[squid-users] Supported configuration for adding origin server IP in response header
Amos Jeffries
squid3 at treenet.co.nz
Thu Oct 16 20:53:36 UTC 2014
On 17/10/2014 9:29 a.m., Darren Spruell wrote:
> On Thu, Oct 16, 2014 at 12:40 PM, Amos Jeffries
> <squid3 at treenet.co.nz> wrote:
>> On 17/10/2014 8:10 a.m., Darren Spruell wrote:
>>> Had a use case to ask about, apologies if I missed in docs. Is
>>> there a configuration that allows squid running as forward
>>> proxy to add a custom response header containing the origin
>>> server IP address that served the resource? Assuming no cache
>>> hierarchy.
>>>
>>> In the event that the resource is served from cache, would be
>>> interesting if squid were able to track the IP address from
>>> which the cached resource was originally retrieved to include
>>> in responses. In the event that's not possible, then the IP
>>> address of the cache itself as well as an indication that the
>>> resource was served from cache rather than an upstream origin.
>>>
>>> Most resources seem to cover including this information in the
>>> access log, however I'm interested in having the data in the
>>> HTTP response for this case.
>>>
>>
>> IP address is not much useful in the response - any given machine
>> has multiple of those and they are also shared between anycast
>> servers or load balancers.
>
> Usefulness (utility) is in the eye of the beholder. :)
>
>> It is also a mistake to think of "the" server as being one
>> machine. It is becoming extremely popular to use CDN services
>> these days. CDN are reverse-proxy services in one form or
>> another. So "the" server may be a chain of servers on some path
>> through a server farm.
>
> In my case, those abstractions are not significant. The goal is
> determining, for a client behind a forward proxy, can the proxy
> simply inform the client of the IP address to which the proxy
> connected to fetch the resource? The IP address is the key data
> element for this case. Even with a CDN the IP address of the
> frontend is fine.
>
>> 1) The Via header is closest to what you are seeking. In
>> responses it contains each server's FQDN or a unique alias. It is
>> supposed to contain a record of the whole chain of machines the
>> message traversed. - The problem is that a lot of admins disable
>> it or strip it out of the traffic. So you may get a proper chain
>> or only what your proxy is adding, with no easy way to identify
>> missing chain data.
>
> I view the Via header as similar to the Received header in SMTP.
> In this case it's added by other proxies/caches, correct?
That's a good analogy, but not quite. It MUST be added by all proxies
including Squid.
http://tools.ietf.org/html/rfc7230#section-5.7.1 paragraphs 3 and 5.
In squid.conf simply remove any "via off" you may have. The default is
to comply with the RFC "MUST send" criteria.
Amos
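Added example, not part of the original message and not Squid code: a small Python parser for Via field values following the grammar in RFC 7230 section 5.7.1, so a client behind the proxy can list the chain of intermediaries a response reports. The host names, port and comment strings in the sample are constructed.

```python
from typing import List, NamedTuple, Optional

class ViaHop(NamedTuple):
    protocol: str            # "HTTP/1.1"; the protocol name defaults to HTTP
    received_by: str         # host[:port] or a pseudonym
    comment: Optional[str]   # optional free text, often the proxy software

def split_elements(value: str) -> List[str]:
    """Split on commas outside (comments); comments may nest and escape."""
    parts, buf, depth, escaped = [], [], 0, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and depth > 0:
            escaped = True
        elif ch == "(":
            depth += 1
        elif ch == ")" and depth > 0:
            depth -= 1
        elif ch == "," and depth == 0:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_via(field_values: List[str]) -> List[ViaHop]:
    """Parse every Via field line, in order, into hops.
    In a response the first hop is nearest the origin, the last nearest the client."""
    hops = []
    for value in field_values:
        for element in split_elements(value):
            head, has_comment, rest = element.partition("(")
            comment = rest.rstrip()[:-1] if has_comment and rest.rstrip().endswith(")") else None
            tokens = head.split()
            if len(tokens) != 2:
                raise ValueError("malformed Via element: %r" % element)
            proto, received_by = tokens
            if "/" not in proto:          # bare version means HTTP
                proto = "HTTP/" + proto
            hops.append(ViaHop(proto, received_by, comment))
    return hops

# Constructed sample: two Via field lines as a client might receive them.
SAMPLE_VIA = ["1.1 cdn-edge.example.net, 1.0 origin-cache.example.net (cache, tier 2)",
              "1.1 proxy.example.com:3128 (squid/3.4.8)"]
if __name__ == "__main__":
    for hop in parse_via(SAMPLE_VIA):
        print(hop)
```

A chain with a single hop only shows what the local proxy added; as noted in the thread, upstream entries may have been stripped and the header cannot reveal that.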