On Mon, 15 Feb 2010 13:15:35 -0430, Jose Ildefonso Camargo Tolosa <ildefonso.camargo@xxxxxxxxx> wrote:
> Hi!
>
> I really don't understand why are you, people, so insistent on the
> "x-forwarded-for" thing..... it has nothing to do with authentication,
> unless you use IP as part of your ACLs, of course.

You mean such as little 'unimportant' things like "http_access allow our_networks" or "http_access deny all"?

XFF defines the route of transfer. Security ACLs define the trusted secure zone. Combined, the XFF provides the true origin client for end-server access authorization (and IP spoofing sometimes) across any hierarchy. The hierarchy in this case is client+DG+Squid+untrusted.

Some (many?) websites use it to identify individual client sources across translation technologies such as NAT, intercepting proxies and CDN hierarchies where the IP addresses are altered and multiple clients otherwise appear to all come from the same source.

In the case of Squid+DansGuardian, _every single request_ comes out the other end as sourced from 127.0.0.1 / localhost.

Amos
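
Added example, not part of the original message and not Squid's own code: a sketch of how a trusted-zone ACL combined with X-Forwarded-For recovers the origin client behind DansGuardian, while ignoring XFF values supplied by untrusted senders. The `192.168.0.0/16` range for `our_networks`, the function names and the sample requests are assumptions made for illustration.

```python
import ipaddress

# Assumptions for illustration: DansGuardian shares a host with Squid, and
# the "our_networks" ACL covers 192.168.0.0/16.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
OUR_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]


def _in(addr, nets):
    return any(addr in net for net in nets)


def effective_client(peer_ip, xff_header):
    """Address the ACLs should see: walk XFF right to left, stepping back
    only while the hop that reported the entry is a trusted proxy."""
    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _in(current, TRUSTED_PROXIES):
            break  # claims made by an untrusted sender are ignored
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
    return current


def http_access(peer_ip, xff_header):
    """Mimic 'http_access allow our_networks' then 'http_access deny all'."""
    client = effective_client(peer_ip, xff_header)
    return "allow" if _in(client, OUR_NETWORKS) else "deny"


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer address, X-Forwarded-For value)
    samples = [
        ("127.0.0.1", "192.168.1.20"),               # internal client via DG
        ("127.0.0.1", "203.0.113.9"),                # outside client via DG
        ("127.0.0.1", None),                         # DG not adding XFF
        ("203.0.113.9", "192.168.1.20"),             # direct peer forging XFF
        ("127.0.0.1", "192.168.1.20, 203.0.113.9"),  # forged leftmost entry
    ]
    for peer, xff in samples:
        print(peer, xff, effective_client(peer, xff), http_access(peer, xff))
```

Without the header, the only address available to the ACL is 127.0.0.1, so every client behind DansGuardian is indistinguishable; with it, only the entry vouched for by the trusted hop is used.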