Re: Why is follow_x_forwarded_for not used for ICAP ? Or is it?


Michael Portz wrote:
On 19.01.2010 at 09:59, Amos Jeffries wrote:

Michael Portz wrote:
On 19.01.2010 at 09:06, Amos Jeffries wrote:

Michael Portz wrote:
My scenario is the following:

The original accesses from our LAN hit on the first-level squid.
Doing some basic load-balancing the requests are forwarded to several
parent-squids. Each of these contact various ICAP-servers for
modifications of the request.

The problem: several decisions of the ICAP-server should be based on
the original client's IP-address. Alas, given the scenario above, it
only can be based on the outgoing IP address of the first-level
proxy. The configuration option follow_x_forwarded_for does the right
thing, but "only" access_control, delay pools and logging are
explicitly stated as applications. Does it work for icap, too? Or is
something like this in the development queue?

The all-over squid version is 3.0.STABLE21.

Regards Michael

Strange. 3.0 does not even have a follow_x_forwarded_for option. That was added to Squid-3.1.

The one in 3.1 has several known problems such as the ICAP lack you cite. http://bugs.squid-cache.org/show_bug.cgi?id=2731
I'm hoping to fix XFF by next release. Certainly before it goes stable.

Amos
--
Please be using
 Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
 Current Beta Squid 3.1.0.15

Great!

I am new to the list but my experience from elsewhere is that if you
don't mention the version, half of the replies to your posting are "what version
are you using" so I usually include this bit of information, regardless of its
importance to the contents of the posting :-)

Thanks for your answer and for the pointer, your answer saves me setting
up a 3.1 just for finding out; not sure I understood you correctly though,
so allow for one more question: Does Wolfgang's patch

- work?
- nearly work?
- is still too buggy to use?

Nearly. It does send the XFF result IP to ICAP like it is supposed to.

The other problems in XFF mean that the result IP may not always be what you want. The direct client IP is not checked and Squid 'fails' partially trusted chains when it should not.

Amos

Not wanting to press you into too speculative answers, but can I
assume that in my simple scenario (exactly one squid in between
the client and the XFF-squid) it might just work?

Michael

Yes. The simplistic configurations work.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
  Current Beta Squid 3.1.0.15
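
The right-to-left trust walk that X-Forwarded-For handling depends on, as an added example that is not part of the thread and not Squid's code. The function name indirect_client and all addresses are constructed for illustration; it goes beyond the one-hop scenario discussed above by also covering an untrusted direct peer and a partially trusted chain.

```python
import ipaddress


def indirect_client(peer_ip, xff_header, trusted_nets):
    """Return the address to treat as the client for access control or ICAP.

    peer_ip      -- remote end of the TCP connection (the direct client)
    xff_header   -- raw X-Forwarded-For value, "" if the header is absent
    trusted_nets -- networks whose X-Forwarded-For entries are believed
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Check the direct peer first, then walk the header right to left.
    # An entry is believed only because the hop that appended it is trusted,
    # so the walk stops at the first address outside the trusted set and
    # returns that address instead of rejecting the whole chain.
    while hops and is_trusted(current):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed entry: keep the last address that was verified
    return str(current)


# Constructed sample data: 192.0.2.10 stands in for the first-level proxy.
TRUSTED = ["192.0.2.10/32"]

if __name__ == "__main__":
    cases = [
        ("one trusted hop", "192.0.2.10", "10.1.2.3"),
        ("untrusted peer sends XFF", "203.0.113.7", "10.1.2.3"),
        ("partially trusted chain", "192.0.2.10", "1.2.3.4, 198.51.100.5"),
        ("no header", "192.0.2.10", ""),
    ]
    for label, peer, xff in cases:
        print(f"{label:26} -> {indirect_client(peer, xff, TRUSTED)}")
```

In the partially trusted case the leftmost entry is ignored because the hop that reported it, 198.51.100.5, is not in the trusted set.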
