Re: [squid-users] let squid to request the page using client IP?

2014-08-08 Thread Amos Jeffries
On 8/08/2014 12:31 p.m., Brendan Kearney wrote:
> On Fri, 2014-08-08 at 11:48 +1200, Jason Haar wrote:
>> Googling apache x-forwarded-for led me to mod_extract_forwarded
>>
>> http://www.openinfo.co.uk/apache/
>
> from the apache mod_proxy page:

mod_proxy is about making Apache into a reverse-proxy. *generating* the
X-Forwarded-For headers etc.

The query was about passing the client IP through Squid to be *received*
in Apache.

The answer is to:
 use the forwarded_for directive in squid.conf.
 read the contents from X-Forwarded-For in Apache config.

Amos
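
Added example (not part of the message above, and not Squid or Apache code): a Python illustration of how an origin can evaluate X-Forwarded-For once Squid inserts it, accepting the header only from the known proxy and reading hops from the right, because a request can arrive with the header already set. The Squid address 192.168.1.10 and the function names are assumptions made for this example.

```python
import ipaddress

# Assumed topology (constructed for this example): Squid sits at 192.168.1.10
# and is the only proxy whose X-Forwarded-For entries the origin trusts.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.10/32")]
# Mirrors "Allow from 192.168.1.5" in the Directory block from the thread.
ALLOW_FROM = [ipaddress.ip_network("192.168.1.5/32")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def resolve_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address the origin should treat as the client.

    peer_ip is the TCP source address seen by the origin; xff_header is the
    raw X-Forwarded-For value (or None).
    """
    client = ipaddress.ip_address(peer_ip)
    if not xff_header or not _in_any(client, trusted):
        # Request did not come through our proxy: the header is only a claim.
        return client
    # Each proxy appends the address it received the request from, so the
    # rightmost entry is the one written by our own Squid. Walk right to left
    # and stop at the first hop that is not a trusted proxy.
    for entry in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(entry.strip())
        except ValueError:
            # e.g. "unknown", which Squid sends with "forwarded_for off".
            break
        client = hop
        if not _in_any(hop, trusted):
            break
    return client


def is_allowed(peer_ip, xff_header):
    """Apply the allow list to the resolved client, not to the TCP peer."""
    return _in_any(resolve_client_ip(peer_ip, xff_header), ALLOW_FROM)
```

With a header of "192.168.1.5, 10.9.9.9" received from Squid, the resolved client is 10.9.9.9, the entry Squid itself appended, so the allow rule does not match.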


[squid-users] let squid to request the page using client IP?

2014-08-07 Thread Mark jensen
I have asked this question on Apache mailing list but they tell me to ask it 
here:

We know that we can allow some IPs without authentication using Allow from IP:

<Directory /var/www/html/template>
  Order allow,deny
  Allow from 192.168.1.5
  Satisfy any
  AuthName "LDAP Authentication"
  AuthType Basic

  AuthBasicProvider ldap
  AuthzLDAPauthoritative off
  AuthLDAPURL ldap://192.168.1.3/dc=example,dc=com?uid?sub?(objectClass=*)
</Directory>
 
But what if we use proxy (squid) in front, then the source IP will be the proxy 
IP, How can I make Apache to deal with the client IP not the proxy IP?

or How to let squid to request the page using client IP?
  

Re: [squid-users] let squid to request the page using client IP?

2014-08-07 Thread Brendan Kearney
On Thu, 2014-08-07 at 22:02 +, Mark jensen wrote:
> I have asked this question on Apache mailing list but they tell me to ask it
> here:
>
> We know that we can allow some IPs without authentication using Allow from
> IP:
>
> <Directory /var/www/html/template>
>   Order allow,deny
>   Allow from 192.168.1.5
>   Satisfy any
>   AuthName "LDAP Authentication"
>   AuthType Basic
>
>   AuthBasicProvider ldap
>   AuthzLDAPauthoritative off
>   AuthLDAPURL ldap://192.168.1.3/dc=example,dc=com?uid?sub?(objectClass=*)
> </Directory>
>
> But what if we use proxy (squid) in front, then the source IP will be the
> proxy IP, How can I make Apache to deal with the client IP not the proxy IP?
>
> or How to let squid to request the page using client IP?


you will want to look into the X-Forwarded-For header.  Make sure you
are inserting it with squid, and that apache is parsing the header for
the value and basing the access on it.  the client ip will be in the
first position (0 based, i think), when using comma (,) as a delimiter.



Re: [squid-users] let squid to request the page using client IP?

2014-08-07 Thread Jason Haar
Googling apache x-forwarded-for led me to mod_extract_forwarded

http://www.openinfo.co.uk/apache/

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: [squid-users] let squid to request the page using client IP?

2014-08-07 Thread Brendan Kearney
On Fri, 2014-08-08 at 11:48 +1200, Jason Haar wrote:
> Googling apache x-forwarded-for led me to mod_extract_forwarded
>
> http://www.openinfo.co.uk/apache/


from the apache mod_proxy page:

Reverse Proxy Request Headers

When acting in a reverse-proxy mode (using the ProxyPass directive, for
example), mod_proxy_http adds several request headers in order to pass
information to the origin server. These headers are:

X-Forwarded-For
    The IP address of the client.
X-Forwarded-Host
    The original host requested by the client in the Host HTTP request
    header.
X-Forwarded-Server
    The hostname of the proxy server.

Be careful when using these headers on the origin server, since they
will contain more than one (comma-separated) value if the original
request already contained one of these headers. For example, you can use
%{X-Forwarded-For}i in the log format string of the origin server to log
the original clients IP address, but you may get more than one address
if the request passes through several proxies.

See also the ProxyPreserveHost and ProxyVia directives, which control
other request headers.

looks like all you need is mod_proxy_http.