Search squid archive

Re: follow_x_forwarded_for to get client ip instead of sibling proxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

hi Alex,

thanks for the notes

so my child proxy, i have added -

#forward clients IP
forwarded_for on

and my parent -

acl my_other_proxy srcdomain 10.110.130.80
follow_x_forwarded_for allow my_other_proxy
log_uses_indirect_client on

but in my parent logs, im still getting the ip of the child proxy?

On Thu, 16 Jan 2020 at 16:47, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 1/16/20 9:59 AM, robert k Wild wrote:

> i have two proxies (one sibling going to a parent)

FYI: "siblings" are proxies that fetch hits from each other. The proxy
"going to the parent" is usually called a "child" proxy:

    clients -> child -> parent -> servers


> when i look at the parent proxy access logs, it just logs the ip address
> of the sibling proxy
>
> if i add the lines below in my sibling proxy
>
> acl localhost src 127.0.0.1
> acl my_other_proxy srcdomain .proxy.example.com
> follow_x_forwarded_for allow localhost
> follow_x_forwarded_for allow my_other_proxy
>
> when i next look at the logs, will it show the ip of my clients?


No, it will not (by default) AFAICT. For the parent proxy logs to
contain IP addresses of the clients,

a) The child proxy must send the X-Forwarded-For header to the parent.
b) The parent proxy must trust X-Forwarded-For received from the child
   (as far as logging is concerned).

Your configuration changes at the child proxy do neither (a) nor (b).

IIRC, (a) will happen by default, while (b) requires
follow_x_forwarded_for and log_uses_indirect_client rules at the parent
proxy.

 I did not review your follow_x_forwarded_for rules.

The follow_x_forwarded_for rules at the child proxy are needed if and
only if you want the child proxy to trust the X-Forwarded-For headers
received by that child proxy (from its clients). That is only necessary
in deeper hierarchies:

    clients -> child1 -> child2 -> parent

Alex.


--
Regards,

Robert K Wild.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux