Re: [squid-users] Re: stop XFF

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 05 May 2010 00:00:00 +0000

On Tue, 4 May 2010 17:06:38 -0500, Luis Daniel Lucio Quiroz
<luis.daniel.lucio_at_gmail.com> wrote:
> On Tuesday 4 May 2010 17:01:36, Luis Daniel Lucio Quiroz wrote:
>> Hi all
>>
>> I have this scenario:
>>
>> client -> squid1 -> squid2 -> internet
>>
>> What do I need to stop the XFF header so pages like www.whatismyip.org
>> don't show that header?
>>
>> I don't want to turn off x-forward because squid2 has an ICAP server and
>> it needs that header. I have also tried this configuration:
>>
>> acl localnet 192.168.0.0/16 (and all networks I'm pretty sure are local,
>> including squid1 and squid2 ips)
>> forwarded_for on
>> follow_x_forwarded_for allow localnet
>> follow_x_forwarded_for deny all
>>
>> however the header is still present.
>>
>> Any advice?
>>
>> LD
>
> As I read here
> http://www.squid-cache.org/Doc/config/forwarded_for/
>
> if I put delete or truncate,
> is the XFF header alteration before or after the ICAP revision?
>
> LD

At the point the request is cloned to be sent to the remote server. I
think ICAP happens before that.

Some other related stuff:
 Squid sends X-Client-IP for ICAP to use. The result of
follow_x_forwarded_for is sent in there if trusted. If it's not being used
there is no point in doing follow_x_forwarded_for in the first place.

Also, trusting your end-user browser to set XFF headers correctly is a
huge mistake. There are popular plugins and apps to trivially forge it. The
only machines in your scenario which you can trust are your squid1 and
squid2, maybe the ICAP server.

Amos
Received on Wed May 05 2010 - 00:00:07 MDT
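Amos's point that only squid1 and squid2 can be trusted is exactly what follow_x_forwarded_for enforces: Squid walks the X-Forwarded-For list from the right, adopting each address as the client only while the address it was received from matches the acl, so a browser-forged entry is never reached unless the acl is wide enough to include the browser itself. The Python below is an added illustration, not Squid's own code, that models that walk and the forwarded_for on/off/transparent/truncate/delete modes from the linked documentation as a simplified string transform. The topology (client 10.0.0.5, squid1 192.168.10.2, squid2 192.168.10.3, a forged 1.2.3.4) and the two trust sets are constructed for the example; PROXY_ONLY is the recommended acl, WHOLE_LAN is the 192.168.0.0/16 acl from the question.

```python
"""Model of Squid's follow_x_forwarded_for walk and forwarded_for modes.

Added example, not Squid source. Addresses and acl sets are constructed.
"""
import ipaddress

# Constructed trust sets standing in for squid.conf acls (assumptions).
PROXY_ONLY = [ipaddress.ip_network("192.168.10.2/32"),   # squid1
              ipaddress.ip_network("192.168.10.3/32")]   # squid2
WHOLE_LAN = [ipaddress.ip_network("192.168.0.0/16")]     # acl from the question


def valid_ip(text):
    """True if text parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_trusted(addr, trusted):
    """True if addr falls inside any network of the trusted acl set."""
    if not valid_ip(addr):
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def parse_xff(header):
    """Split 'a, b, c' into ['a', 'b', 'c'], dropping empty entries."""
    return [p.strip() for p in header.split(",") if p.strip()]


def effective_client(peer_addr, xff_header, trusted):
    """Return (client_ip, leftover_untrusted_entries).

    Start at the TCP peer. While the current address is a trusted proxy,
    step one entry to the left in X-Forwarded-For. Stop at the first
    address that is not one of our proxies (or is not a valid IP): that is
    the best client identity we can vouch for. Whatever remains further
    left was appended by parties we do not control and may be forged.
    """
    chain = parse_xff(xff_header)
    current = peer_addr
    while chain and is_trusted(current, trusted):
        if not valid_ip(chain[-1]):
            break                      # garbage entry ends the walk
        current = chain.pop()
    return current, chain


def outbound_xff(incoming, direct_client, mode):
    """Header value this proxy sends upstream for a given forwarded_for mode.

    on: append the direct client's IP; off: append 'unknown';
    transparent: pass through untouched; truncate: keep only the direct
    client; delete: send no header at all (returned as None).
    """
    if mode == "delete":
        return None
    if mode == "truncate":
        return direct_client
    if mode == "transparent":
        return incoming or None
    appended = direct_client if mode == "on" else "unknown"
    return f"{incoming}, {appended}" if incoming else appended


if __name__ == "__main__":
    # squid2's view: peer is squid1, browser forged "1.2.3.4" before squid1
    # appended the real client. Narrow acl stops at 10.0.0.5.
    print(effective_client("192.168.10.2", "1.2.3.4, 10.0.0.5", PROXY_ONLY))
    # Same forgery from a LAN client when the acl covers the whole LAN:
    # the forged address is accepted as the client.
    print(effective_client("192.168.50.7", "1.2.3.4", WHOLE_LAN))
    # What squid2 emits toward the Internet under each mode.
    for mode in ("on", "off", "transparent", "truncate", "delete"):
        print(mode, outbound_xff("10.0.0.5", "192.168.10.2", mode))
```

The second call is the failure mode in the original configuration: with 192.168.0.0/16 trusted, a client on that LAN can place any address in X-Forwarded-For and squid2 will treat it as the client, which is why the acl should name only the proxies. Setting forwarded_for to delete on squid2 is the outbound half of the answer: follow_x_forwarded_for decides what squid2 believes, forwarded_for decides what it tells the next hop.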
