Squid configuration directive proxy_protocol_access

Available in: 4   3.5  

History:

Changes to proxy_protocol_access in Squid-3.5:

New directive to control which clients are permitted to open PROXY protocol connections on a port flagged with require-proxy-header.

This directive is not available in the 3.4 version of Squid.

For older versions than 3.3 see the linked pages above

Configuration Details:

Option Name:proxy_protocol_access
Replaces:
Requires:
Default Value:all TCP connections to ports with require-proxy-header will be denied
Suggested Config:

	Determine which client proxies can be trusted to provide correct
	information regarding real client IP address using PROXY protocol.

	Requests may pass through a chain of several other proxies
	before reaching us. The original source details may by sent in:
		* HTTP message Forwarded header, or
		* HTTP message X-Forwarded-For header, or
		* PROXY protocol connection header.

	This directive is solely for validating new PROXY protocol
	connections received from a port flagged with require-proxy-header.
	It is checked only once after TCP connection setup.

	A deny match results in TCP connection closure.

	An allow match is required for Squid to permit the corresponding
	TCP connection, before Squid even looks for HTTP request headers.
	If there is an allow match, Squid starts using PROXY header information
	to determine the source address of the connection for all future ACL
	checks, logging, etc.

	SECURITY CONSIDERATIONS:

		Any host from which we accept client IP details can place
		incorrect information in the relevant header, and Squid
		will use the incorrect information as if it were the
		source address of the request.  This may enable remote
		hosts to bypass any access control restrictions that are
		based on the client's source addresses.

	This clause only supports fast acl types.
	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.

 

Back

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors