Re: follow_x_forwarded_for to get client ip instead of sibling proxy


Alex, you are AWESOME!!!!!!!!!!!!!!!!!!

On Thu, 16 Jan 2020 at 17:11, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 1/16/20 12:05 PM, robert k Wild wrote:
> hi Alex,
>
> thanks for the notes
>
> so my child proxy, i have added -
>
> #forward clients IP
> forwarded_for on


FYI: This is the default.


> and my parent -
>
> acl my_other_proxy srcdomain 10.110.130.80

If you identify your child proxy by its IP, then use src instead of
srcdomain.

Alex.


> follow_x_forwarded_for allow my_other_proxy
> log_uses_indirect_client on
>
> but in my parent logs, I'm still getting the ip of the child proxy?



> On Thu, 16 Jan 2020 at 16:47, Alex Rousskov wrote:
>
>     On 1/16/20 9:59 AM, robert k Wild wrote:
>
>     > i have two proxies (one sibling going to a parent)
>
>     FYI: "siblings" are proxies that fetch hits from each other. The proxy
>     "going to the parent" is usually called a "child" proxy:
>
>         clients -> child -> parent -> servers
>
>
>     > when i look at the parent proxy access logs, it just logs the ip address
>     > of the sibling proxy
>     >
>     > if i add the lines below in my sibling proxy
>     >
>     > acl localhost src 127.0.0.1
>     > acl my_other_proxy srcdomain .proxy.example.com
>     > follow_x_forwarded_for allow localhost
>     > follow_x_forwarded_for allow my_other_proxy
>     >
>     > when i next look at the logs, will it show the ip of my clients?
>
>
>     No, it will not (by default) AFAICT. For the parent proxy logs to
>     contain IP addresses of the clients,
>
>     a) The child proxy must send the X-Forwarded-For header to the parent.
>     b) The parent proxy must trust X-Forwarded-For received from the child
>        (as far as logging is concerned).
>
>     Your configuration changes at the child proxy do neither (a) nor (b).
>
>     IIRC, (a) will happen by default, while (b) requires
>     follow_x_forwarded_for and log_uses_indirect_client rules at the parent
>     proxy.
>
>     I did not review your follow_x_forwarded_for rules.
>
>     The follow_x_forwarded_for rules at the child proxy are needed if and
>     only if you want the child proxy to trust the X-Forwarded-For headers
>     received by that child proxy (from its clients). That is only necessary
>     in deeper hierarchies:
>
>         clients -> child1 -> child2 -> parent
>
>     Alex.
>
>
>
> --
> Regards,
>
> Robert K Wild.



--
Regards,

Robert K Wild.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
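
Added example, not part of the original thread and not Squid's own code: a simplified Python model of the right-to-left X-Forwarded-For trust walk that follow_x_forwarded_for performs at the parent, showing which address ends up in the log. The function name, the trusted_nets parameter and all addresses except the child's 10.110.130.80 are assumptions made for illustration.

```python
import ipaddress

def indirect_client(peer_ip, xff_header, trusted_nets):
    """Simplified model: the address the parent logs with
    log_uses_indirect_client on. trusted_nets stands in for the src ACLs
    allowed by follow_x_forwarded_for (hypothetical parameter)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    current = ipaddress.ip_address(peer_ip)   # TCP peer, e.g. the child proxy
    entries = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    # Walk X-Forwarded-For from right (nearest hop) to left (farthest hop).
    for entry in reversed(entries):
        if not any(current in net for net in trusted):
            break                 # untrusted sender: ignore what it claims
        try:
            current = ipaddress.ip_address(entry)
        except ValueError:
            break                 # value cannot be tested: stop here
    return str(current)

# Constructed sample values; only 10.110.130.80 (the child) is from the thread.
CHILD = "10.110.130.80"
CLIENT = "192.0.2.25"
FORGED = "203.0.113.9"

def demo():
    xff = f"{FORGED}, {CLIENT}"   # client forged a value, child appended CLIENT
    return {
        "no_trust": indirect_client(CHILD, CLIENT, []),
        "child_trusted": indirect_client(CHILD, CLIENT, [CHILD + "/32"]),
        "forged_narrow": indirect_client(CHILD, xff, [CHILD + "/32"]),
        "forged_broad": indirect_client(CHILD, xff, ["0.0.0.0/0"]),
    }

if __name__ == "__main__":
    for case, logged in demo().items():
        print(f"{case:14} -> {logged}")
```

The forged_broad case is the reason to keep the src ACL limited to the child proxy's address: once every sender is trusted, the leftmost value supplied by the client itself is what gets logged.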
