Re: [squid-users] Why is follow_x_forwarded_for not used for ICAP ? Or is it?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 19 Jan 2010 23:18:06 +1300

Michael Portz wrote:
> On 19.01.2010 at 09:59, Amos Jeffries wrote:
>
>> Michael Portz wrote:
>>> On 19.01.2010 at 09:06, Amos Jeffries wrote:
>>>
>>>> Michael Portz wrote:
>>>>> My scenario is the following:
>>>>>
>>>>> The original accesses from our LAN hit on the first-level squid.
>>>>> Doing some basic load-balancing the requests are forwarded to several
>>>>> parent-squids. Each of these contact various ICAP-servers for
>>>>> modifications of the request.
>>>>>
>>>>> The problem: several decisions of the ICAP-server should be based on
>>>>> the original client's IP address. Alas, given the scenario above, it
>>>>> can only be based on the outgoing IP address of the first-level
>>>>> proxy. The configuration option follow_x_forwarded_for does the right
>>>>> thing, but "only" access_control, delay pools and logging are
>>>>> explicitly stated as applications. Does it work for icap, too? Or is
>>>>> something like this in the development queue?
>>>>>
>>>>> The all-over squid version is 3.0.STABLE21.
>>>>>
>>>>> Regards Michael
>>>> Strange. 3.0 does not even have a follow_x_forwarded_for option. That
>>>> was added to Squid-3.1.
>>>>
>>>> The one in 3.1 has several known problems such as the ICAP lack you
>>>> cite. http://bugs.squid-cache.org/show_bug.cgi?id=2731
>>>> I'm hoping to fix XFF by next release. Certainly before it goes stable.
>>>>
>>>> Amos
>>>> --
>>>> Please be using
>>>> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
>>>> Current Beta Squid 3.1.0.15
>>> Great!
>>>
>>> I am new to the list but my experience from elsewhere is that if you
>>> don't mention the version, half of the replies to your posting are "what version
>>> are you using" so I usually include this bit of information, regardless of its
>>> importance to the contents of the posting :-)
>>>
>>> Thanks for your answer and for the pointer, your answer saves me setting
>>> up a 3.1 just for finding out; not sure I understood you correctly though,
>>> so allow for one more question: Does Wolfgang's patch
>>>
>>> - work?
>>> - nearly work?
>>> - is still too buggy to use?
>> Nearly. It does send the XFF result IP to ICAP like it is supposed to.
>>
>> The other problems in XFF mean that the result IP may not always be
>> what you want. The direct client IP is not checked and Squid 'fails'
>> partially trusted chains when it should not.
>>
>> Amos
>
> Not wanting to press you into too speculative answers, but can I
> assume that in my simple scenario (exactly one squid in between
> the client and the XFF-squid) it might just work?
>
> Michael

Yes. The simplistic configurations work.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
   Current Beta Squid 3.1.0.15
Received on Tue Jan 19 2010 - 10:18:23 MST
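
Added example, not part of the original thread and not Squid's code: a simplified Python model of evaluating X-Forwarded-For from right to left for the one-proxy scenario discussed above, checking the directly connected peer before believing any entry. The addresses, TRUSTED_PROXIES and the function names are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: 10.0.0.2 stands for the first-level proxy,
# 192.168.1.0/24 for the LAN clients behind it.
TRUSTED_PROXIES = [ip_network("10.0.0.2/32")]


def is_trusted(addr):
    """True if addr belongs to a proxy allowed to report client addresses."""
    return any(addr in net for net in TRUSTED_PROXIES)


def indirect_client(peer, xff):
    """Return the address to treat as the client (illustrative model).

    peer is the directly connected TCP peer, xff the raw
    X-Forwarded-For header value (or None if absent).
    """
    current = ip_address(peer)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Walk right to left: the right-most entry was appended by the
    # directly connected peer, so it is only as reliable as that peer.
    for hop in reversed(hops):
        if not is_trusted(current):
            break  # the sender of this entry is not a known proxy
        try:
            current = ip_address(hop)
        except ValueError:
            break  # e.g. "unknown": keep the last verified address
    return str(current)


if __name__ == "__main__":
    # One trusted proxy in front; the client tried to prepend a fake entry.
    print(indirect_client("10.0.0.2", "203.0.113.9, 192.168.1.50"))
    # A LAN host connects directly and supplies its own header.
    print(indirect_client("192.168.1.77", "10.9.9.9"))
```

An ICAP decision keyed on the returned address stays correct in both calls because the walk stops at the first sender that is not a known proxy.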
