Re: [squid-users] Why is follow_x_forwarded_for not used for ICAP ? Or is it?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 19 Jan 2010 21:59:54 +1300

Michael Portz wrote:
> On 19.01.2010 at 09:06, Amos Jeffries wrote:
>
>> Michael Portz wrote:
>>> My scenario is the following:
>>>
>>> The original accesses from our LAN hit on the first-level squid.
>>> Doing some basic load-balancing the requests are forwarded to several
>>> parent-squids. Each of these contact various ICAP-servers for
>>> modifications of the request.
>>>
>>> The problem: several decisions of the ICAP-server should be based on
>>> the original client's IP-address. Alas, given the scenario above, it
>>> only can be based on the outgoing IP address of the first-level
>>> proxy. The configuration option follow_x_forwarded_for does the right
>>> thing, but "only" access_control, delay pools and logging are
>>> explicitly stated as applications. Does it work for icap, too? Or is
>>> something like this in the development queue?
>>>
>>> The all-over squid version is 3.0.STABLE21.
>>>
>>> Regards Michael
>> Strange. 3.0 does not even have a follow_x_forwarded_for option. That
>> was added to Squid-3.1.
>>
>> The one in 3.1 has several known problems such as the ICAP lack you
>> cite. http://bugs.squid-cache.org/show_bug.cgi?id=2731
>> I'm hoping to fix XFF by next release. Certainly before it goes stable.
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
>> Current Beta Squid 3.1.0.15
>
> Great!
>
> I am new to the list but my experience from elsewhere is that if you
> don't mention the version, half of the replies to your posting are "what version
> are you using", so I usually include this bit of information, regardless of its
> importance to the contents of the posting :-)
>
> Thanks for your answer and for the pointer, your answer saves me setting
> up a 3.1 just for finding out; not sure I understood you correctly though,
> so allow for one more question: Does Wolfgang's patch
>
> - work?
> - nearly work?
> - is still too buggy to use?

Nearly. It does send the XFF result IP to ICAP like it is supposed to.

The other problems in XFF mean that the result IP may not always be
what you want. The direct client IP is not checked and Squid 'fails'
partially trusted chains when it should not.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
   Current Beta Squid 3.1.0.15
Received on Tue Jan 19 2010 - 09:00:12 MST
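
Added example (not part of the original message and not Squid's code): a sketch of the chain walk that the two XFF problems named above concern, checking the direct peer before trusting its header and resolving a partially trusted chain to the first untrusted hop. The function name, the trusted network and all addresses are constructed assumptions.

```python
import ipaddress

def indirect_client(direct_ip, xff_header, trusted_nets):
    """Return the address to treat as the client (e.g. the one sent to ICAP).

    Walk from the nearest hop outward and stop at the first address that
    is not a trusted proxy; that address is the result.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(direct_ip)
    # Proxies append to the header, so the rightmost entry is the most recent.
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        # The direct peer is checked first: an untrusted peer's header is ignored.
        if not is_trusted(current):
            break
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            # Unparseable entry such as "unknown": keep the last good address.
            break
    return str(current)

# Constructed scenario: first-level proxies live in 10.0.0.0/24.
TRUSTED = ["10.0.0.0/24"]

if __name__ == "__main__":
    # Request relayed by a trusted first-level proxy for a LAN client.
    print(indirect_client("10.0.0.5", "192.168.1.77", TRUSTED))
    # Untrusted direct peer supplying its own header: header is not followed.
    print(indirect_client("203.0.113.9", "10.0.0.5, 192.168.1.1", TRUSTED))
    # Partially trusted chain: result is the first untrusted hop, not a failure.
    print(indirect_client("10.0.0.5", "1.2.3.4, 198.51.100.7, 10.0.0.6", TRUSTED))
```
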
