Re: Re: stop XFF


On Tue, 4 May 2010 17:06:38 -0500, Luis Daniel Lucio Quiroz
<luis.daniel.lucio@xxxxxxxxx> wrote:
> Le mardi 4 mai 2010 17:01:36, Luis Daniel Lucio Quiroz a écrit :
>> Hi all
>> 
>> I have this scenario
>> 
>> client -> squid1 -> squid2 -> internet
>> 
>> What do I need to stop the XFF header so pages like www.whatismyip.org
>> don't show that header?
>> 
>> I don't want to turn off x-forward because squid2 has an ICAP server and
>> it needs that header. I also have tried this configuration
>> 
>> acl localnet 192.168.0.0/16 (and all networks I'm pretty sure are local,
>> including squid1 and squid2 IPs)
>> forwarded_for on
>> follow_x_forwarded_for allow localnet
>> follow_x_forwarded_for deny all
>> 
>> However, the header is still present
>> 
>> Any advice?
>> 
>> LD
> 
> As I read here
> http://www.squid-cache.org/Doc/config/forwarded_for/
> 
> If I put delete or truncate,
> is the XFF header alteration before or after doing the ICAP revision?
> 
> LD

At the point the request is cloned to be sent to the remote Server. I
think ICAP happens before that.

Some other related stuff:
 Squid sends X-Client-IP for ICAP to use. The result of
follow_x_forwarded_for is sent in there if trusted. If it's not being used
there is no point in doing follow_x_forwarded_for in the first place.

Also, trusting your end-user browser to set XFF headers correctly is a
huge mistake. There are popular plugins and apps to trivially forge it. The
only machines in your scenario which you can trust are your squid1 and
squid2, maybe the ICAP server.

Amos
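
The trust point in the reply above, as an added example that is not part of the original thread and is not Squid's code: a small Python model of the backtracking that the squid.conf documentation describes for follow_x_forwarded_for, run as squid2 would see a request relayed by squid1. All addresses are constructed, and stopping at an unparseable entry is an assumption of this model.

```python
import ipaddress

def indirect_client(peer_ip, xff_header, trusted_nets):
    """Model of the documented follow_x_forwarded_for walk.

    Start from the TCP peer. While the current address is allowed
    (trusted), step back to the previous X-Forwarded-For entry. Stop at
    the first address that is not trusted, or when the list runs out.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    entries = [e.strip() for e in xff_header.split(",") if e.strip()]
    current = ipaddress.ip_address(peer_ip)
    while entries and is_trusted(current):
        candidate = entries.pop()  # right-most entry was added last
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            break  # assumption: keep the last verified address
    return str(current)

# Constructed sample values for the client -> squid1 -> squid2 chain.
SQUID1 = "192.168.0.2"      # address squid2 sees as its TCP peer
CLIENT = "192.168.1.50"     # real end-user address, appended by squid1
CLAIMED = "203.0.113.9"     # value the end-user's browser put in XFF itself
HEADER_AT_SQUID2 = f"{CLAIMED}, {CLIENT}"

# "allow localnet": end-user machines count as trusted, so the walk
# continues past squid1's entry into the part the browser controls.
LOCALNET_TRUST = ["192.168.0.0/16"]

# Only squid1 is trusted: the walk stops at the entry squid1 wrote.
PROXY_ONLY_TRUST = ["192.168.0.2/32"]

if __name__ == "__main__":
    for label, nets in (("localnet", LOCALNET_TRUST),
                        ("squid1 only", PROXY_ONLY_TRUST)):
        print(label, "->", indirect_client(SQUID1, HEADER_AT_SQUID2, nets))
```

With the whole local network trusted, the address handed on as the client address is whatever the browser claimed; with only squid1 trusted, it is the address squid1 itself observed.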
