Re: [squid-users] ACL based on XFF

From: Sekar Duraisamy <sekarit_at_gmail.com>
Date: Tue, 3 Apr 2012 18:15:02 +0530

Hi Amos,

Thanks for your detailed explanation with config. Now I can see the
XFF IP as a source IP in access log and could block the users from
this.

Thanks a lot.

Regards,
Sekar

On Mon, Apr 2, 2012 at 7:23 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 3/04/2012 1:13 a.m., Sekar Duraisamy wrote:
>>
>> This will allow XFF header from the LB requests to squid. How to block
>> the original users in squid with the XFF information?
>>
>> I mean the ACL configuration please...
>
>
> Exactly as you would if the clients had connected to Squid directly. Using
> the "src" ACL type.
>
> I'm not sure what your confusion is. Have you added the
> follow_x_forwarded_for rules yet and seen what they do?
>
>
>>
>> This is the purpose of XFF header and the follow_x_forwarded_for
>> directive.
>>
>> This config:
>>  acl LB src <your LB IP address>
>>  follow_x_forwarded_for allow LB
>>  follow_x_forwarded_for deny all
>>
>> With the LB setting the XFF header correctly the above will make Squid
>> see
>> and use the IP of clients on other side of the LB.
>>
>> Amos
>
>
Received on Tue Apr 03 2012 - 12:45:09 MDT
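
The following is an added example, not part of the original thread and not Squid's own code. It models in Python how the quoted follow_x_forwarded_for rules pick the address that a "src" ACL is then matched against. It assumes Squid's documented behaviour of backtracking through X-Forwarded-For while the current address is allowed, and an LB that appends the address of the peer it received the request from. All function names and addresses are hypothetical.

```python
import ipaddress

def indirect_client(peer_ip, xff_header, trusted_nets):
    """Model of follow_x_forwarded_for: the address a "src" ACL is tested against.

    Starting from the TCP peer, step right to left through X-Forwarded-For
    while the current address is allowed by follow_x_forwarded_for.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    while hops and any(current in n for n in nets):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # unparsable entry: this model stops and keeps the last good address
    return str(current)

def is_denied(peer_ip, xff_header, trusted_nets, blocked_nets):
    """True if the resolved client address falls in a blocked "src" range."""
    client = ipaddress.ip_address(indirect_client(peer_ip, xff_header, trusted_nets))
    return any(client in ipaddress.ip_network(n) for n in blocked_nets)

# Constructed sample values (documentation address ranges, not from the thread)
LB = ["192.0.2.10/32"]          # stands in for "acl LB src <your LB IP address>"
BLOCKED = ["203.0.113.45/32"]   # a client range to deny with a "src" ACL

if __name__ == "__main__":
    cases = [
        ("via LB", "192.0.2.10", "203.0.113.45"),
        ("via LB, client sent its own XFF", "192.0.2.10", "198.51.100.7, 203.0.113.45"),
        ("direct to Squid with XFF", "203.0.113.45", "198.51.100.7"),
        ("via LB, no XFF set", "192.0.2.10", None),
    ]
    for label, peer, xff in cases:
        print(label, indirect_client(peer, xff, LB), is_denied(peer, xff, LB, BLOCKED))
```

The last case shows why the LB must set the header: without it, every request resolves to the LB's own address and per-client "src" rules cannot match.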
