Re: [squid-users] forwarded_for ? in 3.2.x

From: jeffrey j donovan <donovan_at_beth.k12.pa.us>
Date: Tue, 26 Apr 2011 08:37:38 -0400

On Apr 25, 2011, at 4:09 AM, Amos Jeffries wrote:

> On 22/04/11 02:08, jeffrey j donovan wrote:
>> Greetings,
>>
>> I have a transparent squid in a private net with a 1-1 NAT. I'm
>> trying to get a good understanding of what my clients look like to
>> the outside. What is the default setting for "forwarded_for" if my
>> system is running intercept?
>
> "forwarded_for on" is the default for all modes. The client IP *as seen by Squid* is added to the header.
>
>> To my understanding, if I leave the
>> X-Forwarded-For header, my NATted client's IP will be the visible
>> requestor?
>
> Whatever the client IP making the request was will be noted as the original requestor. The internal "private" IP ranges have no meaning to external viewers. They simply indicate that there was a NAT step.
>
>> In the past, did we strip that out, or is it something new?
>
> Nothing has changed in Squid. Maybe your config or something outside Squid was playing with it.
>
>> Is there a way to have the final request return the global NAT IP of
>> the client?
>
> There is no such global IP for the client, at least for port 80. The client never touches the Internet when intercepted into Squid. This is one of the few benefits of interception.
>
> Squid box is the only public TCP/IP address touching the Internet.
>
>> Currently squid seems to be the final, I think. Can
>> someone clarify this option for me? Thanks, -j
>>
>> 192.168.1.2 ---> 192.168.1.1[ squid]10.10.10.1 -- 10.10.10.2 [ IP
>> NAT ] -- GLOBAL
>>
>
> Correct.
>
>>
>> forwarded_for: new setting options: transparent, truncate, delete.
>>
>> If set to "transparent", Squid will not alter the X-Forwarded-For
>> header in any way.
>>
>> If set to "delete", Squid will delete the entire X-Forwarded-For
>> header.
>>
>> If set to "truncate", Squid will remove all existing X-Forwarded-For
>> entries, and place itself as the sole entry.
>>
>
> ... as you cut-n-pasted from the documentation, that is what it does.
>
> The "place itself as the sole entry" was incorrect. Fixed in recent releases to be "place the client IP as the sole entry".
>
>
> Going back to your initial goal "get a good understanding of what my clients look like to the outside"...
>
> The "outside" all sees Squid global IP connecting to them and making requests.
> For smart web services that attempt to use advanced transfer features they see the Via: header indicating the client and Squid capabilities so nothing breaks halfway back.
> For smart security systems that attempt IP-based security (the ones that do it well anyway) they see the X-Forwarded-For header with a group of identifiers that can be combined to classify different end clients apart.
>
> Amos

Thanks for the clarity :) BTW, the 3.2.12 build on Darwin ppc/intel works great.
-j
Received on Tue Apr 26 2011 - 12:37:39 MDT
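The following is an added example, not code from the thread or from the Squid project. It models the forwarded_for modes Amos and the squid.conf text describe (on, off, transparent, delete, truncate, with truncate using the corrected "client IP as the sole entry" behaviour), applies them to the topology in the diagram above (client 192.168.1.2 behind an intercepting Squid and a 1-1 NAT), and shows the other half of the picture: how an origin server that does IP-based security should read the resulting X-Forwarded-For chain so that a client-forged entry is not mistaken for the real source. The global NAT address 203.0.113.10 and the header semantics written here are assumptions for illustration, taken from the squid.conf documentation rather than from Squid source.

```python
"""
Model of Squid's forwarded_for handling and of how an origin server
should read the resulting X-Forwarded-For chain.

Constructed example, not Squid source. Mode semantics follow the
squid.conf documentation for forwarded_for. Addresses reuse the
thread's diagram (client 192.168.1.2 behind an intercepting Squid and
a 1-1 NAT); 203.0.113.10 is a made-up documentation address standing
in for the NAT's global IP.
"""
import ipaddress


def apply_forwarded_for(headers, client_ip, mode="on"):
    """Return a copy of `headers` with X-Forwarded-For rewritten the way
    Squid does for the given forwarded_for mode.

    Modes, per squid.conf:
      on          append the client IP as seen by Squid (the default)
      off         append the literal word "unknown"
      transparent leave any existing header untouched
      delete      remove the header entirely
      truncate    drop all existing entries; client IP becomes the sole entry
    """
    out = dict(headers)
    existing = out.get("X-Forwarded-For")
    if mode == "on":
        out["X-Forwarded-For"] = f"{existing}, {client_ip}" if existing else client_ip
    elif mode == "off":
        out["X-Forwarded-For"] = f"{existing}, unknown" if existing else "unknown"
    elif mode == "transparent":
        pass
    elif mode == "delete":
        out.pop("X-Forwarded-For", None)
    elif mode == "truncate":
        out["X-Forwarded-For"] = client_ip
    else:
        raise ValueError(f"unknown forwarded_for mode: {mode}")
    return out


def outside_view(mode, xff_in=None):
    """Simulate the thread's path: client -> intercepting Squid -> 1-1 NAT -> Internet.

    Returns (tcp_peer_address_seen_by_origin, X-Forwarded-For value or None).
    `xff_in` is an X-Forwarded-For header already present on the client's
    request, e.g. one the client forged to impersonate another address.
    """
    client = "192.168.1.2"        # LAN client, the IP Squid sees on the intercepted connection
    nat_global = "203.0.113.10"   # assumed global address of the 1-1 NAT (constructed)
    req = {"Host": "example.com"}
    if xff_in:
        req["X-Forwarded-For"] = xff_in
    req = apply_forwarded_for(req, client, mode)
    # Squid's 10.10.10.x side is rewritten by the NAT; the origin's TCP peer
    # is the NAT's global address, and the only trace of the LAN is in XFF.
    return nat_global, req.get("X-Forwarded-For")


def real_client_ip(remote_addr, xff, trusted_proxies):
    """What an origin server should treat as the client address.

    Walk the X-Forwarded-For chain from the right (the hop nearest to us),
    skip addresses that belong to proxies we trust, and stop at the first
    one we do not. If the TCP peer itself is not a trusted proxy, the
    header was not written by anyone we trust and the peer address wins.
    Non-IP entries such as "unknown" are returned as-is: the origin cannot
    do better than report what the proxy chain handed it.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:
            return False
        return any(ip in net for net in trusted)

    if not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return remote_addr


if __name__ == "__main__":
    for mode in ("on", "off", "transparent", "delete", "truncate"):
        print(f"{mode:12s} forged XFF 1.2.3.4 ->", outside_view(mode, "1.2.3.4"))
    peer, xff = outside_view("on", "1.2.3.4")
    print("origin trusting the NAT IP concludes client =",
          real_client_ip(peer, xff, ["203.0.113.10/32"]))
```

The point for the "smart security systems" Amos mentions: with the default `forwarded_for on`, a client-supplied `X-Forwarded-For: 1.2.3.4` survives and Squid appends `192.168.1.2` after it, so an origin that naively takes the leftmost entry is spoofed, while one that walks from the right past only its trusted proxy (the NAT's global address here) recovers the real LAN client. `truncate` or `delete` removes the forgeable part at the proxy instead, at the cost of losing any legitimate upstream chain.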