Re: [squid-users] Getting Source-IP

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 23 Apr 2010 12:32:13 +1200

Jeff Pang wrote:
> On Thu, Apr 22, 2010 at 8:19 PM, Andreas Müller <amuelle1_at_gmx.de> wrote:
>> Hello,
>>
>> I'm using squid as accel proxy. Is there a possibility to inject the source
>> IP into the http header sent to webserver?
>>
>> I know that there is "HTTP_X_FORWARDED_FOR" but it seems that the content of
>> this parameter is not clear if this parameter is already in the request
>> header (e.g. the request already comes from a proxy). Sometimes I get a
>> comma separated list, sometimes not.
>>
>
> Squid has done its best with X_FORWARDED_FOR.
> For other solution, you may get the real client's IP with some client
> technologies like Javascript.
>

XFF was created for exactly this purpose. It is always a comma-separated
list of IP addresses (both IPv4 and IPv6 now). What seems to be
confusing you is the terminal comma being optional.

"X-Forwarded-For: A.B.C.D" is a list describing two machines. The
machine which connected to your server then machine A.B.C.D on the other
side of it.

Each proxy along the way adds the address of the machine which connected
to it onto the end of the list.

As Jeff said, it's not to be trusted at face value. Clients can easily
forge it. What needs to be done is check each IP in the list to see if
you trust what it has added to the list. Starting with the machine which
is passing it to you directly.

   If you do trust the middle proxy (I would expect you to at least
trust your own internal one) then repeat for the next address on the list.

   If you do not trust any given middle proxy then consider it to be the
real client and perform security assuming it's maybe lied about the rest
of the XFF header contents.

Wikipedia have a list of large ISP proxies they have been informed about
or uncovered if you want a seed group of ISP proxies you can trust to
tell you the real client IPs.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1
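The walk Amos describes (start at the machine that connected to you, step one entry to the left for every hop you trust, stop at the first one you don't) as a worked example. This is added code, not from the thread or from Squid; the trusted ranges, peer addresses and header values are constructed for illustration, and the functions `parse_xff` and `real_client_ip` are names chosen here.

```python
import ipaddress


def parse_xff(header_values):
    """Split one or more X-Forwarded-For header values into a list of
    entries, farthest hop first, nearest hop last.

    Each proxy appends the address of the machine that connected to it, so
    the rightmost entry is the most recent hop. A trailing comma produces an
    empty entry, which is dropped; surrounding whitespace is stripped.
    Multiple header values are joined in order, as if they were one list.
    """
    entries = []
    for value in header_values:
        for item in value.split(","):
            item = item.strip()
            if item:
                entries.append(item)
    return entries


def _as_address(raw):
    """Parse one list entry; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d).
    Raises ValueError for anything that is not an IP address."""
    addr = ipaddress.ip_address(raw.strip("[]"))
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr


def real_client_ip(peer_ip, xff_values, trusted_nets):
    """Return (client_ip, trusted_hops).

    peer_ip      - address of the TCP peer that sent us the request
    xff_values   - list of X-Forwarded-For header values (may be empty)
    trusted_nets - CIDR strings for proxies whose appended entries we believe
                   (your own proxies, plus any ISP proxies you choose to trust)

    Starting from the peer, each trusted hop lets us step one entry to the
    left. The first address that is not a trusted proxy is treated as the real
    client; everything to its left may have been forged by it and is ignored.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_nets]
    current = _as_address(peer_ip)
    entries = parse_xff(xff_values)
    hops = []
    while entries and any(current in net for net in nets):
        raw = entries.pop()          # entry appended by `current`
        try:
            nxt = _as_address(raw)
        except ValueError:
            # A proxy we trust handed us a non-address; `current` is the
            # closest machine we can actually identify, so stop here.
            break
        hops.append(current)
        current = nxt
    return str(current), [str(h) for h in hops]


if __name__ == "__main__":
    # Constructed sample: 10.0.0.0/8 is "our" proxy network and
    # 198.51.100.0/24 stands in for a known ISP proxy range.
    trusted = ["10.0.0.0/8", "198.51.100.0/24"]
    cases = [
        # client -> ISP proxy -> our proxy -> us: whole chain trusted
        ("10.0.0.5", ["203.0.113.9, 198.51.100.7"]),
        # direct client forging an XFF header: header ignored entirely
        ("203.0.113.9", ["1.2.3.4"]),
        # untrusted proxy in the middle, trailing comma on the list
        ("10.0.0.5", ["192.0.2.1, 192.0.2.2, 203.0.113.9,"]),
        # IPv6 client behind our proxy
        ("10.0.0.5", ["2001:db8::1"]),
    ]
    for peer, xff in cases:
        print(peer, xff, "->", real_client_ip(peer, xff, trusted))
```

The trust list is the part that needs care: only networks whose proxies you know append the connecting address honestly belong in it, and anything reachable by arbitrary clients (a public proxy, a load balancer that is not yours) must stay out, or one forged header walks the check straight past it.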
Received on Fri Apr 23 2010 - 00:32:22 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 23 2010 - 12:00:05 MDT