Re: [squid-users] forwarded_for ? in 3.2.x

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 25 Apr 2011 20:09:59 +1200

On 22/04/11 02:08, jeffrey j donovan wrote:
> Greetings,
>
> I have a transparent squid in a private net with a 1-1 NAT, I'm
> trying to get a good understanding of what my clients look like to
> the outside. What is the default setting for "forwarded_for" if my
> system is running intercept?

"forwarded_for on" is the default for all modes. The client IP *as seen
by Squid* is added to the header.

> To my understanding, if I leave the
> X-Forwarded-For header, my NATed clients' IP will be the visible
> requestor?

Whatever the client IP making the request was will be noted as the
original requestor. The internal "private" IP ranges have no meaning to
external viewers. They simply indicate that there was a NAT step.

> in the past did we strip that out or is it something new?

Nothing has changed in Squid. Maybe your config or something outside
Squid was playing with it.

> is there a way to have the final request return the global NAT ip of
> the client ?

There is no such global IP for the client, at least for port 80. The
client never touches the Internet when intercepted into Squid. This is
one of the few benefits of interception.

The Squid box is the only public TCP/IP address touching the Internet.

> Currently squid seems to be the final, I think. Can
> someone clarify this option for me? Thanks -j
>
> 192.168.1.2 ---> 192.168.1.1[ squid]10.10.10.1 -- 10.10.10.2 [ IP
> NAT ] -- GLOBAL
>

Correct.

>
> forwarded_for New setting options. transparent, truncate, delete.
>
> If set to "transparent", Squid will not alter the X-Forwarded-For
> header in any way.
>
> If set to "delete", Squid will delete the entire X-Forwarded-For
> header.
>
> If set to "truncate", Squid will remove all existing X-Forwarded-For
> entries, and place itself as the sole entry.
>

... as you cut-n-pasted from the documentation, that is what it does.

The "place itself as the sole entry" was incorrect. Fixed in recent
releases to be "place the client IP as the sole entry".

Going back to your initial goal "get a good understanding of what my
clients look like to the outside"...

  The "outside" all sees Squid global IP connecting to them and making
requests.
  For smart web services that attempt to use advanced transfer features
they see the Via: header indicating the client and Squid capabilities so
nothing breaks halfway back.
  For smart security systems that attempt IP-based security (the ones
that do it well anyway) they see the X-Forwarded-For header with a group
of identifiers that can be combined to classify different end clients apart.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Mon Apr 25 2011 - 08:10:16 MDT
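The following is an added illustration, not code from Squid or from either poster. It models the X-Forwarded-For outcomes for each forwarded_for value (the transparent/truncate/delete semantics quoted from the documentation above, the default "on", and "off", which per Squid's documentation sends the literal token "unknown"; that last detail is not quoted in the thread and is an assumption to check against your own squid.conf.documented), and then shows what an origin server can actually conclude from the chain in the topology jeffrey drew: the private 192.168.1.2 entry is a client-supplied claim that only proves a NAT/proxy step happened, while the TCP peer address is the one thing the origin knows for certain. The peer address 203.0.113.10 is a constructed placeholder for the "GLOBAL" NAT IP.

```python
import ipaddress
from typing import List, Optional, Tuple

# Illustrative model of Squid's forwarded_for directive; not Squid's own code.
# mode values: on | off | transparent | delete | truncate

def apply_forwarded_for(mode: str, client_ip: str,
                        existing_xff: Optional[str]) -> Optional[str]:
    """Return the X-Forwarded-For value Squid would send upstream.

    client_ip    -- the peer address Squid accepted the TCP connection from
                    (for an intercepted client this is the LAN address).
    existing_xff -- X-Forwarded-For as received from the client, or None.
    A return value of None means the header is not sent at all.
    """
    if mode == "transparent":          # header passed through untouched
        return existing_xff
    if mode == "delete":               # whole header dropped
        return None
    if mode == "truncate":             # fixed behaviour: client IP as sole entry
        return client_ip
    if mode in ("on", "off"):          # append the client IP, or "unknown" for off
        token = client_ip if mode == "on" else "unknown"   # "off" token: assumption
        return token if not existing_xff else f"{existing_xff}, {token}"
    raise ValueError(f"unknown forwarded_for mode: {mode}")


def classify_chain(xff: Optional[str], peer_ip: str) -> List[Tuple[str, str]]:
    """Origin-server view of a request: one (address, label) per hop.

    Every X-Forwarded-For entry is unauthenticated text supplied by whoever
    sent the request, so it is labelled "-claimed". Private entries only show
    that a NAT or proxy step occurred; they name nothing reachable. Only the
    TCP peer address is established by the connection itself.
    """
    hops: List[Tuple[str, str]] = []
    for raw in (xff.split(",") if xff else []):
        token = raw.strip()
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            hops.append((token, "unparseable-claimed"))   # e.g. "unknown"
            continue
        hops.append((token, "private-claimed" if addr.is_private
                            else "public-claimed"))
    hops.append((peer_ip, "tcp-peer"))
    return hops


if __name__ == "__main__":
    # Constructed scenario from the thread: 192.168.1.2 -> [squid] -> [NAT] -> GLOBAL
    for mode in ("on", "off", "transparent", "delete", "truncate"):
        print(f"{mode:12s} -> {apply_forwarded_for(mode, '192.168.1.2', None)!r}")
    xff = apply_forwarded_for("on", "192.168.1.2", None)
    print(classify_chain(xff, "203.0.113.10"))   # 203.0.113.10 = placeholder NAT IP
```

The origin's classification is the defender-side point: an IP-based access control that trusts the first X-Forwarded-For entry is trusting client-controlled input, so the chain should be read as a set of hints to tell end clients apart (as Amos describes), not as an authenticated source address.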