Re: [squid-users] squidclient -follow_x_forwarded_for

From: Alejandro Martinez <amartinez_at_equital.com.uy>
Date: Tue, 28 Apr 2009 08:20:02 -0300

Thanks for your reply.

Where can I find some info about squidclient x_forwarded?

Maybe asking in squid-dev?

Chris Robertson wrote:
> Alejandro Martinez wrote:
>> Hi,
>>
>> This is my first post.
>>
>> I have two proxies
>>
>> Network(Users) -------------> ProxyA (sibling) --------------> ProxyB (parent)
>>
>>
>> In proxyA I have:
>> forwarded_for on
>>
>> In ProxyB I have:
>> follow_x_forwarded_for allow all
>
> This should NOT be an allow all. Since you only have one child proxy,
> you should only allow follow_x_forwarded_for for that specific IP.
>
> acl childProxy src 192.168.18.92
> follow_x_forwarded_for allow childProxy
>
>> acl_uses_indirect_client on
>> log_uses_indirect_client on
>> delay_pool_uses_indirect_client on
>>
>> ProxyA - Squid Cache: Version 2.5.STABLE14
>> configure options: --build=i686-redhat-linux-gnu
>> --host=i686-redhat-linux-gnu --target=i386-redhat-linux-gnu
>> --program-prefix= --prefix=/usr --exec-prefix=/usr
>> --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
>> --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib
>> --libexecdir=/usr/libexec --localstatedir=/var
>> --sharedstatedir=/usr/com --mandir=/usr/share/man
>> --infodir=/usr/share/info --exec_prefix=/usr --bindir=/usr/sbin
>> --libexecdir=/usr/lib/squid --localstatedir=/var
>> --sysconfdir=/etc/squid --enable-poll --enable-snmp
>> --enable-removal-policies=heap,lru
>> --enable-storeio=aufs,coss,diskd,null,ufs --enable-ssl
>> --with-openssl=/usr/kerberos --enable-delay-pools
>> --enable-linux-netfilter --with-pthreads
>> --enable-ntlm-auth-helpers=SMB,winbind
>> --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group
>> --enable-auth=basic,ntlm --with-winbind-auth-challenge
>> --enable-useragent-log --enable-referer-log
>> --disable-dependency-tracking --enable-cachemgr-hostname=localhost
>> --enable-ident-lookups --enable-truncate --enable-underscores
>> --datadir=/usr/share
>> --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,winbind
>> --enable-fd-config --enable-arp-acl
>>
>>
>> ProxyB - Squid Cache: Version 2.6.STABLE22
>> configure options: '--enable-ssl'
>> '--enable-follow-x-forwarded-for' '--enable-delay-pools'
>> '--enable-arp-acl' '--enable-linux-netfilter'
>>
>>
>>
>> My problem is, I can see the original IP of the users in access.log,
>> but when I do a "squidclient -U user -W password mgr:active_requests"
>> (in ProxyB) I only see one entry
>>
>>
>> HTTP/1.0 200 OK
>> Server: squid/2.6.STABLE22
>> Date: Mon, 23 Mar 2009 21:07:15 GMT
>> Content-Type: text/plain
>> Expires: Mon, 23 Mar 2009 21:07:15 GMT
>> Last-Modified: Mon, 23 Mar 2009 21:07:15 GMT
>> X-Cache: MISS from proxyE1.equital.com
>> Via: 1.0 proxyE1.equital.com:3128 (squid/2.6.STABLE22)
>> Proxy-Connection: close
>>
>> Connection: 0x8f1bfd0
>> FD 12, read 117, wrote 0
>> FD desc: cache_object://localhost/active_requests
>> in: buf 0x8f33cf8, offset 0, size 4096
>> peer: 127.0.0.1:33086
>> me: 127.0.0.1:3128
>> nrequests: 1
>> defer: n 0, until 0
>> uri cache_object://localhost/active_requests
>> log_type TCP_MISS
>> out.offset 0, out.size 0
>> req_sz 117
>> entry 0x8f22dc8/82AFF239F7FDD8D3ED9A797B5AEE2340
>> old_entry (nil)/N/A
>> start 1237842435.324518 (0.000000 seconds ago)
>> username -
>> delay_pool 0
>>
>> squidclient can't see the forwarded address of the clients? Am I
>> missing something?
>
> At this time there was just one active request, that being the Squid
> client (on localhost) requesting information about active requests...
> I have no idea if the cache_manager menu honors the X-Forwarded-For
> header, but I would imagine not. The active_requests list includes
> port numbers, and so probably uses the raw TCP connection data.
>
>> Thanks a lot
>
> Chris
>
Received on Tue Apr 28 2009 - 11:20:25 MDT
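
The following is an added example, not part of the original thread and not Squid's own code. It is a simplified Python model of how a proxy that follows X-Forwarded-For backtracks through the header, comparing `follow_x_forwarded_for allow all` with the `childProxy` ACL suggested in the reply. The user address `192.168.18.50`, the client-supplied value `10.9.9.9`, and the assumption that ProxyA appends the real client address to any header it receives are constructed for illustration.

```python
import ipaddress

# Trust sets modelled on the two configurations discussed in the thread.
ALLOW_ALL = ["0.0.0.0/0"]            # follow_x_forwarded_for allow all
CHILD_ONLY = ["192.168.18.92/32"]    # acl childProxy src 192.168.18.92


def indirect_client(direct_peer, xff_header, trusted_nets):
    """Return the address a proxy would treat as the indirect client.

    Simplified model: start from the TCP peer; while the current address is
    trusted to supply X-Forwarded-For, step to the next entry from the right.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in trusted)

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    current = direct_peer
    while hops and is_trusted(current):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        current = candidate
    return current


if __name__ == "__main__":
    # Constructed request: the user at 192.168.18.50 sent its own
    # "X-Forwarded-For: 10.9.9.9"; ProxyA (192.168.18.92) appended the
    # real client address before forwarding to ProxyB.
    peer, header = "192.168.18.92", "10.9.9.9, 192.168.18.50"
    print("allow all  ->", indirect_client(peer, header, ALLOW_ALL))
    print("childProxy ->", indirect_client(peer, header, CHILD_ONLY))

    # Constructed request: the same user bypasses ProxyA and connects
    # to ProxyB directly with a client-supplied header.
    peer, header = "192.168.18.50", "10.9.9.9"
    print("allow all  ->", indirect_client(peer, header, ALLOW_ALL))
    print("childProxy ->", indirect_client(peer, header, CHILD_ONLY))
```

With the trust set limited to the child proxy, the address used for ACLs, logging and delay pools is always one that ProxyA itself observed, never a value the client typed into the header.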
