Re: [squid-users] Cache_peer and follow_x_forwarded_for

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 26 Feb 2013 12:10:33 +1300

On 26/02/2013 2:57 a.m., Rafael Gomes wrote:
> I wanna get the real ip of client.
>
> I have a server1 (10.2.3.20) with this option:
>
> cache_peer 10.2.3.21 parent 8080 3130 round-robin name=squidpeer1
> never_direct allow all
> miss_access allow all
>
> Server2 (10.2.3.21) has this option
>
> follow_x_forwarded_for allow all

NP: this is extremely unsafe.

follow_x_forwarded_for is a trust assignment test. What the line above
does is permit the clients to send X-Forwarded-For: headers with fake
IPs and your proxy Server2 will perform its testing against those fake ones.

You should only allow trust to the IPs you actually trust. Like this:

   acl peer src 10.2.3.20
   follow_x_forwarded_for allow peer
   follow_x_forwarded_for deny all

If you want to pass the client IP through a hierarchy of caches you can
use two methods:

1) all of your servers set "forwarded_for on" and they plus all your
upstream proxies need to trust each possible server you have in their
follow_x_forwarded_for rules.

2) your server1 sets "forwarded_for on", all your internal relays like
server2 set "forwarded_for transparent".
   Your servers and your upstream servers only need to trust the
specific relay machine they are getting HTTP traffic from and any which
are visible in the XFF header.
   Effectively each network along the path only needs to trust the
locally-facing gateway proxy from each other network - instead of every
individual machine hop inside a CDN.

> All the clients request only server1,
>
> but in log of server2 I can't see ip of client. I only can see the ip of
> server1.
>
> How can I fix it?

The server1 needs to have "forwarded_for on" configured (which is the
default) to send the real client IP in HTTP headers.

The server2 needs to have follow_x_forwarded_for allowing trust of IPs
delivered by server1.

Amos
Received on Mon Feb 25 2013 - 23:10:39 MST
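The behaviour Amos describes can be modelled in a few lines. The script below is an added example, not code from the Squid project or from the thread: it imitates the follow_x_forwarded_for trust walk (start at the TCP peer, and while the current address is trusted step one entry further left in X-Forwarded-For, so the first untrusted address is what gets logged) and the forwarded_for header rewriting modes, then replays the thread's topology. The client address 192.0.2.10 and the spoofed value 203.0.113.99 are constructed test inputs; 10.2.3.20 and 10.2.3.21 are the servers from the thread. Squid's handling of malformed XFF entries is simplified (any non-IP entry such as "unknown" ends the walk), which is an assumption of this model.

```python
"""Model of Squid's follow_x_forwarded_for trust walk and forwarded_for modes.

Added example; not Squid code. Shows why "follow_x_forwarded_for allow all"
on server2 lets a client forge its logged address, and how methods (1) and
(2) from the reply differ in what an upstream proxy must trust.
"""
import ipaddress
from typing import List, Optional, Set, Tuple


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _trusted(ip: str, acl: Set[str]) -> bool:
    # acl is a set of trusted source IPs; the literal "all" matches any source,
    # mirroring "follow_x_forwarded_for allow all".
    return "all" in acl or ip in acl


def forwarded_for_rewrite(mode: str, direct_client: str,
                          xff: Optional[str]) -> Optional[str]:
    """Outgoing X-Forwarded-For after one Squid hop with the given forwarded_for mode."""
    if mode == "transparent":
        return xff                      # header passed through untouched
    if mode == "delete":
        return None                     # header removed entirely
    if mode == "truncate":
        return direct_client            # header replaced by the direct client only
    if mode == "on":
        entry = direct_client           # append the real peer address
    elif mode == "off":
        entry = "unknown"               # append the literal "unknown"
    else:
        raise ValueError(f"unknown forwarded_for mode: {mode}")
    return f"{xff}, {entry}" if xff else entry


def resolve_client(direct_peer: str, xff: Optional[str], acl: Set[str]) -> str:
    """Address Squid logs after the follow_x_forwarded_for walk.

    Begin with the TCP peer. While the current address is trusted by `acl`,
    take the next entry from the RIGHT of X-Forwarded-For. Stop at the first
    untrusted address (or a non-IP entry, a simplification of Squid's
    behaviour) and report it as the indirect client.
    """
    client = direct_peer
    if not xff:
        return client
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not _trusted(client, acl) or not _is_ip(hop):
            break
        client = hop
    return client


def simulate_chain(client_ip: str, client_xff: Optional[str],
                   hops: List[Tuple[str, str]],
                   acl: Set[str]) -> Tuple[Optional[str], str, str]:
    """Send a request from client_ip (optionally carrying its own forged
    X-Forwarded-For) through hops [(proxy_ip, forwarded_for_mode), ...].
    The server after the last hop applies follow_x_forwarded_for with `acl`.
    Returns (xff_seen_by_final_server, direct_peer_of_final_server, logged_client).
    """
    xff, peer = client_xff, client_ip
    for proxy_ip, mode in hops:
        xff = forwarded_for_rewrite(mode, peer, xff)
        peer = proxy_ip
    return xff, peer, resolve_client(peer, xff, acl)


if __name__ == "__main__":
    CLIENT, FORGED = "192.0.2.10", "203.0.113.99"   # constructed test values
    server1 = [("10.2.3.20", "on")]                   # forwarded_for on (default)

    # Server2 with "follow_x_forwarded_for allow all": the forged entry wins.
    print("allow all  :", simulate_chain(CLIENT, FORGED, server1, {"all"}))
    # Server2 trusting only the peer it actually talks to: real client logged.
    print("allow peer :", simulate_chain(CLIENT, FORGED, server1, {"10.2.3.20"}))

    # Method 1: every relay appends itself, so upstream must trust all of them.
    m1 = server1 + [("10.2.3.21", "on")]
    print("method 1, trust relay only :", simulate_chain(CLIENT, None, m1, {"10.2.3.21"}))
    print("method 1, trust both       :", simulate_chain(CLIENT, None, m1, {"10.2.3.21", "10.2.3.20"}))
    # Method 2: relays are transparent, upstream trusts only its facing relay.
    m2 = server1 + [("10.2.3.21", "transparent")]
    print("method 2, trust relay only :", simulate_chain(CLIENT, None, m2, {"10.2.3.21"}))
```

Running it shows the "allow all" case logging 203.0.113.99, a value the client simply typed into its own header, while the "allow peer" case logs 192.0.2.10. In the three-hop chain, method 1 makes the upstream log server1's address unless it also trusts 10.2.3.20, whereas method 2 yields the real client while trusting only the relay it is directly connected to.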

This archive was generated by hypermail 2.2.0 : Tue Feb 26 2013 - 12:00:04 MST