[squid-users] Squid in accelerator mode: Authenticate X-Forwarded-For headers

From: David Gubler <dg_at_doodle.com>
Date: Tue, 14 Dec 2010 17:24:01 +0100

I'm experimenting with Squid 3.0 as a reverse proxy. Currently, there
are two Squids running on the same machine, one for HTTP and one for
HTTPS (Squid must use HTTPS for the connection to our web server if and
only if the user did use HTTPS to contact Squid. I couldn't find another
way to do this except using two Squids on the same machine, please tell
me if there is another way. But for now, I can live with that.)

Users can also contact our web server directly, bypassing Squid (for now
at least).

Our Java web application needs to know the originating client IP address
(for GeoIP and the like). Squid puts it into the X-Forwarded-For header,
so far so good.

Unfortunately, anyone bypassing Squid could also set an X-Forwarded-For
header, so it cannot be trusted. Therefore, I need a way to authenticate
Squid to our Apache server.

I could configure the Squid's IP address on Apache. But this is
undesirable, because Squid is running on EC2, its IP may change, and
further EC2 instances can come and go.

The method I would prefer is another HTTP header that contains a secret,
which is added by Squid when the request is sent to our Apache. I could
check for the presence of the secret and the X-Forwarded-For header, and
if both are fine I know that I can trust the IP address in
X-Forwarded-For. I know this isn't bullet-proof in the cryptographic
sense, but if someone can intercept the communication between Squid and
our Apache, he is most likely able to spoof TCP connections anyway.

Unfortunately, I have tried header_replace, request_header_access and
header_access; none of these options seems to be able to add a new HTTP
header. Is there really no way to do this without using complicated and
slow ICAP/eCAP stuff?

Thanks!

David

PS. If anyone is curious, here is some dirty stuff for Apache I came up
with.

# This is an ultra-evil hack to get the IP address from X-Forwarded-For
# into Tomcat and the Apache log file, but only
# if the request comes from one of our proxy servers (ip address
# whitelisted by adding a file)
RewriteEngine On
# Default: the TCP peer address, used whenever the request did not
# arrive through one of our proxies
RewriteRule .* - [E=MY_REMOTE_ADDR:%{REMOTE_ADDR}]
# Trust X-Forwarded-For only if a file named after the peer IP exists
# in the whitelist directory ...
RewriteCond /somepath/proxies/%{REMOTE_ADDR} -f
# ... and the header holds exactly one dotted quad (a comma-separated
# chain of addresses is rejected and falls back to REMOTE_ADDR)
RewriteCond %{HTTP:X-Forwarded-For} "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"
RewriteRule .* - [E=MY_REMOTE_ADDR:%{HTTP:X-Forwarded-For}]
# mod_jk picks up JK_REMOTE_ADDR and hands it to Tomcat as the
# request's remote address
RewriteRule .* - [E=JK_REMOTE_ADDR:%{ENV:MY_REMOTE_ADDR}]
# Log the resolved address (%{...}e reads an environment variable)
# instead of %h, plus the request duration %D
LogFormat "%{MY_REMOTE_ADDR}e %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" combinedwithdurationproxyaware
CustomLog /somepath/access.log combinedwithdurationproxyaware
ErrorLog /somepath/error.log
Received on Tue Dec 14 2010 - 16:24:10 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 15 2010 - 12:00:02 MST
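The trust decision David describes, as an added example that is not part of the original post or of Squid or Apache: X-Forwarded-For is honoured only when the request demonstrably came through one of our proxies, established either by the peer address being whitelisted (the file-per-IP hack above) or by a shared-secret header the proxy adds (the header name X-Proxy-Secret, the whitelist and the secret value below are all assumptions). Anything else falls back to the TCP peer address, so a client that bypasses the proxy cannot pick its own GeoIP location.

```python
"""Resolve the client address behind a reverse proxy without trusting
X-Forwarded-For from arbitrary peers.

Added example, not code from the original post. Header name, whitelist
and secret are constructed stand-ins for real configuration.
"""
import hmac
import ipaddress

# Constructed: stands in for the /somepath/proxies/<ip> whitelist files
TRUSTED_PROXIES = {"10.0.0.5"}
# Constructed: would be loaded from configuration, never hard-coded
PROXY_SECRET = b"s3cret-only-squid-knows"
# Assumed header name that the proxy would add on the hop to Apache
SECRET_HEADER = "x-proxy-secret"


def _single_ipv4(value):
    """Accept exactly one dotted quad, like the regex in the Apache hack.

    A chain such as '198.51.100.7, 192.0.2.1' or any garbage yields None.
    """
    try:
        return str(ipaddress.IPv4Address(value.strip()))
    except (ipaddress.AddressValueError, ValueError):
        return None


def _peer_is_proxy(remote_addr, headers):
    """True if the TCP peer is one of our proxies, by whitelist or secret."""
    if remote_addr in TRUSTED_PROXIES:
        return True
    presented = headers.get(SECRET_HEADER)
    if presented is None:
        return False
    # Constant-time comparison: a plain == would let an attacker recover
    # the secret byte by byte through response-time differences.
    return hmac.compare_digest(presented.encode(), PROXY_SECRET)


def client_ip(remote_addr, headers):
    """Return the address to log and feed to GeoIP.

    remote_addr: the TCP peer address (Apache's REMOTE_ADDR).
    headers: dict of request headers; names are matched case-insensitively.
    """
    headers = {name.lower(): value for name, value in headers.items()}
    if not _peer_is_proxy(remote_addr, headers):
        # Direct client: whatever it put in X-Forwarded-For is attacker input
        return remote_addr
    xff = headers.get("x-forwarded-for")
    forwarded = _single_ipv4(xff) if xff is not None else None
    if forwarded is None:
        # Proxy sent nothing usable; do not guess, keep the peer address
        return remote_addr
    return forwarded


if __name__ == "__main__":
    # Constructed requests: (TCP peer, headers)
    samples = [
        ("203.0.113.9", {"X-Forwarded-For": "198.51.100.7"}),            # spoof, no proxy
        ("10.0.0.5", {"X-Forwarded-For": "198.51.100.7"}),               # whitelisted proxy
        ("10.0.9.9", {"X-Proxy-Secret": "s3cret-only-squid-knows",
                      "X-Forwarded-For": "198.51.100.7"}),               # new EC2 node, secret ok
        ("10.0.9.9", {"X-Proxy-Secret": "wrong",
                      "X-Forwarded-For": "198.51.100.7"}),               # bad secret
        ("10.0.0.5", {"X-Forwarded-For": "198.51.100.7, 192.0.2.1"}),    # chain rejected
    ]
    for peer, hdrs in samples:
        print(f"{peer:15} {hdrs!s:60} -> {client_ip(peer, hdrs)}")
```

The whitelist and the secret are deliberately combined with "or", because the secret is the answer to the EC2 problem in the post: a freshly started Squid instance with an unknown address is trusted as soon as it presents the shared secret, with no whitelist file to add. On the Squid side, the directive that adds such a header is request_header_add, which only exists from Squid 3.4 onwards, not in the 3.0 release the post is about.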