Re: [squid-users] connection limit and X-Forwarded-For IP

From: Mario Remy Almeida <malmeida_at_isaaviation.ae>
Date: Mon, 12 Apr 2010 18:23:59 +0400

Thanks Amos,

My doubts are clear now.

Amos Jeffries wrote:
> Mario Remy Almeida wrote:
>> Hi All,
>>
>> Recently I configure Squid as reverse proxy for back-end apache
>> server running Drupal.
>>
>> acl airarabia_web dstdomain www.airarabia.com
>> cache_peer 10.4.171.6 parent 80 0 no-query originserver
>> name=airarabia_peer2 round-robin forceddomain=www.airarabia.com default
>> # cache_peer 10.4.171.7 parent 80 0 no-query originserver
>> name=airarabia_peer1 round-robin forceddomain=www.airarabia.com
>> default # not yet implemented
>> cache_peer_access airarabia_peer2 allow airarabia_web
>> cache_peer_access airarabia_peer2 deny all
>>
>> Problem 1:-
>> With Apache I had connection Limit of 20 per IP (mod_limitipconn.so)
>>
>> I need to achieve this with squid reverse proxy.
>> please let me know if below configurations is correct.
>
> You should not really need this with Squid. FD in Squid are very
> lightweight and do not block whole threads like they do in Apache.
>
>>
>> ===========================
>> acl connectionLimit maxconn 20
>
> Missing:
>
> http_access deny connectionLimit
>
>> acl airarabia_web dstdomain www.airarabia.com
>> cache_peer 10.4.171.6 parent 80 0 no-query originserver
>> name=airarabia_peer2 round-robin forceddomain=www.airarabia.com default
>> cache_peer_access airarabia_peer2 allow airarabia_web connectionLimit
>
> The above will cause denial if LESS than 20 connections are made.
>
> Seems strange until you consider that connectionLimit is only true
> when >20 connections are present from a single IP. Which will cause
> the following line to happen:
>
>> cache_peer_access airarabia_peer2 deny all
>> ===========================
>>
>> Problem 2:-
>> After configuring reverse proxy, The apache back-end server gets the
>> IP of the reverse proxy and not of the actual clients.
>
> Your problem description describes the config:
>
> forwarded_for on
>
>
>>
>> squid.conf
>> ===========================
>> follow_x_forwarded_for allow airarabia_web
>> follow_x_forwarded_for deny all
>> acl_uses_indirect_client on
>> delay_pool_uses_indirect_client on
>> log_uses_indirect_client on
>> ===========================
>>
>> I will work on HOW TO for mod_extract_forwarded, but mean time if
>> someone can verify if the above squid.conf for problem 2 is correct?
>
> It does not match your problem description. It configures Squid to log
> and run ACL tests based on the remote client IP outside your trusted
> edge.
> Useful only for hierarchies and clusters of proxies who need to ignore
> the internal relay chain in their security tests.
>
> Amos

------------------------------------------------------------------------------
Disclaimer and Confidentiality

This material has been checked for computer viruses and although none has
been found, we cannot guarantee that it is completely free from such problems
and do not accept any liability for loss or damage which may be caused.
Please therefore check any attachments for viruses before using them on your
own equipment. If you do find a computer virus please inform us immediately
so that we may take appropriate action. This communication is intended solely
for the addressee and is confidential. If you are not the intended recipient,
any disclosure, copying, distribution or any action taken or omitted to be
taken in reliance on it, is prohibited and may be unlawful. The views
expressed in this message are those of the individual sender, and may not
necessarily be that of ISA.
Received on Mon Apr 12 2010 - 14:25:13 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 13 2010 - 12:00:04 MDT