to make it look like a web server.
>
> X-Forwarded-For is the way to do this. Whether you want to do it that
> way or not. It's the way you get the real client IP through the various
> middleware proxies already passing traffic from box to box around the
> Internet in a www version of NAT.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19
> Current Beta Squid 3.1.0.13
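
Added example, not part of the original messages: a sketch of how the origin side can recover the client address from X-Forwarded-For, as the quoted reply recommends, while believing the header only when the connection comes from the Squid accelerator. The function name and the trusted-proxy list are assumptions; the addresses are the ones in the thread's diagram plus constructed ones.

```python
import ipaddress

# Assumption: the only proxy allowed to vouch for a client is the Squid
# accelerator from the thread's diagram.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.1.2/32")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def real_client_ip(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address the origin server should log for this request.

    peer       -- source IP of the TCP connection seen by the origin
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    current = ipaddress.ip_address(peer)
    # A header from a peer that is not our proxy is client-controlled: ignore it.
    if not _is_trusted(current, trusted) or not xff_header:
        return str(current)
    # Each proxy appends the address it received the request from, so the
    # rightmost entries are the most trustworthy. Walk right to left.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # "unknown" or garbage: stop at the last verified hop
        current = candidate
        if not _is_trusted(current, trusted):
            break  # first address not vouched for by a trusted proxy
    return str(current)


# Constructed sample requests (peer address, X-Forwarded-For header).
SAMPLES = [
    ("10.10.1.2", "192.168.3.2"),               # normal path through Squid
    ("10.10.1.2", "203.0.113.7, 192.168.3.2"),  # client pre-seeded a fake entry
    ("192.168.3.2", "10.0.0.99"),               # direct hit, header forged
    ("10.10.1.2", None),                        # Squid sent no header
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, repr(xff), "->", real_client_ip(peer, xff))
```

The second sample is the case that matters for logging and access control: the leftmost entry was supplied by the client, so only the entry appended by the trusted proxy is used.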