Re: [squid-users] squid + dansguardian + auth

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 16 Feb 2010 10:14:40 +1300

On Mon, 15 Feb 2010 13:15:35 -0430, Jose Ildefonso Camargo Tolosa
<ildefonso.camargo_at_gmail.com> wrote:
> Hi!
>
> I really don't understand why are you, people, so insistent on the
> "x-forwarded-for" thing..... it has nothing to do with authentication,
> unless you use IP as part of your ACLs, of course.

You mean such as little 'unimportant' things like "http_access allow
our_networks" or "http_access deny all"?

XFF defines the route of transfer. Security ACLs define the trusted secure
zone. Combined, the XFF provides the true origin client for end-server
access authorization (and IP spoofing sometimes) across any hierarchy.

The hierarchy in this case is client+DG+Squid+untrusted.

Some (many?) websites use it to identify individual client sources across
translation technologies such as NAT, intercepting proxies and CDN
hierarchies where the IP addresses are altered and multiple clients
otherwise appear to all come from the same source.

In the case of Squid+DansGuardian, _every single request_ comes out the
other end as sourced from 127.0.0.1 / localhost.

Amos
Received on Mon Feb 15 2010 - 21:14:44 MST
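
Added example (not part of the original message, and not Squid's or DansGuardian's code): a small Python model of the point above, showing how an IP-based ACL behaves behind a localhost filter with and without X-Forwarded-For, and why the header is only followed when the hop that sent it is trusted. The network ranges, addresses and function names are constructed assumptions.

```python
import ipaddress

# Constructed values for illustration; not taken from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]  # filter on the same host
OUR_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]   # stand-in for "our_networks"


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client(peer_ip, xff_header):
    """Return the address the ACLs should be evaluated against.

    Walk X-Forwarded-For from right (nearest hop) to left, stepping back
    one hop only while the hop that reported it is a trusted proxy.
    """
    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    while hops and _in_any(current, TRUSTED_PROXIES):
        candidate = hops.pop()
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return current


def http_access(peer_ip, xff_header, use_xff=True):
    """Model of 'allow our_networks' followed by 'deny all'."""
    if use_xff:
        addr = effective_client(peer_ip, xff_header)
    else:
        addr = ipaddress.ip_address(peer_ip)
    return "allow" if _in_any(addr, OUR_NETWORKS) else "deny"


if __name__ == "__main__":
    cases = [  # (TCP peer seen by the proxy, X-Forwarded-For header)
        ("127.0.0.1", "192.168.1.50"),    # LAN client via the local filter
        ("127.0.0.1", "203.0.113.9"),     # outside client via the local filter
        ("203.0.113.9", "192.168.1.50"),  # untrusted peer supplying its own header
    ]
    for peer, xff in cases:
        print(peer, xff, http_access(peer, xff, use_xff=False), http_access(peer, xff))
```

Without the header, the first two cases are indistinguishable (both arrive as 127.0.0.1); with it, only the LAN client is allowed, and the third case is still denied because its header is never followed.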
