Re: [squid-users] Why is follow_x_forwarded_for not used for ICAP ? Or is it?

From: Michael Portz <Michael.Portz_at_netaachen.com>
Date: Tue, 19 Jan 2010 10:15:11 +0100

On 19.01.2010 at 09:59, Amos Jeffries wrote:

> Michael Portz wrote:
> >> On 19.01.2010 at 09:06, Amos Jeffries wrote:
>>
>>> Michael Portz wrote:
>>>> My scenario is the following:
>>>>
>>>> The original accesses from our LAN hit on the first-level squid.
>>>> Doing some basic load-balancing the requests are forwarded to several
>>>> parent-squids. Each of these contact various ICAP-servers for
>>>> modifications of the request.
>>>>
>>>> The problem: several decisions of the ICAP-server should be based on
>>>> the original clients IP-address. Alas, given the scenario above, it
>>>> only can be based on the outgoing IP address of the first-level
> >>>> proxy. The configuration option follow_x_forwarded_for does the right
> >>>> thing, but "only" access_control, delay pools and logging are
>>>> explicitly stated as applications. Does it work for icap, too? Or is
>>>> something like this in the development queue?
>>>>
>>>> The all-over squid version is 3.0.STABLE21.
>>>>
>>>> Regards Michael
>>> Strange. 3.0 does not even have a follow_x_forwarded_for option. That
>>> was added to Squid-3.1.
>>>
>>> The one in 3.1 has several known problems such as the ICAP lack you
>>> cite. http://bugs.squid-cache.org/show_bug.cgi?id=2731
>>> I'm hoping to fix XFF by next release. Certainly before it goes stable.
>>>
>>> Amos
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
>>> Current Beta Squid 3.1.0.15
>>
>> Great!
>>
> >> I am new to the list but my experience from elsewhere is that if you
> >> don't mention the version, half of the replies to your posting are "what version
>> are you using" so I usually include this bit of information, regardless of its
>> importance to the contents of the posting :-)
>>
> >> Thanks for your answer and for the pointer; your answer saves me setting
> >> up a 3.1 just to find out. I am not sure I understood you correctly though,
> >> so allow me one more question: Does Wolfgang's patch
>>
>> - work?
>> - nearly work?
>> - is still too buggy to use?
>
> Nearly. It does send the XFF result IP to ICAP like it is supposed to.
>
> The other problems in XFF mean that the result IP may not always be
> what you want. The direct client IP is not checked and Squid 'fails'
> partially trusted chains when it should not.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
> Current Beta Squid 3.1.0.15

Not wanting to press you into overly speculative answers, but can I
assume that in my simple scenario (exactly one squid between
the client and the XFF-squid) it might just work?

Michael

--
NetAachen GmbH
Grüner Weg 100 | 52070 Aachen
Tel: +49 241 91852 28 | Fax: +49 241 91852 99
www.netaachen.de
Managing Director:
Dipl.-Ing. Andreas Schneider
Local court (Amtsgericht) Aachen: HRB 15383
This message (including all attachments) is confidential. It is intended exclusively for the addressee named in the address field. If you are not the intended recipient, please let us know with a short note. Any unauthorised forwarding or copying is not permitted. Since we cannot guarantee the authenticity or completeness of the information contained in this message, we exclude any legally binding effect of the above statements and declarations.
Received on Tue Jan 19 2010 - 09:15:26 MST

This archive was generated by hypermail 2.2.0 : Tue Jan 19 2010 - 12:00:03 MST
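The thread above turns on which address the XFF-squid should treat as "the client" in a two-tier chain, and on Amos's two caveats: that the direct client IP is not checked and that partially trusted chains are handled wrongly. The following is an added example, not code from the thread and not Squid's own implementation: a Python model of the right-to-left X-Forwarded-For walk that the follow_x_forwarded_for option is documented to perform, with the trusted-proxy network (10.0.0.0/24), the sample addresses, the handling of non-IP entries such as "unknown", and the `check_direct_client` flag (which models the "direct client IP is not checked" remark) all being assumptions made for illustration.

```python
"""
Model of the X-Forwarded-For trust walk that Squid's follow_x_forwarded_for
is documented to perform.  Added example; not Squid code and not code from
the mailing-list thread.  The addresses, the trusted-proxy list and the
handling of non-IP entries are assumptions made for illustration.
"""
import ipaddress
from typing import Iterable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed topology: the first-level squids live in 10.0.0.0/24; only they
# may assert an X-Forwarded-For header on behalf of a client.
TRUSTED_PROXIES = ["10.0.0.0/24"]


def _parse_xff(headers: Iterable[str]) -> List[str]:
    """Flatten one or more X-Forwarded-For header values into a list.

    Entries are comma separated; the leftmost is the original client and the
    rightmost is the most recent proxy.  Several headers are concatenated in
    the order they appear in the request.
    """
    entries: List[str] = []
    for value in headers:
        entries.extend(e.strip() for e in value.split(",") if e.strip())
    return entries


def _as_ip(text: str) -> Optional[IPAddress]:
    """Parse an address, returning None for entries such as 'unknown'."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def indirect_client_ip(direct_client: str, xff_headers: Iterable[str],
                       trusted_proxies: Iterable[str] = TRUSTED_PROXIES,
                       check_direct_client: bool = True) -> str:
    """Walk the XFF chain right-to-left and return the IP to treat as client.

    A header entry is consumed only while the hop that sent it is a trusted
    proxy, starting with the TCP peer (direct_client).  The walk stops at the
    first untrusted hop, so an untrusted LAN host cannot spoof a client
    address by adding its own header, and a partially trusted chain resolves
    to the last hop we can vouch for rather than failing outright.

    check_direct_client=False models the flaw Amos mentions ("the direct
    client IP is not checked"): the rightmost header entry is taken on faith.
    This is an assumption about what that remark means, not a reading of the
    Squid source.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(addr: str) -> bool:
        ip = _as_ip(addr)
        return ip is not None and any(ip in n for n in nets)

    chain = _parse_xff(xff_headers)
    client = direct_client
    hop_is_trusted = trusted(client) or not check_direct_client
    while hop_is_trusted and chain:
        candidate = chain.pop()          # rightmost remaining entry
        if _as_ip(candidate) is None:    # "unknown" or garbage: stop here
            break                        # (assumption: keep what we have)
        client = candidate
        hop_is_trusted = trusted(client)
    return client


if __name__ == "__main__":
    # Constructed scenarios for the two-tier setup described in the thread.
    # First-level squid (trusted) forwards a LAN client: header is honoured.
    print(indirect_client_ip("10.0.0.10", ["192.168.1.25"]))       # 192.168.1.25
    # LAN client talks to the XFF-squid directly with a forged header: ignored.
    print(indirect_client_ip("192.168.1.25", ["203.0.113.9"]))     # 192.168.1.25
    # Same forged header when the direct peer is not checked: spoof succeeds.
    print(indirect_client_ip("192.168.1.25", ["203.0.113.9"],
                             check_direct_client=False))           # 203.0.113.9
```

The `trusted()` check plays the role of the ACL that follow_x_forwarded_for is given in squid.conf: in the scenario from the thread it should match only the first-level squid, so that one hop is peeled off and everything to the left of it is ignored unless the sending proxy is itself trusted.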