Re: [squid-users] follow_x_forwarded_for

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 01 Apr 2010 03:04:34 +1300

Dayo Adewunmi wrote:
> Hi
>
> How do I use `follow_x_forwarded_for` to allow the X-Forwarded-For header
> for all IPs in my LAN 192.168.0.0/21. They all go through the squid proxy,
> 192.168.0.1.
> Thanks
>
> Dayo
>

Consider: Are 192.168.0.0/21 all proxies which you trust not to forge
the header?

follow_x_forwarded_for is for chained proxies to define a "zone" of
proxies which it trusts to create XFF headers properly. It then decodes
the XFF header and uses the IP which connected to the outermost trusted
proxy.

For example:
  ISP runs a cluster of public facing proxies (2,3,4,5,...) and a
cluster of private caches (x,y,z). A common setup for load balanced proxies.

  Client "C" has their own private LAN proxy A.

Now when C connects to the Internet the connection relay chain looks
like this:

  C -> A -> (2 or 3) -> Z -> Internet

The ISP caching proxy Z can use this:

   acl isp src 2 3 4 5 ... X Y Z
   follow_x_forwarded_for allow isp
   follow_x_forwarded_for deny all

... to decode XFF header skipping the entry for (2 or 3) and determine
that as far as the ISP is concerned A is the client connecting in.

The IP of A is what then gets logged and ACL tested at Z instead of the
IP for 2,3,4,5 etc. which for Z will always be the ones doing direct TCP
links in.

It's a bit of safety to prevent ISP situations like this falling for
spoofed XFF headers. For example, if the client was using "1" to forge an
XFF header claiming "C"'s IP was the same as "2", which might be allowed
unlimited access.

If you only have one proxy or one layer, i.e. you are the "A" here, then
you do not need to bother with follow_x_forwarded_for at all.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1
Received on Wed Mar 31 2010 - 14:04:44 MDT
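The walk through the XFF header that the reply describes, as an added example that is not part of the original post and not Squid's own code: it models the follow_x_forwarded_for behaviour (start at the TCP peer, step one hop left while the current address is inside the trusted zone, stop at the first address outside it) and contrasts it with a naive "believe the leftmost entry" decoder. The addresses are constructed stand-ins for the hosts named in the thread, and the trusted zone for the questioner's whole-LAN idea is an assumption used only to show why it is risky.

```python
import ipaddress

# Constructed addresses (not from the original post), standing in for the
# hosts named in the thread:
#   2,3,4,5 ... ISP public-facing proxies   -> 198.51.100.0/24
#   X,Y,Z     ISP private caches            -> 10.0.0.0/24
#   A         the customer's own LAN proxy  -> 192.0.2.1
#   C         the end client behind A       -> 192.0.2.50
#   1         an attacker-controlled host   -> 203.0.113.7
ISP_ZONE = [ipaddress.ip_network("198.51.100.0/24"),
            ipaddress.ip_network("10.0.0.0/24")]


def parse_ip(text):
    """Return an ip_address, or None for a junk XFF entry such as 'unknown'."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(ip, zone):
    return ip is not None and any(ip in net for net in zone)


def indirect_client(direct_peer, xff_header, zone):
    """Model of follow_x_forwarded_for (an assumption about Squid's
    behaviour, not its code).  Start at the TCP peer.  While the current
    address is in the trusted zone and XFF has entries left, step to the
    rightmost remaining entry, i.e. the one that trusted hop appended.
    Stop at the first address outside the zone, or at a junk entry.
    The result is the address that connected to the outermost trusted
    proxy; entries written further left are never consulted, so a client
    cannot reach them by forging."""
    hops = [h for h in xff_header.split(",") if h.strip()] if xff_header else []
    client = ipaddress.ip_address(direct_peer)
    while is_trusted(client, zone) and hops:
        nxt = parse_ip(hops.pop())
        if nxt is None:        # unparseable entry: keep the last good address
            break
        client = nxt
    return str(client)


def naive_leftmost(direct_peer, xff_header):
    """What a careless 'take the first XFF entry' decoder does: it believes
    whatever the far end wrote, which is exactly the spoof the post warns of."""
    first = parse_ip(xff_header.split(",")[0]) if xff_header else None
    return str(first) if first is not None else direct_peer


if __name__ == "__main__":
    # Legitimate chain C -> A -> 2 -> Z: A appends C, proxy 2 appends A.
    print(indirect_client("198.51.100.2", "192.0.2.50, 192.0.2.1", ISP_ZONE))
    # -> 192.0.2.1 (A), as the reply says: 2 is skipped, A is the client.

    # Attacker "1" behind proxy 2 forges an entry claiming to be proxy 2.
    forged = "198.51.100.2, 203.0.113.7"
    print(indirect_client("198.51.100.2", forged, ISP_ZONE))   # -> 203.0.113.7
    print(naive_leftmost("198.51.100.2", forged))              # -> 198.51.100.2 (fooled)

    # Trusting a whole client LAN (the zone the question proposed, an
    # assumption here): any LAN host can now forge any client address.
    lan = [ipaddress.ip_network("192.168.0.0/21")]
    print(indirect_client("192.168.1.50", "10.0.0.9", lan))    # -> 10.0.0.9 (attacker-chosen)
```

The last case is the practical answer to the question above: if every host in 192.168.0.0/21 is inside the follow_x_forwarded_for zone, the walk never stops at an untrusted hop, so the "client" address used for logging and ACLs is whatever the LAN host chose to put in the header.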