Re: [SQU] Squid for cache only

From: Colin Campbell <sgcccdc@dont-contact.us>
Date: Thu, 18 Jan 2001 13:53:31 +1000 (EST)

Hi,

On Thu, 18 Jan 2001, Awie wrote:

> Thanks M. Yu ! My main concern is how to expose our client's IP to the internet
> although their request is through Squid.
>
> My IX (Internet eXchange) also uses Squid (even version 1.x). If I check
> the IP that I use, it is MINE ! So, I think that M. Yu is right.
>
> Folks, is there a setting to do what M. Yu explained?

Let me explain how a browser and a proxy interact. Let's assume we are
trying to get to www.squid-cache.org.

1. No proxy/cache configured in browser.

o user types: http://www.squid-cache.org/index.html
o browser connects to www.squid-cache.org
o browser sends "GET /index.html HTTP/1.0" followed by
  some HTTP headers to the server

There is only one TCP connection: from the browser to the server.
Therefore the server sees the browser IP in the connection and the browser
sees the server.

2. Now let's configure a proxy in the browser

o user types: http://www.squid-cache.org/index.html
o browser consults its proxy configuration
o browser connects to proxy
o browser sends "GET http://www.squid-cache.org/index.html HTTP/1.0" plus
  some HTTP headers to the proxy.
o proxy connects to www.squid-cache.org
o proxy sends "GET /index.html HTTP/1.0" plus some HTTP headers to the
  server

Now you can see there are TWO connections: browser-proxy and proxy-server.
The browser never sees the server and the server never sees the browser.

When the proxy sends the "GET ..." plus headers, it can do what it likes
to the headers passed in by the browser. It can ignore them totally, it
can add to them, it can leave some out. M. Yu (I believe) was referring to
the option where the proxy will insert an HTTP header which has the client
IP address in it. The server can use that for logging but it is NOT the
address it sees in the IP packets.

There are a number of good reasons why it is pointless having the proxy
send packets with the IP address of the client browser as the source
IP. The main one is the proxy would then be useless cos the server would
send the packets back to the client, not the proxy.

Colin
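
The two request forms and the inserted client-address header described above, as an added example that is not part of the original message. It assumes the header is named X-Forwarded-For; the function names and the sample addresses are constructed for the illustration.

```python
from urllib.parse import urlsplit

def proxy_rewrite(browser_request, client_ip):
    """Turn the request a browser sends to a proxy into the one the proxy
    sends to the origin server. Returns (origin_host, request_text)."""
    head = browser_request.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    url = urlsplit(target)            # the browser sent the full URL to the proxy
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    kept, chain = [], []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-forwarded-for":
            chain.append(value.strip())   # whatever the client claimed
        else:
            kept.append(line)
    # The proxy appends the address it saw on the browser-proxy connection.
    kept.append("X-Forwarded-For: " + ", ".join(chain + [client_ip]))
    return url.netloc, "\r\n".join([f"{method} {path} {version}", *kept]) + "\r\n\r\n"

def address_to_log(tcp_peer, request, trusted_proxies):
    """The TCP peer is the only address the server really sees. The header is
    just text, so use it only when the peer is a proxy the server trusts."""
    if tcp_peer not in trusted_proxies:
        return tcp_peer
    for line in request.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-forwarded-for":
            # The rightmost entry is the one the trusted proxy appended.
            return value.split(",")[-1].strip()
    return tcp_peer

# Constructed sample data (documentation address ranges).
CLIENT_IP, PROXY_IP = "192.0.2.10", "198.51.100.5"
BROWSER_REQUEST = ("GET http://www.squid-cache.org/index.html HTTP/1.0\r\n"
                   "User-Agent: demo\r\n\r\n")

if __name__ == "__main__":
    host, origin_request = proxy_rewrite(BROWSER_REQUEST, CLIENT_IP)
    print("proxy connects to:", host)
    print(origin_request)
    print("server logs:", address_to_log(PROXY_IP, origin_request, {PROXY_IP}))
```
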

Received on Wed Jan 17 2001 - 20:58:07 MST
