Re: [squid-users] X-Forwarded-For and cache_peer_access

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 16 Jul 2013 23:30:27 +1200

On 16/07/2013 7:31 a.m., Michael Graham wrote:
> Hi all,
>
> I'm having a problem getting squid to select the upstream proxy based on
> the source address set in the X-Forwarded-For header.
>
> Here are the appropriate lines from my squid.conf:
>
> follow_x_forwarded_for allow all

You should never have "allow all" here even for just testing.
What "allow all" means for that directive is to completely trust
anything sent by any client and use the farthest back IP address found.
Not very useful for testing whether your one-hop-away software is
relaying you accurate details.

What you need to do is limit this to only permit trusting the IP
addresses of the upstream proxy which is supposed to be setting the XFF
header.

> acl forwardTrafficSubnet1 src 172.21.120.0/24
> cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
> cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
> never_direct deny forwardTrafficSubnet1
> cache_peer_access 172.21.120.24 allow all
> never_direct allow all
>
> (I'm only using allow all for testing I promise!)
>
> But I am always getting forwarded to the parent peer even when I am
> coming from a machine on forwardTrafficSubnet1.
>
> Has anyone had any success with this?

Does the X-Forwarded-For header actually contain an IP from the
172.21.120.0/24 subnet (and not some IPv6 address from that subnet's IPv6
ranges)?

Also, re-check this after fixing the follow_x_forwarded_for trust ACLs.
That may be affecting the results.

Amos
Received on Tue Jul 16 2013 - 11:30:34 MDT
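An added example (not from either poster's config) of the trust-limited squid.conf that Amos recommends, placed beside the weak line it replaces. The front-end proxy address 192.0.2.10 is an assumed placeholder; the ACL, peer and subnet values are the ones from Michael's post.

```conf
# Assumed placeholder: the address of the only proxy sitting in front of
# this Squid that is allowed to set X-Forwarded-For on a client's behalf.
acl xff_trusted_proxy src 192.0.2.10

# Weak (from the original post): trusts XFF from every client and walks the
# header back to the farthest address, so any client can forge its source.
#   follow_x_forwarded_for allow all

# Hardened: only the known front-end proxy's XFF entries are believed;
# anyone else is treated as the address that actually connected.
follow_x_forwarded_for allow xff_trusted_proxy
follow_x_forwarded_for deny all

# Make src ACLs and access.log use the XFF-derived (indirect) client
# address, so the peer-selection rules below see the original client.
acl_uses_indirect_client on
log_uses_indirect_client on

# Peer selection, using the values from the original post.
acl forwardTrafficSubnet1 src 172.21.120.0/24
cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query

# Clients on the subnet go direct; everyone else is sent to the parent.
cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
cache_peer_access 172.21.120.24 allow all
never_direct deny forwardTrafficSubnet1
never_direct allow all
```

After reloading, the client column in access.log shows which address the ACLs were evaluated against, which answers Amos's IPv4-versus-IPv6 question directly.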