On 1/9/25 02:03, Stephen Borrill wrote:
> On 08/01/2025 23:33, Orion Poplawski wrote:
>> We use e2guardian and squid in a combined method where requests can either go
>> to e2guardian first and get forwarded to squid, or go directly to squid.
>>
>> I would like to be able to have squid allow connections for certain remote
>> client IPs without requiring authentication. However, the connections that
>> come in through e2guardian appear to squid as coming from localhost. Is there
>> a way that e2guardian could pass the IP address of the client on to squid?
>
> You don't say how you select between e2guardian and direct to squid.
> You could use e2guardian in ICAP mode, so that all clients go to squid first
> and then use acls to choose which requests go via e2guardian.

It ends up not really mattering I think for this application.

> You could also try adding forwardedfor = yes in e2guardian.conf along with
> follow_x_forwarded_for in your squid configuration.

I set that in e2guardian.conf and in squid.conf I ended up with:

# Trust X-Forwarded-For from local e2g connections
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow localnet
acl_uses_indirect_client on
log_uses_indirect_client off
# Do not pass X-Forwarded-For on
forwarded_for delete

And I added the forwarded-for to the log explicitly as I do still want to
distinguish between the direct and e2g proxied connections:

logformat squidlocal %{%Y-%m-%dT%H:%M:%S}tl.%03tu%{%z}tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %{X-Forwarded-For}>h

Thanks to you and Matus for the suggestions.

-- 
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems                 720-772-5637
NWRA, Boulder Office             FAX: 303-415-9702
3380 Mitchell Lane                  orion@xxxxxxxx
Boulder, CO 80301                 https://www.nwra.com/
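Added example, not part of the original message or of Squid: a small parser for lines written with the "squidlocal" logformat above that separates e2guardian-proxied requests from direct ones and flags direct connections that already carry X-Forwarded-For, which the "follow_x_forwarded_for allow localnet" rule would also trust. The sample lines and addresses are constructed, and it assumes e2guardian connects from loopback (as described in the thread) and that the username field contains no spaces.

```python
import ipaddress

# Field order follows the "squidlocal" logformat quoted in the message.
FIELDS = ("time", "elapsed", "peer", "status", "size", "method",
          "url", "user", "hierarchy", "mime", "xff")

# Constructed sample lines (not real traffic).
SAMPLE = [
    "2025-01-09T10:15:30.123-0700     42 127.0.0.1 TCP_MISS/200 5120 GET "
    "http://example.com/ - HIER_DIRECT/192.0.2.10 text/html 192.168.1.50",
    "2025-01-09T10:15:31.456-0700      7 192.168.1.60 TCP_DENIED/407 4012 GET "
    "http://example.com/ - HIER_NONE/- text/html -",
    "2025-01-09T10:15:32.789-0700     15 192.168.1.70 TCP_MISS/200 900 GET "
    "http://example.com/ - HIER_DIRECT/192.0.2.10 text/html 192.168.1.50",
]

def parse(line):
    """Split one squidlocal line; X-Forwarded-For is last and may hold spaces."""
    parts = line.split(None, len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("not a squidlocal line: %r" % line)
    return dict(zip(FIELDS, (p.strip() for p in parts)))

def classify(line):
    """Return (path, client) for one log line.

    path is 'e2guardian' (loopback peer carrying the header), 'direct'
    (no header), or 'direct-with-xff' (a non-loopback peer supplied the
    header; the TCP peer address is reported, not the header value).
    """
    rec = parse(line)
    peer = ipaddress.ip_address(rec["peer"])
    hops = [] if rec["xff"] == "-" else [h.strip() for h in rec["xff"].split(",")]
    if not hops:
        return ("direct", str(peer))
    if peer.is_loopback:
        # Rightmost entry is the one appended by the nearest proxy (e2guardian).
        return ("e2guardian", hops[-1])
    return ("direct-with-xff", str(peer))

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```

Lines reported as direct-with-xff are the ones worth reviewing when the header is used for access decisions via acl_uses_indirect_client.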