[squid-users] follow_x_forwarded_for to get client ip instead of sibling proxy

Alex Rousskov rousskov at measurement-factory.com
Thu Jan 16 16:47:54 UTC 2020


On 1/16/20 9:59 AM, robert k Wild wrote:

> I have two proxies (one sibling going to a parent)

FYI: "siblings" are proxies that fetch hits from each other. The proxy
"going to the parent" is usually called a "child" proxy:

    clients -> child -> parent -> servers


> When I look at the parent proxy access logs, it just logs the IP address
> of the sibling proxy
> 
> If I add the lines below in my sibling proxy
> 
> acl localhost src 127.0.0.1
> acl my_other_proxy srcdomain .proxy.example.com
> follow_x_forwarded_for allow localhost
> follow_x_forwarded_for allow my_other_proxy
> 
> When I next look at the logs, will it show the IP of my clients?


No, it will not (by default) AFAICT. For the parent proxy logs to
contain IP addresses of the clients,

a) The child proxy must send the X-Forwarded-For header to the parent.
b) The parent proxy must trust X-Forwarded-For received from the child
   (as far as logging is concerned).

Your configuration changes at the child proxy do neither (a) nor (b).

IIRC, (a) will happen by default, while (b) requires
follow_x_forwarded_for and log_uses_indirect_client rules at the parent
proxy.

I did not review your follow_x_forwarded_for rules.

The follow_x_forwarded_for rules at the child proxy are needed if and
only if you want the child proxy to trust the X-Forwarded-For headers
received by that child proxy (from its clients). That is only necessary
in deeper hierarchies:

    clients -> child1 -> child2 -> parent

Alex.
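
Added illustration (not part of the original message and not Squid's code): a simplified Python model of how a proxy that trusts X-Forwarded-For only from listed peers picks the client address it logs, following the right-to-left backtracking described in Squid's follow_x_forwarded_for documentation. All addresses are constructed, and the function and variable names are hypothetical.

```python
import ipaddress

def indirect_client(direct_ip, xff_header, trusted_nets):
    """Return the address a proxy would log as the client (simplified model).

    Start from the TCP peer and step back through X-Forwarded-For,
    rightmost entry first, for as long as the current address is a
    peer we trust to have written the header honestly.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    current = ipaddress.ip_address(direct_ip)
    while hops and any(current in net for net in trusted):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # unparsable entry such as "unknown": keep last good address
    return str(current)

# Constructed sample addresses (documentation and private ranges).
CLIENT, FORGED = "198.51.100.7", "203.0.113.99"
CHILD1, CHILD2 = "10.0.0.11", "10.0.0.12"

if __name__ == "__main__":
    # clients -> child -> parent: the child sends "X-Forwarded-For: <client>".
    print("parent trusts nobody   :", indirect_client(CHILD1, CLIENT, []))
    print("parent trusts the child:", indirect_client(CHILD1, CLIENT, [CHILD1 + "/32"]))

    # A client supplies its own X-Forwarded-For; the child appends the real
    # client address after it. Trusting only the child stops at the real client.
    xff = f"{FORGED}, {CLIENT}"
    print("forged entry, child only:", indirect_client(CHILD1, xff, [CHILD1 + "/32"]))
    # An over-broad allow rule lets the forged entry reach the log.
    print("forged entry, allow all :", indirect_client(CHILD1, xff, ["0.0.0.0/0"]))

    # clients -> child1 -> child2 -> parent, as seen by the parent.
    deep = f"{CLIENT}, {CHILD1}"
    print("deep, trusts child2 only:", indirect_client(CHILD2, deep, [CHILD2 + "/32"]))
    print("deep, trusts both       :",
          indirect_client(CHILD2, deep, [CHILD1 + "/32", CHILD2 + "/32"]))
```

The model shows why the allow list should name only the proxies in the hierarchy: every address it covers is believed when it reports who its client was.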

