On Wednesday, July 16, 2003, at 10:36 AM, Gustaf Neumann wrote:

PS: with the log-file change in the aolserver, there is a potential small security leak. The proxy MUST block requests that have X-Forwarded-For already set (easily configurable in pound). Otherwise, it is possible that the wrong client address is written into the logfile, and a client can hide its identity....

You probably don't want to block requests that have X-Forwarded-For set, and using it to log the client address is also a bit of a crapshoot, because you never know how many proxies a request has passed through before reaching you, each of which may have added an X-Forwarded-For header. If you're doing this, what you'd want to do is configure Pound to strip out any existing X-Forwarded-For headers before putting in its own.


That X-Forwarded-For is a very useful little feature, thanks for doing it Zoran!

Well, it seemed trivial to include, so I did it. Some people have expressed concern about a potential security issue with this, so I may end up making this configurable over some (yet to be named) ns_param in the config file for the nslog facility.

Personally (speaking as an unknown, new voice here), while I can see it could be a useful feature, I'd rather see it configurable and defaulting to off. I'd expect that rewriting the logged client address like this in the access log is only *required* when you're sitting behind an accelerator, in which case you should know to turn it on. If you're not behind an accelerator then it could well make the stats you collect out of the logs *less* useful - many businesses use their own proxies and have clients sitting on 192.168/16 or 10/8 networks, and having my logs full of RFC 1918 client addresses isn't the most useful for figuring out who my visitors are.


cheers



russell muetzelfeldt <[EMAIL PROTECTED]>


"Never offend people with style when you can offend them with
substance."
  --Sam Brown
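As an added illustration of the two points made in this thread (not code from the thread, from AOLserver, or from Pound): the edge proxy drops any client-supplied X-Forwarded-For before inserting its own, and the access logger only honours the header when the direct peer is a trusted accelerator, taking the right-most address that is not itself a trusted proxy. The trusted proxy address 10.0.0.1 and all sample IPs are constructed for the example.

```python
import ipaddress

# Constructed assumption: the accelerator (e.g. Pound) is the only peer whose
# X-Forwarded-For we trust; everything else reaches the server directly.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}


def edge_rewrite_xff(headers, peer_ip):
    """What the edge proxy should do: strip every X-Forwarded-For the client
    sent and insert a single one carrying the address the proxy itself saw."""
    cleaned = {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}
    cleaned["X-Forwarded-For"] = peer_ip
    return cleaned


def logged_client(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Address to write into the access log for this request.

    A client-supplied X-Forwarded-For is ignored unless the request came in
    through a trusted proxy, so a direct client cannot hide its address. When
    it did, walk the chain from the right (the hop our proxy appended) and
    return the first address that is not one of our own proxies."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        return peer_ip  # not behind the accelerator: any XFF is untrusted noise
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable hop: trust nothing to its left, fall back to peer
        if addr not in trusted:
            return str(addr)
    return peer_ip  # empty chain, or only our own proxies in it


if __name__ == "__main__":
    # A client tries to spoof its address; the proxy appends the real one.
    spoofed = {"X-Forwarded-For": "1.2.3.4"}
    at_server = edge_rewrite_xff(spoofed, "198.51.100.7")
    print(logged_client("10.0.0.1", at_server))       # 198.51.100.7
    print(logged_client("203.0.113.9", spoofed))      # 203.0.113.9
```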


-- AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of 
your email blank.
