Re: Passthrough TCP/IP address

From: Jonathan Larmour <JLarmour@dont-contact.us>
Date: Tue, 28 Jan 1997 20:33:46 +0000

At 01:15 28/01/97 +0100, Mark Visser wrote:
>On Tue, 28 Jan 1997, Simon Amor wrote:
>
>> On Jan 28, Mark Visser wrote:
>> > On Wed, 22 Jan 1997, Duane Wessels wrote:
>> > >
>> > > X-Forwarded-For request header
>> >
>> > Sorry..I'm not running squid for such a long time (just 4 weeks now), but
>> > we have some protected pages on WWW (protected by iprange), and now

Do be aware that some IP addresses can be spoofed if it's just random hosts
out in the big wide internet - if your documents are _really_ sensitive,
don't trust it. It's good enough in general admittedly.

>> > ..since people are using the proxyserver, they are always denied access,
>> > because the address the www server gets is the IP address of the
>> > proxyserver, squid, and not the address of the 'real asker'.
>> >
>> Use a proxy auto-configuration script or just enter the web server's
>> name into the 'No proxy for' box in the browser (assuming it has one)
>
>Ok...that's one solution, but...when there are a lot of servers with such
>ip protected pages, you cannot exclude them all...that was the problem. I
>already thought of excluding certain addresses from the proxy. And now when
>I read about the X-Forwarded-For header..I thought it might be possible to
>let everything go through the cache, while the header preserves the
>original ip-address somehow...

The web server gets the information that it's from the proxy not from any of
the HTTP headers, but from asking the TCP layer what IP address it is
connected to. This cannot be changed and still use the proxy!

Maybe, if you are in control of the server and the proxy, then deny access
to everyone but the proxy for those pages, thus forcing your users to use
your proxy to access those pages. Then configure _squid_ with the same type
of ACLs so that only the requisite users can get to it.

Or you could configure your http server to protect the pages with
authentication rather than IP address checks. Most browsers and half-decent
servers support it.

Jonathan L.
Origin UK,323 Cambridge Science Park,Cambridge,England. Tel: +44(1223)423355
------[ Do not think that every sad-eyed woman has loved and lost... ]------
April 12th! Ra!Ra!----[ she may have got him. -Anon ]-----April 12th! Ra!Ra!
Help fight spam! http://www.vix.com/spam These opinions are all my own fault
Received on Tue Jan 28 1997 - 12:56:58 MST
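
The thread above contrasts the address reported by the TCP layer with the X-Forwarded-For request header. The following is an added example, not part of the original message or of Squid: a server-side check that consults the header only when the TCP peer is the site's own proxy. The addresses, the names `TRUSTED_PROXIES`, `ALLOWED_RANGE`, `effective_client` and `allowed`, and the assumption that the proxy appends the connecting address as the last header entry are all illustrative.

```python
import ipaddress

# Constructed values for illustration (documentation address ranges).
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}   # the Squid host
ALLOWED_RANGE = ipaddress.ip_network("198.51.100.0/24")  # range allowed to see protected pages


def effective_client(peer_ip, headers):
    """Return the address to run the IP-range check against, or None.

    peer_ip is what the TCP layer reports (e.g. socket.getpeername()).
    X-Forwarded-For is ordinary request data that any client can set,
    so it is read only when the TCP peer is the trusted proxy.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer  # direct connection: the header is ignored entirely
    # Assumption: the proxy appends the address it accepted the request
    # from, so the right-most entry is the one our own proxy wrote.
    # Entries to its left came from the client and are not trusted.
    last = headers.get("X-Forwarded-For", "").split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        return None  # missing, "unknown" or malformed: fail closed


def allowed(peer_ip, headers):
    """Apply the IP-range restriction to the effective client address."""
    client = effective_client(peer_ip, headers)
    return client is not None and client in ALLOWED_RANGE


if __name__ == "__main__":
    cases = [
        ("198.51.100.7", {}),                                   # direct, in range
        ("203.0.113.5", {"X-Forwarded-For": "198.51.100.7"}),   # header set by outsider
        ("192.0.2.10", {"X-Forwarded-For": "198.51.100.7"}),    # via proxy, in range
        ("192.0.2.10", {"X-Forwarded-For": "198.51.100.7, 203.0.113.5"}),
    ]
    for peer, hdrs in cases:
        print(peer, hdrs, "->", "allow" if allowed(peer, hdrs) else "deny")
```

This only holds if the protected server accepts the header from no host other than the proxy, and it inherits the proxy's own access controls, which is why the message also suggests authentication for sensitive pages.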
