Re: [squid-users] Getting Source-IP
On Thu, Apr 22, 2010 at 8:57 PM, Andreas Müller amuel...@gmx.de wrote:
>> So I thought that there is an option to inject custom headers into the request. But if this is not possible then I have to make the best of X_FORWARDED_FOR.

On 22.04.10 21:31, Jeff Pang wrote:
> From my experience, never much believe X_FORWARDED_FOR.

Only trust what was set up by your servers in X_FORWARDED_FOR. The technique is well documented in squid's config file; however, you apparently need to use it on the webserver and not in squid.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Depression is merely anger without enthusiasm.
AW: [squid-users] Getting Source-IP
Hello,

I know that I can't trust XFF. What is new for me is that the comma is optional and so it's more difficult to parse the value.

In my case I have control of the accel proxy and can trust it. So my idea was to inject an additional field with the IP of the incoming call to the proxy - the same IP I would get as remote_addr if my webserver received this call directly. The reason is just to restore the behavior after putting the webserver behind the proxy.

Kind regards,
Andreas Müller

--
Only two things are infinite: the universe and human stupidity.
But I'm not quite sure about the universe.
~Albert Einstein~
Re: [squid-users] Getting Source-IP
On Fri, Apr 23, 2010 at 3:58 PM, Andreas Müller amuel...@gmx.de wrote:
> Hello, I know that I can't trust XFF. What is new for me is that the comma is optional and so it's more difficult to parse the value.

You could use a function like Perl's split to get the last IP no matter whether the comma exists or not:

    $ perl -le '$ip="12.34.56.78,11.22.33.44,1.2.3.4";$last=(split/,/,$ip)[-1];print $last'
    1.2.3.4
    $ perl -le '$ip="12.34.56.78,11.22.33.44";$last=(split/,/,$ip)[-1];print $last'
    11.22.33.44
    $ perl -le '$ip="12.34.56.78";$last=(split/,/,$ip)[-1];print $last'
    12.34.56.78

--
Jeff Pang
http://home.arcor.de/pangj/
[squid-users] Getting Source-IP
Hello,

I'm using squid as an accel proxy. Is there a possibility to inject the source IP into the HTTP header sent to the webserver? I know that there is HTTP_X_FORWARDED_FOR, but it seems that the content of this parameter is not clear if this parameter is already in the request header (e.g. the request already comes from a proxy). Sometimes I get a comma-separated list, sometimes not.

So I'm searching for an option to inject a custom parameter with the source IP into the HTTP header. Or is there a secure rule to extract the correct source IP of the request, such as just taking the last IP in the list?

Kind regards,
Andreas
Re: [squid-users] Getting Source-IP
On Thu, Apr 22, 2010 at 8:19 PM, Andreas Müller amuel...@gmx.de wrote:
> Hello, I'm using squid as an accel proxy. Is there a possibility to inject the source IP into the HTTP header sent to the webserver? I know that there is HTTP_X_FORWARDED_FOR, but it seems that the content of this parameter is not clear if this parameter is already in the request header (e.g. the request already comes from a proxy). Sometimes I get a comma-separated list, sometimes not.

Squid has done its best with X_FORWARDED_FOR. For another solution, you may get the real client's IP with some client-side technologies like Javascript.

--
Jeff Pang
http://home.arcor.de/pangj/
Re: [squid-users] Getting Source-IP
On Thu, Apr 22, 2010 at 8:57 PM, Andreas Müller amuel...@gmx.de wrote:
> So I thought that there is an option to inject custom headers into the request. But if this is not possible then I have to make the best of X_FORWARDED_FOR.

From my experience, never much believe X_FORWARDED_FOR.

--
Jeff Pang
http://home.arcor.de/pangj/
Re: [squid-users] Getting Source-IP
Jeff Pang wrote:
> On Thu, Apr 22, 2010 at 8:19 PM, Andreas Müller amuel...@gmx.de wrote:
>> Hello, I'm using squid as an accel proxy. Is there a possibility to inject the source IP into the HTTP header sent to the webserver? I know that there is HTTP_X_FORWARDED_FOR, but it seems that the content of this parameter is not clear if this parameter is already in the request header (e.g. the request already comes from a proxy). Sometimes I get a comma-separated list, sometimes not.
>
> Squid has done its best with X_FORWARDED_FOR. For another solution, you may get the real client's IP with some client-side technologies like Javascript.

XFF was created for exactly this purpose. It is always a comma-separated list of IP addresses (both IPv4 and IPv6 now). What seems to be confusing you is the terminal comma being optional.

X-Forwarded-For: A.B.C.D

is a list describing two machines: the machine which connected to your server, then machine A.B.C.D on the other side of it. Each proxy along the way adds the address of the machine which connected to it onto the end of the list.

As Jeff said, it's not to be trusted at face value. Clients can easily forge it. What needs to be done is to check each IP in the list to see if you trust what it has added to the list, starting with the machine which is passing it to you directly. If you do trust the middle proxy (I would expect you to at least trust your own internal one) then repeat for the next address on the list. If you do not trust any given middle proxy then consider it to be the real client and perform security checks assuming it may have lied about the rest of the XFF header contents.

Wikipedia have a list of large ISP proxies they have been informed about or uncovered, if you want a seed group of ISP proxies you can trust to tell you the real client IPs.

Amos
--
Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
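A webserver-side version of the trust walk Amos describes, which also generalizes Jeff's "split and take the last entry" (it keeps walking left through proxies you trust and stops at the first one you do not). This is an added example, not code from the thread or from Squid; the trusted proxy ranges and the request values are constructed assumptions.

```python
import ipaddress

# Constructed assumption: address ranges of the proxies we operate and therefore trust
# (e.g. the accel squid in front of the webserver). Everything else is untrusted.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "192.0.2.10/32", "2001:db8::/32")]


def parse_xff(header):
    """Split an X-Forwarded-For value into its entries: leftmost is the claimed original
    client, rightmost is the address seen by the proxy that sent us the request.
    A single entry has no comma at all; whitespace and empty entries are dropped."""
    if not header:
        return []
    return [e.strip() for e in header.split(",") if e.strip()]


def as_ip(value):
    """Return an ip_address object, or None if the entry is not a valid IPv4/IPv6
    address (forged or sloppy headers often carry values such as 'unknown')."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def is_trusted(value):
    ip = as_ip(value)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(remote_addr, xff_header):
    """Walk the chain backwards, starting from the TCP peer (remote_addr). Each trusted
    hop vouches for the entry to its left in XFF; the first untrusted hop is treated as
    the real client and everything further left is ignored as possibly forged.
    Returns the client address as a string, or None if that entry is not a valid IP."""
    chain = parse_xff(xff_header)
    candidate = remote_addr
    for hop in reversed(chain):
        if not is_trusted(candidate):
            break  # candidate may have lied about everything to its left
        candidate = hop
    return candidate if as_ip(candidate) else None


if __name__ == "__main__":
    # Constructed requests: (TCP peer address, X-Forwarded-For header as received).
    print(real_client_ip("10.0.0.5", "198.51.100.7"))               # via our own squid
    print(real_client_ip("10.0.0.5", "203.0.113.9, 198.51.100.7"))  # unknown middle proxy
    print(real_client_ip("203.0.113.9", "1.2.3.4"))                 # direct client, forged XFF
```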