Re: Original header forwarding.

From: Christopher Davis <ckd@dont-contact.us>
Date: 08 Sep 1997 09:25:22 -0400

WK> == Walter Klomp <wklomp@swiftech.net.sg>

 WK> Is it possible for squid to forward the original requester
 WK> (end-user) address in the REMOTE_ADDR field of a HTTP request, and
 WK> if so, how is it done? I.e. how do I read this (new) variable in my
 WK> cgi-bin script if the requester goes through proxy?

The REMOTE_ADDR variable is set by the HTTP server to equal the address
it's actually connected to; this will be the proxy server when one is in
use. Different proxies may send the original client's address in an
HTTP header, but any such assertion supplied over the connection should
not be used for authentication or access control in ANY WAY; it's
trivial to lie about. (Some proxies are configured not to give the
information out anyway; squid can do this, for example.)

 WK> I am asking this question because I think this is a good feature to
 WK> have and it will solve problems like hotmail.com or other cgi-bin
 WK> scripts which look at the originating address and act accordingly.

The originating address itself is not suitable for authentication; it's
too easily spoofed. If browser authors were less interested in flashy
features, they'd have implemented digest authentication by now, and we
could just use that for a much stronger form of authentication; as it
is, either SSL (overkill) or Basic authentication (easily snooped) are
the only two usable options.
Received on Mon Sep 08 1997 - 06:31:16 MDT
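
The distinction drawn in the reply above, as an added example that is not part of the original message: a CGI-side helper that accepts a proxy-supplied client address only when REMOTE_ADDR is a proxy the site runs itself, and only for logging. It assumes the proxy reports the client in an X-Forwarded-For header (HTTP_X_FORWARDED_FOR in the CGI environment), which the message does not name; the function names and all addresses are constructed for illustration.

```python
import ipaddress

# Assumption: proxies operated by this site (constructed documentation address).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr):
    """True if addr parses as an IP address inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_for_logging(environ):
    """Return (address, source) for logs and statistics only.

    The result is never suitable for authentication or access control:
    the header is plain client-controlled text unless our own proxy wrote it.
    """
    peer = environ.get("REMOTE_ADDR", "")
    # Anyone can send the header; only our own proxy may vouch for a client.
    if not _is_trusted(peer):
        return peer, "peer"

    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Proxies append on the right, so read right to left and stop at the
    # first hop that is not one of ours; entries further left are unverified.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer, "peer"  # malformed entry: fall back to the socket peer
        if not _is_trusted(hop):
            return hop, "forwarded"
    return peer, "peer"


if __name__ == "__main__":
    # Constructed CGI environments: a direct client forging the header,
    # then the same header arriving through the trusted proxy.
    forged = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "10.0.0.1"}
    proxied = {"REMOTE_ADDR": "192.0.2.10",
               "HTTP_X_FORWARDED_FOR": "1.2.3.4, 198.51.100.23"}
    print(client_for_logging(forged))
    print(client_for_logging(proxied))
```
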
