RE: [squid-users] Reverse proxy IP not passing through

From: saul waizer <swaizer@dont-contact.us>
Date: Fri, 14 Mar 2008 16:28:20 -0400

Micah,

I've had to deal with that situation a few times; the solution is quite
simple.

Recompile Squid with this option if you haven't done it so far:
"--enable-follow-x-forwarded-for"

Add these lines to your squid.conf:

forwarded_for on
follow_x_forwarded_for allow all

Basically, what this does is forward the client IP to the origin server in a
reverse proxy setup.

Now the client IP will be passed through the headers to the origin server,
but you need to do some work on Apache to be able to fetch those.
Unfortunately, Apache discussions are beyond the scope of this list. I
suggest you look into rewrite rules; I have the same setup working like a
charm with rewrites.

Hope it helps
Saul W.

-----Original Message-----
From: news [mailto:news@ger.gmane.org] On Behalf Of Micah Anderson
Sent: Wednesday, March 12, 2008 5:49 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Reverse proxy IP not passing through

I upgraded my squid to 2.6 and re-did the configs. Everything is working
with the exception of one problem: the old version used to pass the
visitor's IP back to the webserver, but now it just passes the squid
host's IP. I need the requesting IP for some CGIs to work; at the
moment they think that my host is the only one hitting them :O

I used to accomplish this with httpd_accel_uses_host_header and I
understand that this has been replaced in the newer 2.6 versions, but as
you can see from my configuration below, I've made that change.

I've got Apache running on port 81 of the same server, and if I hit the
webserver itself, it sees the IPs correctly; it's just when squid passes
them on. I'm using 2.6.18 backport on Debian etch.

Here is my squid.conf, with some IPs/domains munged to protect the
innocent. Thanks for any ideas!

Micah

http_port 214.132.104.148:80 defaultsite=mydomain.com:80 vhost vport
cache_peer 214.132.104.148 parent 81 0 no-query originserver default
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl QUERY urlpath_regex download \?
acl QUERY urlpath_regex trackback \?
acl QUERY urlpath_regex email \?
acl QUERY urlpath_regex review \?
acl QUERY urlpath_regex proposals \?
acl QUERY urlpath_regex submit \?
acl QUERY urlpath_regex admin \?
acl QUERY urlpath_regex prerelease \?
acl POSTS method POST
no_cache deny POSTS
no_cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_swap_low 92
cache_swap_high 96
cache_dir aufs /var/spool/squid 100 16 256
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %{Host}>h
access_log /var/log/squid/access.log combined
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
read_timeout 10 minutes
request_timeout 20 seconds
pconn_timeout 10 seconds
redirect_children 20
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl green src 214.132.104.148/255.255.255.255
acl SSL_ports port 443
acl SSL_ports port 563
acl SSL_ports port 873
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
http
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT
acl IMAGES urlpath_regex .jpg$
acl IMAGES urlpath_regex .gif$
acl IMAGES urlpath_regex .swf$
acl IMAGES urlpath_regex .ico$
acl IMAGES urlpath_regex .png$
http_access allow purge green
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_access deny all
icp_access deny ALL
ident_lookup_access deny all
http_access allow green
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_group proxy
delay_pools 1
delay_class 1 1
delay_access 1 allow all
delay_parameters 1 128000/128000 # 512 kbits == 64 kbytes per second, 1Mbit/sec=128kbytes
strip_query_terms off
coredump_dir /var/spool/squid

Received on Fri Mar 14 2008 - 14:28:20 MDT
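
Added example, not part of either message above: a Python sketch of how a CGI on the origin could recover the visitor's address from the X-Forwarded-For header that Squid sends with forwarded_for on. The header is honoured only when the connection itself comes from the proxy, because any client can send its own X-Forwarded-For. The trusted address list, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: the only proxy in front of the origin is the Squid host from the
# posted config, reaching Apache on port 81 from its own address or loopback.
TRUSTED_PROXIES = [
    ipaddress.ip_network("214.132.104.148/32"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def _parse(token):
    """Return an ip_address object, or None if the token is not a valid IP."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Resolve the client address for a request as seen by the origin.

    remote_addr is the TCP peer (CGI REMOTE_ADDR); xff_header is the raw
    X-Forwarded-For value (CGI HTTP_X_FORWARDED_FOR), or None if absent.
    """
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError("REMOTE_ADDR is not an IP address")
    # A request that did not arrive through the proxy (e.g. a direct hit on
    # port 81) gets no credit for whatever header it carries.
    if not _is_trusted(peer, trusted) or not xff_header:
        return str(peer)
    # Each proxy appends the address it received the request from, so the
    # rightmost entries are the ones written by our own infrastructure.
    # Walk right to left and stop at the first address that is not ours.
    for token in reversed(xff_header.split(",")):
        addr = _parse(token)
        if addr is None:        # e.g. "unknown", sent when forwarded_for is off
            break
        if not _is_trusted(addr, trusted):
            return str(addr)
        peer = addr
    return str(peer)
```

Anything to the left of the returned entry was supplied by the client and should be treated as untrusted input, for logging at most.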

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:05 MDT