Re: [squid-users] ACL based on XFF

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 03 Apr 2012 01:53:53 +1200

On 3/04/2012 1:13 a.m., Sekar Duraisamy wrote:
> This will allow XFF header from the LB requests to squid. How to block
> the original users in squid with the XFF information?
>
> I mean the ACL configuration please...

Exactly as you would if the clients had connected to Squid directly.
Using the "src" ACL type.

I'm not sure what your confusion is. Have you added the
follow_x_forwarded_for rules yet and seen what they do?

>
> This is the purpose of XFF header and the follow_x_forwarded_for
> directive.
>
> This config:
> acl LB src <your LB IP address>
> follow_x_forwarded_for allow LB
> follow_x_forwarded_for deny all
>
> With the LB setting the XFF header correctly the above will make Squid
> see and use the IP of clients on the other side of the LB.
>
> Amos
Received on Mon Apr 02 2012 - 13:53:58 MDT
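
As an added illustration (not part of the original post and not Squid's own code), this Python sketch models the right-to-left X-Forwarded-For backtracking that the squid.conf documentation describes for follow_x_forwarded_for, and shows which address a "src" ACL then matches. The addresses, the BLOCKED_SRC list and the function names are constructed placeholders; stopping at an entry that is not an IP is a simplification of this model.

```python
import ipaddress

# Constructed placeholders standing in for the thread's squid.conf:
#   acl LB src <LB address>
#   follow_x_forwarded_for allow LB
#   follow_x_forwarded_for deny all
TRUSTED_LB = [ipaddress.ip_network("192.0.2.10/32")]
# Hypothetical "src" ACL holding the client range to be blocked.
BLOCKED_SRC = [ipaddress.ip_network("203.0.113.0/24")]


def matches(addr, networks):
    return any(addr in net for net in networks)


def indirect_client(peer_ip, xff_header, trusted=TRUSTED_LB):
    """Backtrack through X-Forwarded-For, right to left, while the
    address currently in hand is one we are allowed to follow."""
    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    while hops and matches(current, trusted):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # model choice: stop at an entry that is not an IP
    return current


def src_acl_denies(peer_ip, xff_header, trusted=TRUSTED_LB):
    """Evaluate the blocking src ACL against the resolved client address."""
    return matches(indirect_client(peer_ip, xff_header, trusted), BLOCKED_SRC)


if __name__ == "__main__":
    lb = "192.0.2.10"
    cases = [  # (TCP peer, X-Forwarded-For as received), all constructed
        (lb, "203.0.113.7"),                  # blocked client via the LB
        (lb, "198.51.100.1, 203.0.113.7"),    # same client, forged first entry
        ("203.0.113.7", "198.51.100.1"),      # direct connection, forged header
        (lb, "198.51.100.20"),                # unblocked client via the LB
    ]
    for peer, xff in cases:
        print(peer, "|", xff, "->", indirect_client(peer, xff),
              "deny" if src_acl_denies(peer, xff) else "allow")
    # Trusting every source follows the forged entry too, so the ACL misses.
    everyone = [ipaddress.ip_network("0.0.0.0/0")]
    print(src_acl_denies(lb, "198.51.100.1, 203.0.113.7", everyone))
```

The last line prints False: without the "deny all" rule limiting trust to the LB, the header value supplied by the client decides which address the src ACL sees.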