Re: [squid-users] IP passthrough the cache

From: Neil A. Hillard <hillardn@dont-contact.us>
Date: Wed, 22 Jan 2003 17:10:46 +0000 (GMT)

Laurent,

On Wed, 22 Jan 2003, Laurent HENRY wrote:
> To answer Neil, if the provider would want to accept my proxy all would be
> easier you are right, but he insists on his system of per-IP licence !
In that case, question him how he would handle a Unix box with multiple
users (e.g. multiple X terminals served from it)... That would give the
same problem.

IP based security in this instance is too much hassle. Presumably you
have to be on a permanent connection, dial-up users would not be able to
access the service since most ISPs do not allocate static addresses...

                                Neil.

> On Wednesday 22 January 2003 15:24, you wrote:
> > Laurent HENRY wrote:
> > > I mean it works using the remote application and passing by the proxy.
> > > so i guess it passes by the proxy but the end application doesn't see the
> > > proxy address and knows it is for one of its registered clients.
> >
> > Yes, that is normal because ip-wise, if SQUID is in place
> > then any packet has source ip address of the proxy.
> > It was discussed in the past, whether squid could forge
> > the ip address of the client in the ip packet.
> >
> > This, of course, is impossible, because if
> > you look at the network stack, it is an application.
> > Meaning that it has no access to ip source and destination field
> > in an ip packet.
> >
> > M.
> >
> > > in my squid.conf :
> > > forwarded_for on
> > >
> > > On Wednesday 22 January 2003 15:01, Marc Elsen wrote:
> > > > Laurent HENRY wrote:
> > > > > Hi,
> > > > > thank you for your answer. Unfortunately, i told them the same but
> > > > > they don't seem to give a damn about my complaints.
> > > > > What i don't understand is what (without any special squid
> > > > > configuration) it works with some workstations (Win$) and some not at
> > > > > all (MacOs/Linux).
> > > >
> > > > Not sure what you mean by 'it works' here, you mean just Internet
> > > > access or using the remote application ?
> > > >
> > > > > Can you tell me more about the X-Forward and the use of it in this
> > > > > particular bad case ?
> > > >
> > > > From squid.conf.default
> > > >
> > > >
> > > > # TAG: forwarded_for on|off
> > > > # If set, Squid will include your system's IP address or name
> > > > # in the HTTP requests it forwards. By default it looks like
> > > > # this:
> > > > #
> > > > # X-Forwarded-For: 192.1.2.3
> > > > #
> > > > # If you disable this, it will appear as
> > > > #
> > > > # X-Forwarded-For: unknown
> > > > #
> > > > #Default:
> > > > # forwarded_for on
> > > >
> > > > It remains at the discretion of the remote webserver to use that info,
> > > > but as stated, it would probably be very easy to work around such
> > > > auth schemes.
> > > >
> > > > > On Wednesday 22 January 2003 14:27, you wrote:
> > > > > > Laurent HENRY wrote:
> > > > > > > hi,
> > > > > > >
> > > > > > > i come back on an old topic i found in the archives of the
> > > > > > > mailing list, a thread named "Passthrough TCP/IP address".
> > > > > > > I'm facing exactly the same problem now and i don't know how to
> > > > > > > resolve it.
> > > > > > >
> > > > > > > Some of the client of my network need to connect to a website
> > > > > > > using an IP address access lists (for a paying subscription).
> > > > > > > My clients can't have Internet access without the proxy, so i
> > > > > > > can't give them direct access to the site and bypass the squid as
> > > > > > > told in the thread. The foreign webserver wants to see the IP of
> > > > > > > the client and only get the IP of my proxy, so they are refused.
> > > > > > > Can i configure the proxy to make something resolving the
> > > > > > > problem ?
> > > > > > >
> > > > > > > This case is very hard to understand for me because some client
> > > > > > > systems seem to actually pass through and some not; this without
> > > > > > > any action from me...
> > > > > >
> > > > > > Tell the remote server (service), to look at the X-Forwarded-for
> > > > > > field in the http request send by out.
> > > > > > Usage of this header is controlled in squid.conf.
> > > > > >
> > > > > > Anyway, we were faced with similar problems in the past: modern
> > > > > > webservers will use authentication based upon usernames/passwords
> > > > > > etc.
> > > > > >
> > > > > > Why, because a higher level application should use high level
> > > > > > authentication schemes (tell them that :-).
> > > > > >
> > > > > > IP in the current internet world is being hacked-around all the
> > > > > > time, NAT-ing, routers+NAT, Firewall-NAT, etc. can make in this
> > > > > > world that any ip address can 'represent' many hosts.
> > > > > >
> > > > > > So they are simply implementing poor auth. schemes,...
> > > > > >
> > > > > > M.
>

-- 
Neil Hillard                    hillardn@whl.co.uk
Westland Helicopters Ltd.       http://www.whl.co.uk/
Disclaimer: This message does not necessarily reflect the
            views of Westland Helicopters Ltd.
Received on Wed Jan 22 2003 - 10:14:54 MST
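
Added example (not part of the original thread and not Squid code): how a server that insists on per-IP checks could treat X-Forwarded-For, honouring it only when the TCP peer is a proxy it has agreed to trust and reading the list right to left, since anything to the left of the proxy's own entry is client-supplied text. The addresses, the TRUSTED_PROXIES and LICENSED sets and the function names are constructed for illustration, and the proxy is assumed to append the address it saw to any header already present.

```python
import ipaddress

# Constructed sample data (assumption): proxies the licence server trusts,
# and the client addresses that hold a per-IP licence.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]
LICENSED = {ipaddress.ip_address("198.51.100.25")}


def is_trusted_proxy(addr):
    """True if addr belongs to a proxy whose X-Forwarded-For we accept."""
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, xff_header=None):
    """Return the address the licence check should be made against.

    peer_ip    -- source address of the TCP connection (cannot be set by a header)
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header arriving from an unknown peer proves nothing: ignore it.
    if not is_trusted_proxy(peer) or not xff_header:
        return peer
    # Each trusted proxy appended the address it saw, so walk right to left
    # and stop at the first hop that is not itself a trusted proxy.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # "unknown" (forwarded_for off) or malformed: fall back to the proxy.
            return peer
        if not is_trusted_proxy(addr):
            return addr
    return peer


def is_licensed(peer_ip, xff_header=None):
    """Per-IP licence decision using the resolved client address."""
    return effective_client_ip(peer_ip, xff_header) in LICENSED
```

Entries to the left of the one the trusted proxy appended are never consulted, so a client behind the proxy that sends its own X-Forwarded-For header gains nothing.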
