<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Jun 13, 2017 at 3:15 AM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 13/06/17 18:14, David Kewley wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">This might be of help if you are not already aware of the risks and issues involved with spoofing and handling of non-local IPs; <<a href="http://www.bcp38.info/" rel="noreferrer" target="_blank">http://www.bcp38.info/</a>><br></blockquote></blockquote><div><br></div><div>I was aware of at least most of those issues, though I'm not an expert on them. So the reference is useful, thanks. </div><div><br></div><div>Our squid server will only accept connections from its internal IP spaces, and I only wanted it to spoof the actual client source IPs to make downstream decision making easier based on the IP headers (but X-Forwarded-For might be sufficient, as you pointed out). Also the actual egress point to the internet is a NAT device that always uses its external IP as the source IP. So I see zero risk of us leaking foreign spoofed source IP addresses.</div><div><br></div><div>I will take a look at our ingress filtering to make sure we're rejecting external inbound packets claiming to be from our internal network.</div><div><br></div><div>Do you see anything obvious I'm missing around what I should do for BCP38?</div><div><br></div><div>I'm taking seriously your warning about a significant performance impact. I'll be curious to see if similar issues impact our nginx reverse proxies that spoof the original source IP in the proxied connection. Makes sense it might.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Squid supports X-Forwarded-For fully - it was invented by Squid<br>
devs back in the day, and Squid is still the authoritative<br>
implementation for how it is supposed to work. As an old feature<br>
just about all other HTTP server and intermediary software have<br>
support for that too so you should have no issue pulling the data<br>
out at the receiving end, or in HTTP processing DPI software /<br>
firewalls etc. It is sent on all outgoing Squid messages unless<br>
you explicitly configure something else to happen with the<br>
forwarded_for directive.<br>
<<a href="http://www.squid-cache.org/Doc/config/forwarded_for/" rel="noreferrer" target="_blank">http://www.squid-cache.org/D<wbr>oc/config/forwarded_for/</a><br>
<<a href="http://www.squid-cache.org/Doc/config/forwarded_for/" rel="noreferrer" target="_blank">http://www.squid-cache.org/Do<wbr>c/config/forwarded_for/</a>>><br>
<br>
<br>
I'll ask the team managing the next-hop device to evaluate that possibility; it looks to me from the docs like it might work. Thanks for the suggestion.<br>
</blockquote>
<br></span>
That would be best if it works.<br>
<br>
I came up with a bodgy workaround using NAT after sending the earlier mail. So if there is no other way than delivering the client-IP on the packets there is still something that might be done. But, that would still run up against HTTP multiplexing and also add all sorts of NAT related issues as well. So only a last resort really.</blockquote><div><br></div><div>Thanks! I'll come back to you if I think that might be useful. For now I'll proceed with using squid in a more normal fashion, and work with the owners of our next-hop-device about using X-Forwarded-For for any decision making.</div><div><br></div><div>I will proceed assuming that squid will never support the sort of spoofing I was hoping for (since it would probably simplify things greatly for us), even though I believe in our design that spoofing would have been safe.</div></div><br></div><div class="gmail_extra">David</div></div>