On Tue, 4 May 2010 17:06:38 -0500, Luis Daniel Lucio Quiroz <luis.daniel.lucio@xxxxxxxxx> wrote:
> On Tuesday 4 May 2010 17:01:36, Luis Daniel Lucio Quiroz wrote:
>> Hi all
>>
>> I have this scenario
>>
>> client -> squid1 -> squid2 -> internet
>>
>> What do I need to stop the XFF header so pages like www.whatismyip.org
>> don't show that header?
>>
>> I don't want to turn off x-forward because squid2 has an ICAP server and
>> it needs that header. I also have tried this configuration
>>
>> acl localnet 192.168.0.0/16 (and all networks I'm pretty sure are local,
>> including squid1 and squid2 IPs)
>> forwarded_for on
>> follow_x_forwarded_for allow localnet
>> follow_x_forwarded_for deny all
>>
>> However, the header is still present
>>
>> any advice?
>>
>> LD
>
> As I read here
> http://www.squid-cache.org/Doc/config/forwarded_for/
>
> if I put delete or truncate,
> is the XFF header alteration before or after doing the ICAP revision?
>
> LD

At the point the request is cloned to be sent to the remote server. I think ICAP happens before that.

Some other related stuff:

Squid sends X-Client-IP for ICAP to use. The result of follow_x_forwarded_for is sent in there if trusted. If it's not being used there is no point in doing follow_x_forwarded_for in the first place.

Also, trusting your end-user browser to set XFF headers correctly is a huge mistake. There are popular plugins and apps to trivially forge it. The only machines in your scenario which you can trust are your squid1 and squid2, maybe the ICAP server.

Amos
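
Added example, not part of the original thread and not Squid's own code: a simplified Python model of how follow_x_forwarded_for is documented to backtrack through X-Forwarded-For, as seen from squid2. It shows why allowing all of localnet lets a forged entry become the client address handed on (for example to ICAP as X-Client-IP), while allowing only squid1 does not. The function name and all addresses are constructed for illustration.

```python
import ipaddress

def indirect_client(direct_ip, xff_header, trusted_nets):
    """Model of follow_x_forwarded_for: while the current address is allowed,
    step back to the previous (right-most remaining) X-Forwarded-For entry."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    current = ipaddress.ip_address(direct_ip)
    while hops and any(current in net for net in trusted):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # unparsable entry: keep the last address we could verify
    return str(current)

# Constructed sample values (assumptions, not from the thread).
SQUID1 = "192.168.0.2"      # squid2's direct peer
CLIENT = "192.168.1.50"     # real end-user machine behind squid1
FORGED = "203.0.113.77"     # value a browser plugin put in its own XFF header

# squid1 (forwarded_for on) appends the client's address to what the client sent.
XFF_AT_SQUID2 = f"{FORGED}, {CLIENT}"

def compare_policies():
    # "follow_x_forwarded_for allow localnet" where localnet covers the clients
    broad = indirect_client(SQUID1, XFF_AT_SQUID2, ["192.168.0.0/16"])
    # allow only the proxy we operate ourselves
    narrow = indirect_client(SQUID1, XFF_AT_SQUID2, [SQUID1 + "/32"])
    return broad, narrow

if __name__ == "__main__":
    broad, narrow = compare_policies()
    print("trust all of localnet ->", broad)   # forged address wins
    print("trust only squid1     ->", narrow)  # real client address
```
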