[squid-users] follow_x_forwarded_for to get client ip instead of sibling proxy

robert k Wild robertkwild at gmail.com
Thu Jan 16 17:23:18 UTC 2020


Alex, you are AWESOME!!!!!!!!!!!!!!!!!!

On Thu, 16 Jan 2020 at 17:11, Alex Rousskov <rousskov at measurement-factory.com> wrote:

> On 1/16/20 12:05 PM, robert k Wild wrote:
> > hi Alex,
> >
> > thanks for the notes
> >
> > so my child proxy, I have added -
> >
> > #forward clients IP
> > forwarded_for on
>
>
> FYI: This is the default.
>
>
> > and my parent -
> >
> > acl my_other_proxy srcdomain 10.110.130.80
>
> If you identify your child proxy by its IP, then use src instead of
> srcdomain.
>
> Alex.
>
>
> > follow_x_forwarded_for allow my_other_proxy
> > log_uses_indirect_client on
> >
> > but in my parent logs, I'm still getting the IP of the child proxy?
>
>
>
> > On Thu, 16 Jan 2020 at 16:47, Alex Rousskov wrote:
> >
> >     On 1/16/20 9:59 AM, robert k Wild wrote:
> >
> >     > I have two proxies (one sibling going to a parent)
> >
> >     FYI: "siblings" are proxies that fetch hits from each other. The proxy
> >     "going to the parent" is usually called a "child" proxy:
> >
> >         clients -> child -> parent -> servers
> >
> >
> >     > when I look at the parent proxy access logs, it just logs the IP address
> >     > of the sibling proxy
> >     >
> >     > if I add the lines below in my sibling proxy
> >     >
> >     > acl localhost src 127.0.0.1
> >     > acl my_other_proxy srcdomain .proxy.example.com
> >     > follow_x_forwarded_for allow localhost
> >     > follow_x_forwarded_for allow my_other_proxy
> >     >
> >     > when I next look at the logs, will it show the IP of my clients?
> >
> >
> >     No, it will not (by default) AFAICT. For the parent proxy logs to
> >     contain IP addresses of the clients,
> >
> >     a) The child proxy must send the X-Forwarded-For header to the parent.
> >     b) The parent proxy must trust X-Forwarded-For received from the child
> >        (as far as logging is concerned).
> >
> >     Your configuration changes at the child proxy do neither (a) nor (b).
> >
> >     IIRC, (a) will happen by default, while (b) requires
> >     follow_x_forwarded_for and log_uses_indirect_client rules at the
> >     parent proxy.
> >
> >      I did not review your follow_x_forwarded_for rules.
> >
> >     The follow_x_forwarded_for rules at the child proxy are needed if and
> >     only if you want the child proxy to trust the X-Forwarded-For headers
> >     received by that child proxy (from its clients). That is only
> >     necessary in deeper hierarchies:
> >
> >         clients -> child1 -> child2 -> parent
> >
> >     Alex.
> >
> >
> >
> > --
> > Regards,
> >
> > Robert K Wild.
>
>

-- 
Regards,

Robert K Wild.
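
The trust decision discussed in this thread, as an added Python model (not Squid's code and not part of the original messages): the parent only replaces the connecting address with an X-Forwarded-For entry while the address under test matches a trusted `src` range. The helper `indirect_client`, the client address 192.168.1.50 and the forged entry 203.0.113.9 are constructed for illustration; 10.110.130.80 is the child proxy from the thread.

```python
import ipaddress

CHILD = "10.110.130.80"    # child proxy address from the thread
CLIENT = "192.168.1.50"    # constructed client address
FORGED = "203.0.113.9"     # constructed value a client put in its own XFF header


def indirect_client(direct_ip, xff_header, trusted_nets):
    """Return the address a parent would log as the client (simplified model).

    While the address under test is inside trusted_nets (the role played by
    "follow_x_forwarded_for allow <src acl>"), replace it with the right-most
    unused X-Forwarded-For entry. Stop at the first untrusted address.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    entries = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    current = ipaddress.ip_address(direct_ip)
    while entries and any(current in net for net in trusted):
        candidate = entries.pop()
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            break  # e.g. "unknown": keep the last address that could be parsed
    return str(current)


def demo():
    only_child = [CHILD + "/32"]
    chain = FORGED + ", " + CLIENT  # child appended the real client last
    return {
        # No follow rule matches: the parent logs the child proxy.
        "no_trust": indirect_client(CHILD, CLIENT, []),
        # Child trusted by address: the parent logs the real client.
        "child_trusted": indirect_client(CHILD, CLIENT, only_child),
        # The forged entry is ignored because the client itself is not trusted.
        "forged_ignored": indirect_client(CHILD, chain, only_child),
        # Trusting every source lets the forged entry reach the log.
        "trust_everyone": indirect_client(CHILD, chain, ["0.0.0.0/0"]),
        # A non-address entry leaves the child proxy address in place.
        "unparseable": indirect_client(CHILD, "unknown", only_child),
    }


if __name__ == "__main__":
    for case, logged in demo().items():
        print(f"{case:15} -> {logged}")
```

Keeping the trusted range as narrow as the child proxy's own address is what makes the logged client address reliable.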