HTTP Anti-Virus Proxy http://havp.hege.li/forum/ |
X-Forwarded-For http://havp.hege.li/forum/viewtopic.php?f=3&t=238 |
Author: | theologu [ 15 May 2007 13:30 ] |
Post subject: | X-Forwarded-For |
Hello! I want to use a Havp--->Squid setup, but only 127.0.0.1 appears in the squid logs. In Havp I have:
FORWARDED_IP true
X_FORWARDED_FOR true
Is there any option that I must put in squid.conf to "see" the real IPs? Also, I am planning to use ntlm authentication for squid; is it possible in this setup? Thanks |
Author: | hege [ 15 May 2007 14:14 ] |
Post subject: | |
configure --enable-follow-x-forwarded-for
follow_x_forwarded_for
log_uses_indirect_client

From squid.conf.default:

# TAG: follow_x_forwarded_for
# Note: This option is only available if Squid is rebuilt with the
# -DFOLLOW_X_FORWARDED_FOR option
#
# Allowing or Denying the X-Forwarded-For header to be followed to
# find the original source of a request.
#
# Requests may pass through a chain of several other proxies
# before reaching us. The X-Forwarded-For header will contain a
# comma-separated list of the IP addresses in the chain, with the
# rightmost address being the most recent.
#
# If a request reaches us from a source that is allowed by this
# configuration item, then we consult the X-Forwarded-For header
# to see where that host received the request from. If the
# X-Forwarded-For header contains multiple addresses, and if
# acl_uses_indirect_client is on, then we continue backtracking
# until we reach an address for which we are not allowed to
# follow the X-Forwarded-For header, or until we reach the first
# address in the list. (If acl_uses_indirect_client is off, then
# it's impossible to backtrack through more than one level of
# X-Forwarded-For addresses.)
#
# The end result of this process is an IP address that we will
# refer to as the indirect client address. This address may
# be treated as the client address for access control, delay
# pools and logging, depending on the acl_uses_indirect_client,
# delay_pool_uses_indirect_client and log_uses_indirect_client
# options.
#
# SECURITY CONSIDERATIONS:
#
# Any host for which we follow the X-Forwarded-For header
# can place incorrect information in the header, and Squid
# will use the incorrect information as if it were the
# source address of the request. This may enable remote
# hosts to bypass any access control restrictions that are
# based on the client's source addresses.
#
# For example:
#
# acl localhost src 127.0.0.1
# acl my_other_proxy srcdomain .proxy.example.com
# follow_x_forwarded_for allow localhost
# follow_x_forwarded_for allow my_other_proxy
#
#Default:
# follow_x_forwarded_for deny all |
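The backtracking rule quoted from squid.conf.default above, modelled in Python as an added example; it is not part of the original posts and not Squid's own code. The function name, the sample addresses and the handling of an unparsable entry are assumptions of this sketch.

```python
import ipaddress

def indirect_client(peer, xff_header, follow_allowed, acl_uses_indirect_client=True):
    """Model of the documented rule: return the 'indirect client address'.

    peer           -- address the TCP connection actually came from
    xff_header     -- raw X-Forwarded-For value (rightmost = most recent hop)
    follow_allowed -- networks matched by 'follow_x_forwarded_for allow'
    """
    allowed = [ipaddress.ip_network(n) for n in follow_allowed]
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Backtrack only while the address we are standing on is one we follow.
    while hops and any(current in net for net in allowed):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # assumption of this model: stop at an unparsable entry
        if not acl_uses_indirect_client:
            break  # only one level of backtracking is possible
    return str(current)

# Constructed sample data: HAVP on the same host as Squid, LAN client 192.168.1.50.
HAVP_ONLY = ["127.0.0.1/32"]
TOO_BROAD = ["127.0.0.1/32", "192.168.0.0/16"]
FORGED = "10.0.0.1, 192.168.1.50"  # client sent "10.0.0.1"; the proxy appended its peer

def demo():
    return {
        "via_havp": indirect_client("127.0.0.1", "192.168.1.50", HAVP_ONLY),
        "direct_forged": indirect_client("203.0.113.9", "10.0.0.1", HAVP_ONLY),
        "forged_via_havp": indirect_client("127.0.0.1", FORGED, HAVP_ONLY),
        "forged_too_broad": indirect_client("127.0.0.1", FORGED, TOO_BROAD),
        "one_level_only": indirect_client("127.0.0.1", FORGED, TOO_BROAD, False),
    }

if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name:18} -> {addr}")
```

Only the `forged_too_broad` case returns the forged address, which is why the allow list should name just the forwarding proxy (here localhost), as in the quoted example.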
All times are UTC + 2 hours [ DST ] |