[squid-users] Using and trusting remote client IP address via upstream proxy

Orion Poplawski orion at nwra.com
Thu Jan 9 21:33:27 UTC 2025


On 1/9/25 02:03, Stephen Borrill wrote:
> On 08/01/2025 23:33, Orion Poplawski wrote:
>> We use e2guardian and squid in a combined method where requests can either go
>> to e2guardian first and get forwarded to squid, or go directly to squid.
>>
>> I would like to be able to have squid allow connections for certain remote
>> client IPs without requiring authentication.  However, the connections that
>> come in through e2guardian appear to squid as coming from localhost.  Is there
>> a way that e2guardian could pass the IP address of the client on to squid?
> 
> You don't say how you select between e2guardian and direct to squid.
> You could use e2guardian in ICAP mode, so that all clients go to squid first
> and then use acls to choose which requests go via e2guardian.

It ends up not really mattering I think for this application.

> You could also try adding forwardedfor = yes in e2guardian.conf along with
> follow_x_forwarded_for in your squid configuration.

I set that in e2guardian.conf and in squid.conf I ended up with:

# Trust X-Forwarded-For from local e2g connections
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow localnet
acl_uses_indirect_client on
log_uses_indirect_client off

# Do not pass X-Forwarded-For on
forwarded_for delete

And I added the forwarded-for to the log explicitly as I do still want to
distinguish between the direct and e2g proxied connections:

logformat squidlocal %{%Y-%m-%dT%H:%M:%S}tl.%03tu%{%z}tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %{X-Forwarded-For}>h

Thanks to you and Matus for the suggestions.

-- 
Orion Poplawski
he/him/his  - surely the least important thing about me
Manager of IT Systems                      720-772-5637
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
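
Added example, not part of the original post and not Squid's own code: a simplified Python model of the right-to-left walk that squid.conf documents for follow_x_forwarded_for, showing which address src ACLs see with acl_uses_indirect_client on. The network ranges standing in for "localhost" and "localnet" and all sample addresses are constructed assumptions.

```python
import ipaddress

# Assumed ACL contents (constructed; the post does not define localnet).
LOCALHOST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
LOCALNET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def trusted(addr, networks):
    """True if addr matches a 'follow_x_forwarded_for allow' network."""
    return any(addr in net for net in networks)


def indirect_client(direct_ip, xff_header, networks):
    """Model of the documented walk: start at the TCP peer, and while the
    address under test is allowed, step to the next X-Forwarded-For value
    from the right. The walk ends at the first address that is not allowed,
    at a value that cannot be parsed, or when the values run out. The last
    address reached is the indirect client address."""
    current = ipaddress.ip_address(direct_ip)
    values = [v.strip() for v in xff_header.split(",") if v.strip()]
    while values and trusted(current, networks):
        try:
            current = ipaddress.ip_address(values.pop())
        except ValueError:
            break  # value cannot be tested: keep the last good address
    return str(current)


def compare(direct_ip, xff_header):
    """Result under the posted rules (localhost + localnet) and under a
    narrower rule set that follows the header only from localhost."""
    return (indirect_client(direct_ip, xff_header, LOCALHOST + LOCALNET),
            indirect_client(direct_ip, xff_header, LOCALHOST))


if __name__ == "__main__":
    # Constructed requests: (TCP peer seen by squid, X-Forwarded-For header)
    samples = [
        ("127.0.0.1", "10.1.2.3"),               # via e2guardian on localhost
        ("10.1.2.3", ""),                        # direct to squid, no header
        ("10.9.9.9", "10.1.2.3"),                # direct, header set by peer
        ("127.0.0.1", "203.0.113.7, 10.1.2.3"),  # two values in the header
    ]
    for peer, xff in samples:
        both, local_only = compare(peer, xff)
        print(f"peer={peer:<10} xff={xff!r:<26} "
              f"localhost+localnet -> {both:<12} localhost only -> {local_only}")
```

The third and fourth samples differ between the two rule sets because "follow_x_forwarded_for allow localnet" also follows header values when the address under test is itself in localnet.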