Re: [Squid-cvs] follow_xff

From: Alan Barrett <apb@dont-contact.us>
Date: Tue, 10 Dec 2002 13:53:12 +0200

On Tue, 10 Dec 2002, Henrik Nordstrom wrote:
> Hmm.. is there a reason to why you don't implement follow_xff where
> r->client_addr is assigned, instead of having to add conditions all
> over the place?

In the long run, I'd like individual acls to be able to choose whether
to use client_addr or indirect_client_addr, so both values should be
available. There's already an optional "-i" flag associated with the
srcdom_regex ACL type (meaning case-insensitive regexp matching), and
I could imagine something similar (perhaps "-f"?) to tell the src,
srcdomain and srcdom_regex ACL types to use the indirect client address.

I didn't need conditions all over the place when I first implemented
this in squid-2.4 (the test for acl_uses_indirect_client appeared only
in aclChecklistCreate()), but in squid-3 there seem to be several uses
of ACLs that don't go through aclChecklistCreate. Just before I saw
your message, I realised that they all go through aclMatchAclList(), so
I should be able to put a test there instead of many tests scattered all
over the place.

> My understanding of what you are trying to do is that you want to
> trust X-Forwarded-For in certain conditions to contain the real client
> address. To me it then feels natural to have this in r->client_addr
> while the request is processed.

Yes, I thought so too at first, and my first attempt (in a private
source tree) did that, but later I thought that it made more sense for
different users of the information to be able to decide which address to
use; hence the log_uses_indirect_client, acl_uses_indirect_client and
delay_pool_uses_indirect_client options.

--apb (Alan Barrett)
Received on Tue Dec 10 2002 - 04:53:57 MST
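The conditional trust in X-Forwarded-For that the thread discusses, with client_addr and indirect_client_addr both kept available so each consumer (log, ACL, delay pool) can pick one, as an added Python sketch that is not Squid's code; the trusted-proxy list and the `-f` style switch on the src ACL are assumptions made for the example:

```python
import ipaddress

# Constructed allow-list of proxies whose X-Forwarded-For we trust
# (an assumption for this example, not a Squid configuration directive).
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.6"}


def parse_xff(header):
    """Split an X-Forwarded-For value into its comma-separated hops."""
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def resolve_indirect_client(client_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Derive the indirect client address from X-Forwarded-For.

    Walk the header from right (nearest proxy) to left. A hop is only
    believed while the address that reported it is a trusted proxy; the
    first address that is not a trusted proxy is the indirect client.
    An unparsable hop (e.g. "unknown") stops the walk.
    """
    indirect = client_addr
    for hop in reversed(parse_xff(xff_header)):
        if indirect not in trusted:
            break  # current candidate is not a proxy we trust: stop here
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage or "unknown": nothing further left is usable
        indirect = hop
    return indirect


def build_request(client_addr, xff_header):
    """Keep both addresses, so each consumer can choose which one to use."""
    return {
        "client_addr": client_addr,
        "indirect_client_addr": resolve_indirect_client(client_addr, xff_header),
    }


def src_matches(request, network, use_indirect=False):
    """Model of a 'src' ACL with a hypothetical -f style switch that makes
    it test the indirect client address instead of the TCP peer address."""
    key = "indirect_client_addr" if use_indirect else "client_addr"
    return ipaddress.ip_address(request[key]) in ipaddress.ip_network(network)
```

A peer that is not in the trusted set keeps its own address as the indirect client, so an untrusted client cannot spoof its way past a src ACL by sending its own X-Forwarded-For.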
