[squid-users] Using and trusting remote client IP address via upstream proxy
Amos Jeffries
squid3 at treenet.co.nz
Sat Jan 11 04:35:53 UTC 2025
On 10/01/25 10:33, Orion Poplawski wrote:
> On 1/9/25 02:03, Stephen Borrill wrote:
>> On 08/01/2025 23:33, Orion Poplawski wrote:
>
>> You could also try adding forwardedfor = yes in e2guardian.conf along with
>> follow_x_forwarded_for in your squid configuration.
>
> I set that in e2guardian.conf and in squid.conf I ended up with:
>
> # Trust X-Forwarded-For from local e2g connections
> follow_x_forwarded_for allow localhost

This is fine, assuming that e2guardian is connecting to Squid *from*
localhost IP.

> follow_x_forwarded_for allow localnet

This you should not do. It will allow any client on your LAN to make
Squid log any fake IP they want.

If e2guardian is contacting Squid *from* a LAN IP address you should
create an ACL containing only that IP for the XFF allow action.

Cheers
Amos
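
A check for the over-broad trust rule discussed in this message, as an added example (not code from the thread or from the Squid project): it reads squid.conf text and flags every `follow_x_forwarded_for allow` rule that is not limited by a single-host `src` ACL. The sample configuration, the ACL name `e2g` and the address 192.0.2.10 are constructed placeholders.

```python
import ipaddress

# Constructed sample config; the ACL name "e2g" and 192.0.2.10 are placeholders.
SAMPLE_CONF = """\
acl localnet src 10.0.0.0/8
acl e2g src 192.0.2.10
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow localnet
follow_x_forwarded_for allow e2g
follow_x_forwarded_for deny all
"""

# ACLs Squid predefines without an "acl" line.
BUILTIN = {"localhost": ["127.0.0.1/32", "::1/128"], "all": ["0.0.0.0/0", "::/0"]}

def tokens(line):
    """Split a config line into words, dropping any trailing comment."""
    return line.split("#", 1)[0].split()

def parse_src_acls(conf):
    """Collect the values of every 'acl NAME src ...' line, merged by name."""
    acls = {name: list(vals) for name, vals in BUILTIN.items()}
    for line in conf.splitlines():
        tok = tokens(line)
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            acls.setdefault(tok[1], []).extend(tok[3:])
    return acls

def is_single_host(value):
    """True only for one address; ranges and file includes count as broad."""
    try:
        return ipaddress.ip_network(value, strict=False).num_addresses == 1
    except ValueError:
        return False

def audit_xff(conf):
    """Return (line_no, rule) for each XFF allow rule not pinned to single hosts."""
    acls = parse_src_acls(conf)
    findings = []
    for n, line in enumerate(conf.splitlines(), 1):
        tok = tokens(line)
        if tok[:2] != ["follow_x_forwarded_for", "allow"]:
            continue
        # ACLs on one line are ANDed, so one single-host src ACL narrows the rule.
        # Negated ("!name") and undefined ACLs never count as narrowing.
        narrow = any(a in acls and all(map(is_single_host, acls[a])) for a in tok[2:])
        if not narrow:
            findings.append((n, " ".join(tok)))
    return findings
```

Running `audit_xff(SAMPLE_CONF)` reports only the `localnet` rule; the `localhost` and single-address `e2g` rules pass.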