[squid-users] follow_x_forwarded_for to get client ip instead of sibling proxy
robert k Wild
robertkwild at gmail.com
Thu Jan 16 17:05:07 UTC 2020
hi Alex,
thanks for the notes
so my child proxy, i have added -
#forward clients IP
forwarded_for on
and my parent -
acl my_other_proxy srcdomain 10.110.130.80
follow_x_forwarded_for allow my_other_proxy
log_uses_indirect_client on
but in my parent logs, im still getting the ip of the child proxy?
On Thu, 16 Jan 2020 at 16:47, Alex Rousskov <
rousskov at measurement-factory.com> wrote:
> On 1/16/20 9:59 AM, robert k Wild wrote:
>
> > i have two proxies (one sibling going to a parent)
>
> FYI: "siblings" are proxies that fetch hits from each other. The proxy
> "going to the parent" is usually called a "child" proxy:
>
> clients -> child -> parent -> servers
>
>
> > when i look at the parent proxy access logs, it just logs the ip address
> > of the sibling proxy
> >
> > if i add the lines below in my sibling proxy
> >
> > acl localhost src 127.0.0.1
> > acl my_other_proxy srcdomain .proxy.example.com
> > follow_x_forwarded_for allow localhost
> > follow_x_forwarded_for allow my_other_proxy
> >
> > when i next look at the logs, will it show the ip of my clients?
>
>
> No, it will not (by default) AFAICT. For the parent proxy logs to
> contain IP addresses of the clients,
>
> a) The child proxy must send the X-Forwarded-For header to the parent.
> b) The parent proxy must trust X-Forwarded-For received from the child
> (as far as logging is concerned).
>
> Your configuration changes at the child proxy do neither (a) nor (b).
>
> IIRC, (a) will happen by default, while (b) requires
> follow_x_forwarded_for and log_uses_indirect_client rules at the parent
> proxy.
>
> I did not review your follow_x_forwarded_for rules.
>
> The follow_x_forwarded_for rules at the child proxy are needed if and
> only if you want the child proxy to trust the X-Forwarded-For headers
> received by that child proxy (from its clients). That is only necessary
> in deeper hierarchies:
>
> clients -> child1 -> child2 -> parent
>
> Alex.
>
--
Regards,
Robert K Wild.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20200116/7e5d9150/attachment.html>
More information about the squid-users
mailing list