On Mon, 15 Feb 2010 13:15:35 -0430, Jose Ildefonso Camargo Tolosa
<ildefonso.camargo_at_gmail.com> wrote:
> Hi!
>
> I really don't understand why are you, people, so insistent on the
> "x-forwarded-for" thing..... it has nothing to do with authentication,
> unless you use IP as part of your ACLs, off course.
You mean such as little 'unimportant' things like "http_access allow
our_networks" or "http_access deny all"?
XFF defines the route of transfer. Security ACL define the trusted secure
zone. Combined, the XFF provides the true origin client for end-server
access authorization (and IP spoofing sometimes) across any hierarchy.
The hierarchy in this case is client+DG+Squid+untrusted.
Some (many?) websites use it to identify individual clients sources across
translation technologies such as NAT , intercepting proxies and CDN
hierarchies where the IP addresses are altered and multiple clients
otherwise appear to all come from the same source.
In the case of Squid+DansGuardian. _Every single request_ comes out the
other end as sourced from 127.0.0.1 / localhost.
Amos
Received on Mon Feb 15 2010 - 21:14:44 MST
This archive was generated by hypermail 2.2.0 : Tue Feb 16 2010 - 12:00:05 MST