Re: [squid-users] X-Forwarded-For

2018-11-10 Thread Michael Pelletier
Interesting. I will check later. Thanks!

On Fri, Nov 9, 2018 at 9:54 PM Amos Jeffries wrote:

> On 10/11/18 3:15 PM, Michael Pelletier wrote:
> > Perhaps your Squid has been patched to remove it ?
> >
> > I am running 3.5.28. I have not installed any patches.
> >
> > Perhaps you are looking at the wrong headers ?
> >  X-Forwarded-For is only added to the request headers sent to servers.
> >
> > Yes. The XFF should be added to the request header and be seen by the
> > server the proxy is communicating with. I have a sniffer on the outside
> > (Internet side) of the proxy and have confirmed the XFF is not being added.
> >
> > Perhaps you have a later config line setting forwarded_for to "delete"
> > or "transparent" ?
> >
> > I have the line "forwarded_for on"
>
> I mean something later in the config. This directive can be set multiple
> times and only uses the last value it is set to.
>
>
> Another possibility is request_header_access rules removing it along
> with other headers. IIRC, this header is included in one of the "Other"
> or "All" categories.
>
>
> Amos
>

-- 
*Disclaimer:* Under Florida law, e-mail addresses are public records.
If you do not want your e-mail address released in response to a public
records request, do not send electronic mail to this entity. Instead,
contact this office by phone or in writing.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] X-Forwarded-For

2018-11-09 Thread Amos Jeffries
On 10/11/18 3:15 PM, Michael Pelletier wrote:
> Perhaps your Squid has been patched to remove it ?
> 
> I am running 3.5.28. I have not installed any patches.
> 
> Perhaps you are looking at the wrong headers ?
>  X-Forwarded-For is only added to the request headers sent to servers.
> 
> Yes. The XFF should be added to the request header and be seen by the
> server the proxy is communicating with. I have a sniffer on the outside
> (Internet side) of the proxy and have confirmed the XFF is not being added.
> 
> Perhaps you have a later config line setting forwarded_for to "delete"
> or "transparent" ?
> 
> I have the line "forwarded_for on"

I mean something later in the config. This directive can be set multiple
times and only uses the last value it is set to.


Another possibility is request_header_access rules removing it along
with other headers. IIRC, this header is included in one of the "Other"
or "All" categories.


Amos
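
The two causes suggested in this reply (a later forwarded_for line overriding an earlier one, and request_header_access rules that cover the header) can be checked statically. The following is an added example, not code from Squid or from anyone in this thread; the function names and the sample configuration are constructed, and the default value "on" for an absent directive is an assumption.

```python
# Added example: static check of a squid.conf for the two causes raised in
# this thread. Not Squid code; it does not follow "include" directives.

# request_header_access names that may cover X-Forwarded-For: the header
# itself, plus the "All" and "Other" groups mentioned in the thread.
XFF_SELECTORS = {"x-forwarded-for", "all", "other"}

# Assumption: the value Squid uses when the directive is absent.
DEFAULT_FORWARDED_FOR = "on"


def audit_forwarded_for(conf_text):
    """Report the effective forwarded_for value and rules that may strip XFF."""
    settings = []     # every (line_no, value) for forwarded_for, in file order
    strip_rules = []  # (line_no, header_name, acl_names) for matching deny rules
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment line
        if tokens[0] == "forwarded_for" and len(tokens) >= 2:
            settings.append((line_no, tokens[1].lower()))
        elif tokens[0] == "request_header_access" and len(tokens) >= 3:
            header, action = tokens[1], tokens[2].lower()
            if action == "deny" and header.lower() in XFF_SELECTORS:
                strip_rules.append((line_no, header, tokens[3:]))

    if settings:
        effective_line, effective = settings[-1]  # the last occurrence wins
    else:
        effective_line, effective = None, DEFAULT_FORWARDED_FOR
    return {
        "effective": effective,
        "effective_line": effective_line,
        "overridden": settings[:-1],
        "strip_rules": strip_rules,
    }


def findings(result):
    """Turn an audit result into human-readable findings."""
    out = []
    effective = result["effective"]
    if effective != "on":
        out.append("forwarded_for is effectively '%s' (line %s)"
                   % (effective, result["effective_line"]))
    for line_no, value in result["overridden"]:
        if value != effective:
            out.append("line %d: forwarded_for %s is overridden later"
                       % (line_no, value))
    for line_no, header, acls in result["strip_rules"]:
        out.append("line %d: request_header_access %s deny %s may remove "
                   "X-Forwarded-For" % (line_no, header, " ".join(acls)))
    return out


# Constructed sample: "forwarded_for on" is set near the top, and a
# header-privacy block pasted in later changes the outcome.
SAMPLE_CONF = """\
http_port 3128
forwarded_for on
via on
# header-privacy block appended later
request_header_access Referer deny all
request_header_access All deny all
forwarded_for delete
"""

if __name__ == "__main__":
    for finding in findings(audit_forwarded_for(SAMPLE_CONF)):
        print(finding)
```

A packet capture on the server side of the proxy remains the authoritative check; this only narrows down which config lines to look at.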


Re: [squid-users] X-Forwarded-For

2018-11-09 Thread Michael Pelletier
Perhaps your Squid has been patched to remove it ?

I am running 3.5.28. I have not installed any patches.

Perhaps you are looking at the wrong headers ?
 X-Forwarded-For is only added to the request headers sent to servers.

Yes. The XFF should be added to the request header and be seen by the
server the proxy is communicating with. I have a sniffer on the outside
(Internet side) of the proxy and have confirmed the XFF is not being added.

Perhaps you have a later config line setting forwarded_for to "delete"
or "transparent" ?

I have the line "forwarded_for on"

On Fri, Nov 9, 2018 at 7:35 PM Amos Jeffries wrote:

> On 10/11/18 9:05 AM, Michael Pelletier wrote:
> > Hello,
> > I am running squid 3.5.28 and for some reason I can not get
> > X-Forwarded-For added to the http headers. I have "forwarded_for on" and
> > "via on" set in the squid.conf. Any ideas why this will not work?
> >
>
> Perhaps your Squid has been patched to remove it ?
>
> Perhaps you are looking at the wrong headers ?
>  X-Forwarded-For is only added to the request headers sent to servers.
>
> Perhaps you have a later config line setting forwarded_for to "delete"
> or "transparent" ?
>
> Amos



Re: [squid-users] X-Forwarded-For

2018-11-09 Thread Amos Jeffries
On 10/11/18 9:05 AM, Michael Pelletier wrote:
> Hello,
> I am running squid 3.5.28 and for some reason I can not get
> X-Forwarded-For added to the http headers. I have "forwarded_for on" and
> "via on" set in the squid.conf. Any ideas why this will not work?
> 

Perhaps your Squid has been patched to remove it ?

Perhaps you are looking at the wrong headers ?
 X-Forwarded-For is only added to the request headers sent to servers.

Perhaps you have a later config line setting forwarded_for to "delete"
or "transparent" ?

Amos


[squid-users] X-Forwarded-For

2018-11-09 Thread Michael Pelletier
Hello,
I am running squid 3.5.28 and for some reason I can not get X-Forwarded-For
added to the http headers. I have "forwarded_for on" and "via on" set in
the squid.conf. Any ideas why this will not work?



Re: [squid-users] X-Forwarded-For breaks a site

2017-01-30 Thread Matus UHLAR - fantomas

On 30.01.17 12:09, Andrea Venturoli wrote:
> The answer to a direct connection (or to Squid with "forwarded_for
> transparent") is:
>
> HTTP/1.1 303 See other
> Date: Mon, 30 Jan 2017 09:56:18 GMT
> Server: Apache
> X-Powered-By: PHP/5.3.29
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Pragma: no-cache
> Set-Cookie: PHPSESSID=www; path=/
> Set-Cookie: yy=z; path=/; HttpOnly
> Location: http://www.xxx.com/md/it/
> Content-Length: 0
> Connection: close
> Content-Type: text/html; charset=utf-8
>
> The answer to Squid (without "forwarded_for transparent") is:
>
> HTTP/1.1 200 OK
> Date: Mon, 30 Jan 2017 09:33:51 GMT
> Server: Apache
> X-Powered-By: PHP/5.3.29
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Pragma: no-cache
> Set-Cookie: PHPSESSID=vv; path=/
> Content-Length: 0
> Keep-Alive: timeout=15, max=98
> Connection: Keep-Alive
> Content-Type: text/html
>
> The site is a commercial one and, although it features a reserved
> area, I don't see any point in losing visibility to corporate users.
> Also the webserver belongs to a famous ISP which should also host
> thousands of other sites, so I guess it should have nothing fancy.
>
> Anyone can shed some light on this behaviour?

it's quite common that some pages break on x-forwarded-for header.
It's mostly fault of those pages, not clients or webserver.

> Is this Squid's fault (I don't think so, but I'll just ask)?

no

> Is this a known bug in some version of Apache or PHP or whatever?

no

> Is it dangerous to keep "forwarded_for transparent" in my config?

might be, if you let private internal data pass out.

you should study what the directive does and decide what to do with the XFF
header. See:
http://www.squid-cache.org/Doc/config/forwarded_for/

if there's a possibility of contacting the page owner with a complaint, do that.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


[squid-users] X-Forwarded-For breaks a site

2017-01-30 Thread Andrea Venturoli

Hello.

I've been invited to visit a web site and I couldn't see it.
Bypassing squid would solve the problem, so I did some research
and saw that adding "forwarded_for transparent" to my config would do.


I'm wondering what the reason might be...

tcpdump showed that:
1) initial connection to http://www.xxx.com yields a 302 redirect to
http://www.xxx.com/md;
2) so a second request goes out to http://www.xxx.com/md and yields a
301, again redirecting to http://www.xxx.com/md/ (notice the last slash);
3) finally a request goes out for http://www.xxx.com/md/ and here's
where a difference arises between a direct connection and one through
Squid (without "forwarded_for transparent").


The answer to a direct connection (or to Squid with "forwarded_for 
transparent") is:

HTTP/1.1 303 See other
Date: Mon, 30 Jan 2017 09:56:18 GMT
Server: Apache
X-Powered-By: PHP/5.3.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=www; path=/
Set-Cookie: yy=z; path=/; HttpOnly
Location: http://www.xxx.com/md/it/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8


The answer to Squid (without "forwarded_for transparent") is:

HTTP/1.1 200 OK
Date: Mon, 30 Jan 2017 09:33:51 GMT
Server: Apache
X-Powered-By: PHP/5.3.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=vv; path=/
Content-Length: 0
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/html



The site is a commercial one and, although it features a reserved area, I
don't see any point in losing visibility to corporate users.
Also the webserver belongs to a famous ISP which should also host
thousands of other sites, so I guess it should have nothing fancy.




Anyone can shed some light on this behaviour?
Is this Squid's fault (I don't think so, but I'll just ask)?
Is this a known bug in some version of Apache or PHP or whatever?
Is it dangerous to keep "forwarded_for transparent" in my config?



 bye & Thanks
av.


Re: [squid-users] x-forwarded-for Fail

2013-10-11 Thread merc1984
Thanks Amos, for the good explanation.

So this leads to: I'd like to anonymise my headers to the greatest
extent possible.  Here is my config: https://pastee.org/khgtw

Does anyone have a recommended configuration for best privacy?





Re: [squid-users] x-forwarded-for Fail

2013-10-10 Thread Amos Jeffries

On 10/10/2013 5:53 p.m., merc1...@f-m.fm wrote:
> On Wed, Oct 9, 2013, at 20:35, Amos Jeffries wrote:
> > All such online header tools are really only delivering a report of the
> > headers which reached them. None of them have ever displayed The
> > Truth(tm). The internals of the browser itself contains a set of layers
> > doing header additions and changes. The same is (supposed to be) true of
> > every extra layer of software proxies across the network.
>
> I just can't believe that someone would just keep a lying tool up.
> Maybe I'll send him an email.
>
> > This case is a great example of how no matter what header manipulation
> > you do in your own proxy it cannot change what others are doing to the
> > traffic elsewhere. The CDN he uses adding its own X-Forwarded-* headers.
> > Your own upstream provider might add the X-Forwarded-For header adding
> > details about you. Every proxy along the way removes existing hop-by-hop
> > headers and adds new ones.
>
> Crumcast shouldn't be manipulating my HTML headers;  that would cost too
> much.

HTML is a different story entirely from HTTP.
Manipulation of HTTP headers on every relay point they cross is mandatory.

> > One interesting case here is that if you add X-Forwarded-For on your
> > requests, does that value show up at his end?
>
> I did try setting it to 127.0.0.1, but it didn't fool him.
>
> Interestingly I run NoScript and have all scripting turned off for his
> site, yet he still comes up with my IP.  Hm, maybe Crumcast is narcking
> me out.

Probably. They do have to send packets from your IP to his IP and get
the responses back to you.


Amos


Re: [squid-users] x-forwarded-for Fail

2013-10-10 Thread merc1984
> HTML is a different story entirely from HTTP.
> Manipulation of HTTP headers on every relay point they cross is mandatory.

Why?

> > > One interesting case here is that if you add X-Forwarded-For on your
> > > requests, does that value show up at his end?
> > I did try setting it to 127.0.0.1, but it didn't fool him.
> >
> > Interestingly I run NoScript and have all scripting turned off for his
> > site, yet he still comes up with my IP.  Hm, maybe Crumcast is narcking
> > me out.
>
> Probably. They do have to send packets from your IP to his IP and get
> the responses back to you.

In order to get back to me my IP is in the packet headers.  No need for
them to be in http headers.

That's why you can (ostensibly) turn off x-forwarded-for in squid.conf.





Re: [squid-users] x-forwarded-for Fail

2013-10-10 Thread Amos Jeffries

On 11/10/2013 2:44 a.m., merc1...@f-m.fm wrote:
> > HTML is a different story entirely from HTTP.
> > Manipulation of HTTP headers on every relay point they cross is mandatory.
>
> Why?
>
> > > > One interesting case here is that if you add X-Forwarded-For on your
> > > > requests, does that value show up at his end?
> > > I did try setting it to 127.0.0.1, but it didn't fool him.
> > >
> > > Interestingly I run NoScript and have all scripting turned off for his
> > > site, yet he still comes up with my IP.  Hm, maybe Crumcast is narcking
> > > me out.
> >
> > Probably. They do have to send packets from your IP to his IP and get
> > the responses back to you.
>
> In order to get back to me my IP is in the packet headers.  No need for
> them to be in http headers.
>
> That's why you can (ostensibly) turn off x-forwarded-for in squid.conf.


Ah, but his site is running a script. The internal design of web servers 
often includes mapping TCP level details alongside HTTP headers so they 
can be sent over the very different connection between the server 
process and the script process. Good example is PHP's 
$_SERVER['REMOTE_ADDR'] which lists the IP of the web server receiving 
the traffic. The rest of that array is the HTTP headers and other
environment details.
 That is pretty much what X-Forwarded-For is too - just a passing of 
end-users _public_ TCP connection IP (only the IP) through a hierarchy 
to the backend when the original TCP connection is nowhere near that 
backend software.


Amos


Re: [squid-users] x-forwarded-for Fail

2013-10-10 Thread Amos Jeffries

On 11/10/2013 2:44 a.m., merc1...@f-m.fm wrote:
> > HTML is a different story entirely from HTTP.
> > Manipulation of HTTP headers on every relay point they cross is mandatory.
>
> Why?



a) Because HTML is a markup language for text documents. HTTP is a 
protocol for software communication.


b) Being a communication protocol headers in HTTP are used for the 
purpose of negotiating features used to deliver messages by each end of 
a particular connection.


Given a proxy chain A - B - C - D. The client connection into a 
proxy (A-B) usually has different features to the outgoing server 
connection (B-C). The HTTP headers need to be changed from negotiating 
(A-B) mechanisms to (B-C) mechanisms, things like the message 
encoding or whether .
Some features like the much maligned Via and X-Forwarded-For relay 
information from B through C, so that A-D mechanisms work - usually 
access control mechanisms for X-Forwarded-For, Via signals min/max 
available HTTP version or presence of non-HTTP protocols that affect 
end-to-end capabilities.


Amos



[squid-users] x-forwarded-for Fail

2013-10-09 Thread merc1984
Looks like turning off x-forwarded-for, has been disabled now.  Nothing
works.  I've tried:
forwarded_for delete
forwarded_for off
forwarded_for transparent
request_header_replace X-Forwarded-For 127.0.0.1
request_header_access X-Forwarded-For deny all
reply_header_access X-Forwarded-For deny all

... but nothing works.

IRC doesn't know why.

Has this been disabled?  If so why can't I even use the access
controls?  It's disturbing that these don't work.  What else are access
controls failing me on?

To see what I'm talking about, go to
http://www.ericgiguere.com/tools/http-header-viewer.html

My squid.conf is here:
https://pastee.org/khgtw
Squid 3.3.8-1 over Debian Testing.




Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread Alex Rousskov
On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
> Looks like turning off x-forwarded-for, has been disabled now.  Nothing
> works.
>
> To see what I'm talking about, go to
> http://www.ericgiguere.com/tools/http-header-viewer.html


The above web page hosts a script that cannot be used as intended
because it sits behind a server that adds X-Forwarded-For and alters
some other HTTP headers.

Try testing with something more reliable, like taking a packet capture
and looking at the actual HTTP requests sent by Squid.


HTH,

Alex.



Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread merc1984

Well for Heaven's sake.

What motivation could he possibly have for dinking with the headers?


On Wed, Oct 9, 2013, at 11:08, Alex Rousskov wrote:
> On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
> > Looks like turning off x-forwarded-for, has been disabled now.  Nothing
> > works.
> >
> > To see what I'm talking about, go to
> > http://www.ericgiguere.com/tools/http-header-viewer.html
>
> The above web page hosts a script that cannot be used as intended
> because it sits behind a server that adds X-Forwarded-For and alters
> some other HTTP headers.
>
> Try testing with something more reliable, like taking a packet capture
> and looking at the actual HTTP requests sent by Squid.
>
> HTH,
>
> Alex.
 




Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread Will Roberts

I think you missed Alex's point.

That page itself sits behind a reverse proxy that adds X-Forwarded-For. 
So using that for your testing isn't going to help.



On 10/09/2013 03:01 PM, merc1...@f-m.fm wrote:
> Well for Heaven's sake.
>
> What motivation could he possibly have for dinking with the headers?
>
> On Wed, Oct 9, 2013, at 11:08, Alex Rousskov wrote:
> > On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
> > > Looks like turning off x-forwarded-for, has been disabled now.  Nothing
> > > works.
> > > To see what I'm talking about, go to
> > > http://www.ericgiguere.com/tools/http-header-viewer.html
> >
> > The above web page hosts a script that cannot be used as intended
> > because it sits behind a server that adds X-Forwarded-For and alters
> > some other HTTP headers.
> >
> > Try testing with something more reliable, like taking a packet capture
> > and looking at the actual HTTP requests sent by Squid.
> >
> > HTH,
> >
> > Alex.





Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread merc1984
Didn't miss his point and I understand exactly what he said.

My question is what possible motive could ericgiguere have for
misrepresenting headers, on a header query site?

It just doesn't make sense.


On Wed, Oct 9, 2013, at 12:05, Will Roberts wrote:
> I think you missed Alex's point.
>
> That page itself sits behind a reverse proxy that adds X-Forwarded-For.
> So using that for your testing isn't going to help.
>
> On 10/09/2013 03:01 PM, merc1...@f-m.fm wrote:
> > Well for Heaven's sake.
> >
> > What motivation could he possibly have for dinking with the headers?
> >
> > On Wed, Oct 9, 2013, at 11:08, Alex Rousskov wrote:
> > > On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
> > > > Looks like turning off x-forwarded-for, has been disabled now.  Nothing
> > > > works.
> > > > To see what I'm talking about, go to
> > > > http://www.ericgiguere.com/tools/http-header-viewer.html
> > >
> > > The above web page hosts a script that cannot be used as intended
> > > because it sits behind a server that adds X-Forwarded-For and alters
> > > some other HTTP headers.
> > >
> > > Try testing with something more reliable, like taking a packet capture
> > > and looking at the actual HTTP requests sent by Squid.
> > >
> > > HTH,
> > >
> > > Alex.
 
 




Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread Will Roberts
I'm sure it wasn't malicious. That tool was put up in 2003. At some 
point in the past 10 years he probably put a reverse proxy in front of 
his site. Maybe you should email him and tell him he's broken his header 
tool.


On 10/09/2013 03:55 PM, merc1...@f-m.fm wrote:
> Didn't miss his point and I understand exactly what he said.
>
> My question is what possible motive could ericgiguere have for
> misrepresenting headers, on a header query site?
>
> It just doesn't make sense.
>
> On Wed, Oct 9, 2013, at 12:05, Will Roberts wrote:
> > I think you missed Alex's point.
> >
> > That page itself sits behind a reverse proxy that adds X-Forwarded-For.
> > So using that for your testing isn't going to help.
> >
> > On 10/09/2013 03:01 PM, merc1...@f-m.fm wrote:
> > > Well for Heaven's sake.
> > >
> > > What motivation could he possibly have for dinking with the headers?
> > >
> > > On Wed, Oct 9, 2013, at 11:08, Alex Rousskov wrote:
> > > > On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
> > > > > Looks like turning off x-forwarded-for, has been disabled now.  Nothing
> > > > > works.
> > > > > To see what I'm talking about, go to
> > > > > http://www.ericgiguere.com/tools/http-header-viewer.html
> > > >
> > > > The above web page hosts a script that cannot be used as intended
> > > > because it sits behind a server that adds X-Forwarded-For and alters
> > > > some other HTTP headers.
> > > >
> > > > Try testing with something more reliable, like taking a packet capture
> > > > and looking at the actual HTTP requests sent by Squid.
> > > >
> > > > HTH,
> > > >
> > > > Alex.





Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread Amos Jeffries

On 10/10/2013 9:05 a.m., Will Roberts wrote:
> I'm sure it wasn't malicious. That tool was put up in 2003. At some
> point in the past 10 years he probably put a reverse proxy in front of
> his site. Maybe you should email him and tell him he's broken his
> header tool.

But ... has he actually broken it? or is the breakage something deeper,
like the assumption that it can be done at all?


All such online header tools are really only delivering a report of the 
headers which reached them. None of them have ever displayed The 
Truth(tm). The internals of the browser itself contains a set of layers 
doing header additions and changes. The same is (supposed to be) true of 
every extra layer of software proxies across the network.


This case is a great example of how no matter what header manipulation 
you do in your own proxy it cannot change what others are doing to the 
traffic elsewhere. The CDN he uses adding its own X-Forwarded-* headers. 
Your own upstream provider might add the X-Forwarded-For header adding 
details about you. Every proxy along the way removes existing hop-by-hop 
headers and adds new ones.


One interesting case here is that if you add X-Forwarded-For on your 
requests, does that value show up at his end?


Amos



Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread merc1984
On Wed, Oct 9, 2013, at 20:35, Amos Jeffries wrote:
> All such online header tools are really only delivering a report of the
> headers which reached them. None of them have ever displayed The
> Truth(tm). The internals of the browser itself contains a set of layers
> doing header additions and changes. The same is (supposed to be) true of
> every extra layer of software proxies across the network.

I just can't believe that someone would just keep a lying tool up. 
Maybe I'll send him an email.


> This case is a great example of how no matter what header manipulation
> you do in your own proxy it cannot change what others are doing to the
> traffic elsewhere. The CDN he uses adding its own X-Forwarded-* headers.
> Your own upstream provider might add the X-Forwarded-For header adding
> details about you. Every proxy along the way removes existing hop-by-hop
> headers and adds new ones.

Crumcast shouldn't be manipulating my HTML headers;  that would cost too
much.


> One interesting case here is that if you add X-Forwarded-For on your
> requests, does that value show up at his end?

I did try setting it to 127.0.0.1, but it didn't fool him.

Interestingly I run NoScript and have all scripting turned off for his
site, yet he still comes up with my IP.  Hm, maybe Crumcast is narcking
me out.





Re: [squid-users] Re: [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!

2013-08-24 Thread Amos Jeffries

On 24/08/2013 5:50 p.m., David Isaacs wrote:
> Amos,
>
> I've also come across what Michael identified. This is actually a bug,
> right? The checklist() constructor initialises checklist.src_addr correctly
> based on acl_uses_indirect_client but it is then overridden with the
> request's true client_addr by the calling function.
>
> I filed it as #3895
> http://bugs.squid-cache.org/show_bug.cgi?id=3895


And applied. It should be in the next releases at the end of this month.

Amos


[squid-users] Re: [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!

2013-08-23 Thread David Isaacs
Amos,

I've also come across what Michael identified. This is actually a bug,
right? The checklist() constructor initialises checklist.src_addr correctly
based on acl_uses_indirect_client but it is then overridden with the
request's true client_addr by the calling function. 

I filed it as #3895
http://bugs.squid-cache.org/show_bug.cgi?id=3895








Re: [squid-users] [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!

2013-08-12 Thread Michael Graham
On Sat, 2013-08-10 at 14:27 +1200, Amos Jeffries wrote:
> Er. What Squid version are you using?
>
> The checklist() constructor pulls those details out of the request
> object itself in the current Squid versions.

The patch I provided was from trunk in the bazaar repo, but I'm actually
running squid 3.3.6 (with the 2 recent security patches added) both of
which set the checklist.src_addr after calling checklist().

> And the correct patch is to add:
>
> #if FOLLOW_X_FORWARDED_FOR
>     if (Config.onoff.acl_uses_indirect_client)
>         src_addr = request->indirect_client_addr;
>     else
> #endif /* FOLLOW_X_FORWARDED_FOR */
>         src_addr = request->client_addr;
>
> Amos

Thanks, I'll update the patch I am using.

-- 
Michael Graham mgra...@bloxx.com




[squid-users] [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!

2013-08-09 Thread Michael Graham
Hi all,

I've had a look at this issue and I believe I have found the problem.
Just to recap I have:

follow_x_forwarded_for allow localhost
acl forwardTrafficSubnet1 src 172.21.120.0/24
cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
never_direct deny forwardTrafficSubnet1
cache_peer_access 172.21.120.24 allow all
never_direct allow all

In the squid.conf but all traffic forwarded for 172.21.120.0/24
addresses gets sent to the upstream proxy.

I found that this patch resolves the issue:

=== modified file 'src/neighbors.cc'
--- src/neighbors.cc2013-06-07 04:35:25 +
+++ src/neighbors.cc2013-08-09 15:25:57 +
@@ -204,7 +204,11 @@
 return do_ping;
 
 ACLFilledChecklist checklist(p-access, request, NULL);
+#ifdef FOLLOW_X_FORWARDED_FOR
+checklist.src_addr = request-indirect_client_addr;
+#else
 checklist.src_addr = request-client_addr;
+#endif
 checklist.my_addr = request-my_addr;
 
 return (checklist.fastCheck() == ACCESS_ALLOWED);
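
Review bot: The added `#ifdef FOLLOW_X_FORWARDED_FOR` branch sets checklist.src_addr to indirect_client_addr unconditionally, so on any build with the feature compiled in, cache_peer_access src ACLs are always evaluated against the X-Forwarded-For-derived address with no way to opt out at run time. Make the choice conditional on the acl_uses_indirect_client setting (Config.onoff.acl_uses_indirect_client, as in the follow-up in this thread) and keep client_addr as the fallback.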

Cheers,
-- 
Michael Graham mgra...@bloxx.com




[squid-users] Re: [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!

2013-08-09 Thread babajaga
Back to original squid.conf:

Instead of
follow_x_forwarded_for allow localhost
acl forwardTrafficSubnet1 src 172.21.120.0/24
cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
never_direct deny forwardTrafficSubnet1
cache_peer_access 172.21.120.24 allow all
never_direct allow all 

I would use 

follow_x_forwarded_for allow localhost
acl forwardTrafficSubnet1 src 172.21.120.0/24
cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
always_direct allow forwardTrafficSubnet1
#never_direct deny forwardTrafficSubnet1 Looks like double negation: NOT Never-DIRECT
cache_peer_access 172.21.120.24 allow all
never_direct allow all 





Re: [squid-users] [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!

2013-08-09 Thread Amos Jeffries

On 10/08/2013 3:42 a.m., Michael Graham wrote:

Hi all,

I've had a look at this issue and I believe I have found the problem.
Just to recap I have:

follow_x_forwarded_for allow localhost
acl forwardTrafficSubnet1 src 172.21.120.0/24
cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
never_direct deny forwardTrafficSubnet1
cache_peer_access 172.21.120.24 allow all
never_direct allow all

In the squid.conf but all traffic forwarded for 172.21.120.0/24
addresses gets sent to the upstream proxy.

I found that this patch resolves the issue:

=== modified file 'src/neighbors.cc'
--- src/neighbors.cc2013-06-07 04:35:25 +
+++ src/neighbors.cc2013-08-09 15:25:57 +
@@ -204,7 +204,11 @@
  return do_ping;
  
  ACLFilledChecklist checklist(p-access, request, NULL);

+#ifdef FOLLOW_X_FORWARDED_FOR
+checklist.src_addr = request-indirect_client_addr;
+#else
  checklist.src_addr = request-client_addr;
+#endif
  checklist.my_addr = request-my_addr;
  
  return (checklist.fastCheck() == ACCESS_ALLOWED);
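
Review bot: `#ifdef FOLLOW_X_FORWARDED_FOR` on the first added line only tests that the macro is defined, so a build that defines it as 0 would still take the indirect_client_addr branch; the corrected snippet further down in this reply tests the value with `#if FOLLOW_X_FORWARDED_FOR`, and the hunk should do the same. Since the reply also says the checklist() constructor already fills these fields from the request, consider dropping the explicit src_addr assignment here rather than adding a second variant of it.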


Cheers,


Er. What Squid version are you using?

The checklist() constructor pulls those details out of the request 
object itself in the current Squid versions.


And the correct patch is to add:

#if FOLLOW_X_FORWARDED_FOR
    if (Config.onoff.acl_uses_indirect_client)
        src_addr = request->indirect_client_addr;
    else
#endif /* FOLLOW_X_FORWARDED_FOR */
        src_addr = request->client_addr;

Amos
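
A small model of the behaviour this thread is about, added here as an illustration (it is not Squid source code and not from any poster): how the indirect client address is derived from X-Forwarded-For under a follow_x_forwarded_for trust list, and how the address chosen for src ACLs decides whether the cache_peer is used. Assumptions: the request reaches Squid from 127.0.0.1 carrying the X-Forwarded-For value shown in the thread; all function names are hypothetical; the 203.0.113.x, 198.51.100.x and 192.0.2.x addresses are constructed.

```python
import ipaddress


def indirect_client(direct_addr, xff_header, trusted_nets):
    """Backtrack through X-Forwarded-For while the current hop is trusted.

    Starting at the TCP peer, as long as the current address is allowed by
    the trust list, replace it with the right-most unused header entry.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    current = ipaddress.ip_address(direct_addr)
    while hops and any(current in net for net in trusted):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # "unknown" or malformed entry: stop at the last good address
    return str(current)


def acl_src(direct_addr, indirect_addr, acl_uses_indirect_client):
    """Address that src ACLs are matched against (the choice in the snippet above)."""
    return indirect_addr if acl_uses_indirect_client else direct_addr


def peer_allowed(src_addr, denied_nets):
    """Model of: cache_peer_access <peer> deny <denied_nets>, then allow all."""
    addr = ipaddress.ip_address(src_addr)
    return not any(addr in ipaddress.ip_network(n) for n in denied_nets)


LOCALHOST = ["127.0.0.1/32"]   # follow_x_forwarded_for allow localhost
ALLOW_ALL = ["0.0.0.0/0"]      # follow_x_forwarded_for allow all
SUBNET1 = ["172.21.120.0/24"]  # acl forwardTrafficSubnet1 from the thread


def thread_case(acl_uses_indirect_client):
    """The reported setup: request via localhost, XFF 172.21.120.23."""
    indirect = indirect_client("127.0.0.1", "172.21.120.23", LOCALHOST)
    src = acl_src("127.0.0.1", indirect, acl_uses_indirect_client)
    return src, peer_allowed(src, SUBNET1)


def spoof_case(trusted_nets):
    """A direct client (constructed) that supplies its own left-most entry."""
    return indirect_client("203.0.113.5", "192.0.2.99, 198.51.100.7", trusted_nets)


if __name__ == "__main__":
    # ACL checked against the direct address: the deny rule never matches and
    # the request goes to the parent proxy (the symptom in the thread).
    print(thread_case(False))
    # ACL checked against the indirect address: the deny rule matches.
    print(thread_case(True))
    # "allow all" ends at the farthest-back, client-supplied entry.
    print(spoof_case(ALLOW_ALL))
    # A narrow trust list ignores the header from an untrusted sender.
    print(spoof_case(LOCALHOST))
```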


Re: [squid-users] X-Forwarded-For and cache_peer_access

2013-07-17 Thread Michael Graham
On Tue, 2013-07-16 at 09:31 -0400, Michael Graham wrote:
> On Tue, 2013-07-16 at 23:30 +1200, Amos Jeffries wrote:
> > Does the X-Forwarded-For header actually contain an IP from the
> > 172.21.120.0/24 subnet (and not some IPv6 address from that subnet's
> > IPv6 ranges).
>
> Yeah it seems to be:
>
> GET http://www.google.com/ HTTP/1.1
> Accept: */*
> Host: www.google.com
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7
> OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Via: 1.1 cake-icap (squid/3.3.6)
> X-Forwarded-For: 172.21.120.23
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> > Also, re-check this after fixing the follow_x_forwarded_for trust
> > ACLs. That may be affecting the results.
>
> I've gone back to the original lines:
>
> acl localsrc src 127.0.0.1
> follow_x_forwarded_for allow localsrc
>
> Here is the output from debug_options ALL,1 17,9 28,9 when I make a
> request:
>
> 2013/07/16 14:27:53.773 kid1| Acl.cc(345) matches: ACLList::matches:
> checking forwardTrafficSubnet1
> 2013/07/16 14:27:53.773 kid1| Acl.cc(326) checklistMatches:
> ACL::checklistMatches: checking 'forwardTrafficSubnet1'
> 2013/07/16 14:27:53.773 kid1| Ip.cc(134) aclIpAddrNetworkCompare:
> aclIpAddrNetworkCompare: compare:
> 172.21.120.23/[:::::::ff00] (172.21.120.0)
> vs 172.21.120.0-[::]/[:::::::ff00]
> 2013/07/16 14:27:53.773 kid1| Ip.cc(560) match: aclIpMatchIp:
> '172.21.120.23' found
> 2013/07/16 14:27:53.773 kid1| Acl.cc(328) checklistMatches:
> ACL::ChecklistMatches: result for 'forwardTrafficSubnet1' is 1
> 2013/07/16 14:27:53.773 kid1| Acl.cc(349) matches: forwardTrafficSubnet1
> matched.
> 2013/07/16 14:27:53.773 kid1| Acl.cc(363) matches: forwardTrafficSubnet1
> result is true
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(275) matchNode: 0x1d8afd8
> matched=1 async=0 finished=0
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(260) matchNodes: 0x1d8afd8
> success: all ACLs matched
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(146) markFinished: 0x1d8afd8
> answer DENIED for first matching rule won
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(88) matchNonBlocking:
> ACLChecklist::check: 0x1d8afd8 match found, calling back with DENIED
>
> I don't know why it says that the rule matched but that it is returning
> DENIED.
>
> Cheers,

Hi again,

I wonder if anyone has any ideas on this one, at the moment this just
doesn't seem to work.

Cheers,
-- 
Michael Graham mgra...@bloxx.com




Re: [squid-users] X-Forwarded-For and cache_peer_access

2013-07-16 Thread Amos Jeffries

On 16/07/2013 7:31 a.m., Michael Graham wrote:

> Hi all,
>
> I'm having a problem getting squid to select the upstream proxy based on
> the source address set in the X-Forwarded-For header.
>
> Here are the appropriate lines from my squid.conf:
>
> follow_x_forwarded_for allow all


You should never have allow all here even for just testing.
What allow all means for that directive is to completely trust 
anything sent by any client and use the farthest back IP address found. 
Not very useful for testing whether your one-hop-away software is 
relaying you accurate details.


What you need to do is limit this to only permit trusting the IP 
addresses of the upstream proxy which is supposed to be setting the XFF 
header.




> acl forwardTrafficSubnet1 src 172.21.120.0/24
> cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
> cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
> never_direct deny forwardTrafficSubnet1
> cache_peer_access 172.21.120.24 allow all
> never_direct allow all
>
> (I'm only using allow all for testing I promise!)
>
> But I am always getting forwarded to the parent peer even when I am
> coming from a machine on forwardTrafficSubnet1.
>
> Has anyone had any success with this?



Does the X-Forwarded-For header actually contain an IP from the 
172.21.120.0/24 subnet (and not some IPv6 address from that subnet's IPv6 
ranges)?


Also, re-check this after fixing the follow_x_forwarded_for trust ACLs. 
That may be affecting the results.


Amos


Re: [squid-users] X-Forwarded-For and cache_peer_access

2013-07-16 Thread Michael Graham
On Tue, 2013-07-16 at 23:30 +1200, Amos Jeffries wrote:
> Does the X-Forwarded-For header actually contain an IP from the
> 172.21.120.0/24 subnet (and not some IPv6 address from that subnet's
> IPv6 ranges).

Yeah it seems to be:

GET http://www.google.com/ HTTP/1.1
Accept: */*
Host: www.google.com
User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7
OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Via: 1.1 cake-icap (squid/3.3.6)
X-Forwarded-For: 172.21.120.23
Cache-Control: max-age=259200
Connection: keep-alive

> Also, re-check this after fixing the follow_x_forwarded_for trust
> ACLs. That may be affecting the results.

I've gone back to the original lines:

acl localsrc src 127.0.0.1
follow_x_forwarded_for allow localsrc

Here is the output from debug_options ALL,1 17,9 28,9 when I make a
request:

2013/07/16 14:27:53.773 kid1| Acl.cc(345) matches: ACLList::matches:
checking forwardTrafficSubnet1
2013/07/16 14:27:53.773 kid1| Acl.cc(326) checklistMatches:
ACL::checklistMatches: checking 'forwardTrafficSubnet1'
2013/07/16 14:27:53.773 kid1| Ip.cc(134) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare:
172.21.120.23/[:::::::ff00] (172.21.120.0)
vs 172.21.120.0-[::]/[:::::::ff00]
2013/07/16 14:27:53.773 kid1| Ip.cc(560) match: aclIpMatchIp:
'172.21.120.23' found
2013/07/16 14:27:53.773 kid1| Acl.cc(328) checklistMatches:
ACL::ChecklistMatches: result for 'forwardTrafficSubnet1' is 1
2013/07/16 14:27:53.773 kid1| Acl.cc(349) matches: forwardTrafficSubnet1
matched.
2013/07/16 14:27:53.773 kid1| Acl.cc(363) matches: forwardTrafficSubnet1
result is true
2013/07/16 14:27:53.773 kid1| Checklist.cc(275) matchNode: 0x1d8afd8
matched=1 async=0 finished=0
2013/07/16 14:27:53.773 kid1| Checklist.cc(260) matchNodes: 0x1d8afd8
success: all ACLs matched
2013/07/16 14:27:53.773 kid1| Checklist.cc(146) markFinished: 0x1d8afd8
answer DENIED for first matching rule won
2013/07/16 14:27:53.773 kid1| Checklist.cc(88) matchNonBlocking:
ACLChecklist::check: 0x1d8afd8 match found, calling back with DENIED

I don't know why it says that the rule matched but that it is returning
DENIED.

Cheers,
-- 
Michael Graham mgra...@bloxx.com




[squid-users] X-Forwarded-For and cache_peer_access

2013-07-15 Thread Michael Graham
Hi all,

I'm having a problem getting squid to select the upstream proxy based on
the source address set in the X-Forwarded-For header.

Here are the appropriate lines from my squid.conf:

follow_x_forwarded_for allow all
acl forwardTrafficSubnet1 src 172.21.120.0/24
cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
never_direct deny forwardTrafficSubnet1
cache_peer_access 172.21.120.24 allow all
never_direct allow all

(I'm only using allow all for testing I promise!)

But I am always getting forwarded to the parent peer even when I am
coming from a machine on forwardTrafficSubnet1.

Has anyone had any success with this?

Thanks,
-- 
Michael Graham mgra...@bloxx.com




[squid-users] X-Forwarded-For Header

2012-04-27 Thread Fran Márquez
Hi friends,

I'm using squid/3.0.STABLE25 and I have a problem accessing a
webpage that checks the X-Forwarded-For header.

It looks like the web requires that the X-Forwarded-For header contain only
the IP of my client, but my squid proxy is sending this header:

forwarded_for on --> X-Forwarded-For: 192.168.2.185, 127.0.0.1
forwarded_for delete --> X-Forwarded-For: 192.168.2.185, unknown
forwarded_for truncate --> X-Forwarded-For: 192.168.2.185, unknown
forwarded_for transparent --> X-Forwarded-For: 192.168.2.185, unknown
forwarded_for off --> X-Forwarded-For: 192.168.2.185, unknown

Can I configure squid to send only this header?

X-Forwarded-For: 192.168.2.185


Regards

-- 

Fran M.


[squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8

2011-02-20 Thread Pieter De Wit

Hi Guys,

I run a reverse proxy for a client. They are using XFF for restricting 
certain content to IP.


We have noted that the following doesn't appear to work as it should:

header_replace X-Forwarded-For allow all

My understanding is that this will cause squid to replace the XFF header 
with its own client IP ?

I see there are various answers about this on the internet so I would like 
to know which one applies to this setup.


Here are some more details on the proxy chain:

client -> proxy1 -> proxy2 -> origin web server

Proxy 1 should replace the XFF header no matter what, so that if client 
is behind a proxy, it doesn't matter.


Proxy 2 should just pass the header as per normal, it doesn't matter if it 
adds an IP to the header.


I am looking at replacing these boxes with Debian 6 boxes over the next 
week or so, but would really like to nail this one now :)


Thanks,

Pieter


Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8

2011-02-20 Thread Amos Jeffries

On Mon, 21 Feb 2011 12:16:46 +1300 (NZDT), Pieter De Wit wrote:

> Hi Guys,
>
> I run a reverse proxy for a client. They are using XFF for
> restricting certain content to IP.
>
> We have noted that the following doesn't appear to work as it should:
>
> header_replace X-Forwarded-For allow all
>
> My understanding is that this will cause squid to replace the XFF
> header with its own client IP ?


No this will replace the content of X-Forwarded-For with the text 
"allow all".

BUT, only if there is a corresponding "request_header_access 
X-Forwarded-For deny" line (or reply_header_access).

FWIW there was a documentation bug for a while indicating that Squid 
would add its *own* IP to XFF.
Squid will never do that. Only the remote visitors/client IP is added 
to XFF.




> I see there are various answers about this on the internet so I would
> like to know which one applies to this setup.



In 3.0 you can use the header access denial + replace to strip out the 
existing header and add any desired forgery.


In 3.1+ you can use forwarded_for truncate to erase a prior history 
trace and perform what you describe in a much cleaner way. This is not 
usually a good idea and only useful to paper around broken web app 
security vulnerabilities.




> Here are some more details on the proxy chain:
>
> client -> proxy1 -> proxy2 -> origin web server
>
> Proxy 1 should replace the XFF header no matter what, so that if
> client is behind a proxy, it doesn't matter.


Well, truncate will do that, BUT using an origin server app which only 
pulls the *newest* IP off the list will be much better. And will protect 
against malicious forgery attacks as well.




> Proxy 2 should just pass the header as per normal, it doesn't matter
> if it adds an IP to the header.
>
> I am looking at replacing these boxes with Debian 6 boxes over the
> next week or so, but would really like to nail this one now :)


Then you will have access to 3.1.6+ with the above mentioned 
forwarded_for extensions.


In this setup in order to pass the client IP to the origin I would 
advise using this config:


proxy 1:
  - nothing special. It will add the real client IP to X-Forwarded-For: 
header.
  - you MAY use forwarded_for truncate here to explicitly erase any 
past garbage. But see above.


proxy 2:
  forwarded_for transparent

 - this will mean proxy 2 preserves the client IP proxy1 added as 
latest on the list, by not mentioning proxy1
 - BE CAREFUL that the only way requests can reach proxy2 is via 
proxy1.


origin:
 - trust proxy 2 as provider of X-Forwarded-For and grab the latest 
client from the XFF which it hands over.


Amos
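
An added example, not part of the original post and not Squid's code: a Python sketch of the origin-side rule recommended above (believe only the newest X-Forwarded-For entries, and only when they were appended by a trusted proxy), contrasted with an application that reads the oldest entry and with an "allow all" trust list. The function names are hypothetical and all addresses are constructed documentation-range values.

```python
import ipaddress

# Constructed addresses for the chain client -> proxy1 -> proxy2 -> origin.
PROXY2 = "192.0.2.20"        # the only hop the origin accepts connections from
CLIENT = "203.0.113.7"       # real client address, appended by proxy1
FORGED = "198.51.100.99"     # value the client put in its own XFF header


def parse_xff(value):
    """Split an X-Forwarded-For value into its entries, oldest first."""
    return [part.strip() for part in (value or "").split(",") if part.strip()]


def naive_leftmost(peer_addr, xff_value):
    """What a broken application does: believe the oldest entry."""
    entries = parse_xff(xff_value)
    return entries[0] if entries else peer_addr


def resolve_client(peer_addr, xff_value, trusted_nets):
    """Return the address to use for access decisions.

    peer_addr    -- address of the TCP peer that connected to us
    xff_value    -- raw X-Forwarded-For header value, or None
    trusted_nets -- networks of proxies whose XFF additions we believe

    Walk from the newest (rightmost) entry towards the oldest. Each step is
    taken only while the hop reached so far is trusted, because an entry is
    only as reliable as the hop that appended it.
    """
    trusted = [ipaddress.ip_network(net) for net in trusted_nets]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(peer_addr)
    for entry in reversed(parse_xff(xff_value)):
        if not is_trusted(current):
            break                      # first untrusted hop: stop here
        try:
            current = ipaddress.ip_address(entry)
        except ValueError:
            break                      # "unknown" or garbage: stop believing
    return str(current)


if __name__ == "__main__":
    header = f"{FORGED}, {CLIENT}"     # as received by the origin from proxy2
    print("oldest entry (spoofable):", naive_leftmost(PROXY2, header))
    print("newest entry via proxy2 :", resolve_client(PROXY2, header, [PROXY2 + "/32"]))
    print("trust everyone          :", resolve_client(PROXY2, header, ["0.0.0.0/0"]))
    print("request bypassing proxy :", resolve_client("203.0.113.50", FORGED, [PROXY2 + "/32"]))
```
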



Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8

2011-02-20 Thread Pieter De Wit

Hi Amos,

Thanks for the reply - I remember seeing the doc bug :)

I am building the Deb6 boxes as we speak (ext4+squid 3.1 is sounding very 
nice)


Cheers,

Pieter

On Mon, 21 Feb 2011, Amos Jeffries wrote:


On Mon, 21 Feb 2011 12:16:46 +1300 (NZDT), Pieter De Wit wrote:

Hi Guys,

I run a reverse proxy for a client. They are using XFF for
restricting certain content to IP.

We have noted that the following doesn't appear to work as it should:

header_replace X-Forwarded-For allow all

My understanding is that this will cause squid to replace the XFF
header with its own client IP ?


No this will replace the content of X-Forwarded-For with the text allow 
all.


BUT, only if there is a corresponding request_header_access X-Forwarded-For 
deny line (or reply_header_access).


FWIW there was a documentation bug for a while indicating that Squid would 
add its *own* IP to XFF.
 Squid will never do that. Only the remote visitors/client IP is added to 
XFF.




I see there are various answers about this on the internet so I would
like to know which one applies to this setup.



In 3.0 you can use the header access denial + replace to strip out the 
existing header and add any desired forgery.


In 3.1+ you can use forwarded_for truncate to erase a prior history trace 
and perform what you describe in a much cleaner way. This is not usually a 
good idea and only useful to paper around broken web app security 
vulnerabilities.




Here are some more details on the proxy chain:

client -> proxy1 -> proxy2 -> origin web server

Proxy 1 should replace the XFF header no matter what, so that if
client is behind a proxy, it doesn't matter.


Well, truncate will do that, BUT using an origin server app which only pulls 
the *newest* IP off the list will be much better. And will protect against 
malicious forgery attacks as well.




Proxy 2 should just pass the header as per normal, it doesn't matter
if it adds an IP to the header.

I am looking at replacing these boxes with Debian 6 boxes over the
next week or so, but would really like to nail this one now :)


Then you will have access to 3.1.6+ with the above mentioned forwarded_for 
extensions.


In this setup in order to pass the client IP to the origin I would advise 
using this config:


proxy 1:
 - nothing special. It will add the real client IP to X-Forwarded-For: 
header.
 - you MAY use forwarded_for truncate here to explicitly erase any past 
garbage. But see above.


proxy 2:
 forwarded_for transparent

- this will mean proxy 2 preserves the client IP proxy1 added as latest on 
the list, by not mentioning proxy1

- BE CAREFUL that the only way requests can reach proxy2 is via proxy1.

origin:
- trust proxy 2 as provider of X-Forwarded-For and grab the latest client 
from the XFF which it hands over.


Amos




Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8

2011-02-20 Thread Pieter De Wit

Hi Amos,

just had a go at this:

request_header_access X-Forwarded-For deny
header_replace X-Forwarded-For

and it's still passing XFF from another source thru - Nothing too urgent 
since the Deb6 boxes are getting built :) But if you spot something ?


Cheers,

Pieter



Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8

2011-02-20 Thread Amos Jeffries

On 21/02/11 16:33, Pieter De Wit wrote:

> Hi Amos,
>
> just had a go at this:
>
> request_header_access X-Forwarded-For deny
> header_replace X-Forwarded-For
>
> and it's still passing XFF from another source thru - Nothing too urgent
> since the Deb6 boxes are getting built :) But if you spot something ?

Just a typo missing "all" after the "deny".

and no value to hard-code into the header on the replace line.

This one is tricky to use since you have to hard-code the value passed 
back, it won't contain the real client IP you want.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5
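
An added example, not part of the thread and not a Squid tool: a small Python check for the squid.conf mistakes pointed out in the replies above (follow_x_forwarded_for allow all, a request_header_access line with no ACL, and a header_replace line with no value or no matching deny rule). The function name and finding codes are hypothetical; the sample configs are built from lines quoted in the thread, and the replacement value 192.0.2.1 is constructed.

```python
# Sample inputs, constructed from lines posted in the thread.
TESTING_2013 = """\
follow_x_forwarded_for allow all
acl forwardTrafficSubnet1 src 172.21.120.0/24
cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
never_direct deny forwardTrafficSubnet1
"""

ORIGINAL_2011 = "header_replace X-Forwarded-For allow all\n"

SECOND_TRY_2011 = """\
request_header_access X-Forwarded-For deny
header_replace X-Forwarded-For
"""

CORRECTED = """\
acl localsrc src 127.0.0.1
follow_x_forwarded_for allow localsrc
request_header_access X-Forwarded-For deny all
header_replace X-Forwarded-For 192.0.2.1
"""


def audit_squid_conf(text):
    """Return a sorted list of (line_number, finding_code) tuples.

    XFF_TRUST_ALL               follow_x_forwarded_for trusts every sender
    HEADER_ACCESS_NO_ACL        allow/deny rule written without an ACL name
    HEADER_REPLACE_NO_VALUE     header_replace given no replacement text
    HEADER_REPLACE_WITHOUT_DENY header_replace with no deny rule for that header
    """
    findings = []
    replaced = {}    # header name (lower-case) -> line of its header_replace
    denied = set()   # headers that have a complete "deny <acl>" rule

    for lineno, raw in enumerate(text.splitlines(), 1):
        # Simplification for this example: everything after '#' is a comment.
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]

        if directive == "follow_x_forwarded_for":
            if args[:1] == ["allow"] and "all" in args[1:]:
                findings.append((lineno, "XFF_TRUST_ALL"))
        elif directive in ("request_header_access", "reply_header_access"):
            # Expected shape: <directive> <header> allow|deny <acl> ...
            if len(args) < 3:
                findings.append((lineno, "HEADER_ACCESS_NO_ACL"))
            elif args[1] == "deny":
                denied.add(args[0].lower())
        elif directive == "header_replace":
            # Expected shape: header_replace <header> <replacement text>
            if len(args) < 2:
                findings.append((lineno, "HEADER_REPLACE_NO_VALUE"))
            else:
                replaced[args[0].lower()] = lineno

    # A replacement only takes effect for a header that is also denied.
    for header, lineno in replaced.items():
        if header not in denied:
            findings.append((lineno, "HEADER_REPLACE_WITHOUT_DENY"))
    return sorted(findings)


if __name__ == "__main__":
    for name in ("TESTING_2013", "ORIGINAL_2011", "SECOND_TRY_2011", "CORRECTED"):
        print(name, audit_squid_conf(globals()[name]))
```
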


Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8

2011-02-20 Thread Pieter De Wit

On 21/02/2011 18:16, Amos Jeffries wrote:

> On 21/02/11 16:33, Pieter De Wit wrote:
> > Hi Amos,
> >
> > just had a go at this:
> >
> > request_header_access X-Forwarded-For deny
> > header_replace X-Forwarded-For
> >
> > and it's still passing XFF from another source thru - Nothing too urgent
> > since the Deb6 boxes are getting built :) But if you spot something ?
>
> Just a typo missing "all" after the "deny".
>
> and no value to hard-code into the header on the replace line.
>
> This one is tricky to use since you have to hard-code the value passed
> back, it won't contain the real client IP you want.
>
> Amos

Yeah, not quite what we are after so squid 3.1.6 will have to do the 
trick :)


Thanks for the time !

Pieter


[squid-users] X-Forwarded-For in squid3.0

2009-06-07 Thread Tech W.

Hi,

Does squid-3.0 have X-Forwarded-For enabled built-in?
Since I don't see a configure directive for that in squid.conf.

Thanks.





Re: [squid-users] X-Forwarded-For in squid3.0

2009-06-07 Thread Amos Jeffries
On Sun, 7 Jun 2009 23:02:21 +0800 (CST), Tech W. tech...@yahoo.com.cn
wrote:
> Hi,
>
> Does squid-3.0 have X-Forwarded-For enabled built-in?
> Since I don't see a configure directive for that in squid.conf.

All squid 3.x have the basic forwarded_for on/off and forwarding additions
working.
3.1 is needed for the more advanced reverse-proxy alterations and
follow_x_forwarded_for operations.

http://www.squid-cache.org/Doc/config/forwarded_for/
(NP: ignore the 2.3 Removed Directives heading, the page generation seems
to be a bit broken. That's part of the 2.6 release notes that should not be
there.)


Amos



[squid-users] X-Forwarded-For and Squid 3.0

2008-11-17 Thread Silamael

Hello!

Are there any plans to implement the X-Forwarded-For feature in Squid3?
We had to use Squid3 due to some ICAP project stuff and we will need the
X-Forwarded-For feature for some other stuff too...

Greetings,
Matthias


Re: [squid-users] X-Forwarded-For and Squid 3.0

2008-11-17 Thread Amos Jeffries

Silamael wrote:

> Hello!
>
> Are there any plans to implement the X-Forwarded-For feature in Squid3?
> We had to use Squid3 due to some ICAP project stuff and we will need the
> X-Forwarded-For feature for some other stuff too...



Yes. It is already done and in Squid 3.1.

We've had a fair number of annoyances found with the 3.1.0.2 packages 
not including everything they needed for the new code. One more in 
today's snapshot. So for testing I'd advise starting with the 20081118 
snapshot.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2


Re: [squid-users] X-Forwarded-For and Squid 3.0

2008-11-17 Thread Silamael

Amos Jeffries wrote:
> Yes. It is already done and in Squid 3.1.
>
> We've had a fair number of annoyances found with the 3.1.0.2 packages
> not including everything they needed for the new code. One more in
> today's snapshot. So for testing I'd advise starting with the 20081118
> snapshot.
>
> Amos

Thank you for the quick reply. So probably we will upgrade to 3.1 then.

- -- Matthias


Re: [squid-users] X-Forwarded-For in Squid3 STABLE1

2008-03-27 Thread Henrik Nordstrom
On Wed, 2008-03-26 at 11:24 -0300, c0re dumped wrote:
> Hello,
>
> Is there a new x-forwarded-for patch to be used on squid3 ?

http://devel.squid-cache.org/projects.html#follow_xff

but it hasn't been updated in quite some time.. (years) and probably
doesn't work too well with current squid3...

> In my opinion such a good feature must be added to the squid base
> code.

Then consider sponsoring adding this feature to Squid-3. Several of the
Squid developers happily accept sponsored work.

Or at minimum file a request in bugzilla to have this forward-ported to
Squid-3 if there isn't one already.

http://www.squid-cache.org/bugs/

Regards
Henrik



[squid-users] X-Forwarded-For in Squid3 STABLE1

2008-03-26 Thread c0re dumped
Hello,

Is there a new x-forwarded-for patch to be used on squid3 ?

I've been searching a lot but without success.

In my opinion such a good feature must be added to the squid base
code. It's really helpful especially if you're using a content filter
such as DansGuardian.


TIA,

c0re

-- 
http://www.webcrunchers.com/crunch/

http://www.myspace.com/whippersnappermusic
http://www.purevolume.com/whippersnapper


Re: [squid-users] x-forwarded-for

2007-09-28 Thread Matus UHLAR - fantomas
On 24.09.07 19:32, Gustavo Uribe wrote:
> Hello list, sorry to bother you with a question, but I've been
> browsing teh internets for a few hours now without finding a clue.
>
> What I'm trying to do is... get in squid access.log the client IP, but
> since I'm using dansguardian , the front proxy is dg and squid only
> sees connections from localhost... so I enabled forwarded-for and
> x-forwarded-for in dansguardian as well compiled squid with
> --x-forwarded-for, put forwarded_for on , but I still see only
> localhost connections... what am I missing?

put localhost (DG) into follow_x_forwarded_for
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Honk if you love peace and quiet. 


Re: [squid-users] x-forwarded-for

2007-09-28 Thread Chris Nighswonger
On 9/24/07, Gustavo Uribe [EMAIL PROTECTED] wrote:
> Hello list, sorry to bother you with a question, but I've been
> browsing teh internets for a few hours now without finding a clue.
>
> What I'm trying to do is... get in squid access.log the client IP, but
> since I'm using dansguardian , the front proxy is dg and squid only
> sees connections from localhost... so I enabled forwarded-for and
> x-forwarded-for in dansguardian as well compiled squid with
> --x-forwarded-for, put forwarded_for on , but I still see only
> localhost connections... what am I missing?


Check this post on the DG users list:

http://tech.groups.yahoo.com/group/dansguardian/message/19532

It addresses this issue.

Chris


[squid-users] x-forwarded-for

2007-09-24 Thread Gustavo Uribe
Hello list, sorry to bother you with a question, but I've been
browsing teh internets for a few hours now without finding a clue.

What I'm trying to do is... get in squid access.log the client IP, but
since I'm using dansguardian , the front proxy is dg and squid only
sees connections from localhost... so I enabled forwarded-for and
x-forwarded-for in dansguardian as well compiled squid with
--x-forwarded-for, put forwarded_for on , but I still see only
localhost connections... what am I missing?


[squid-users] X-Forwarded-For Header and Rewriter

2006-06-06 Thread mickymax
Hi,

does anybody know if it is possible to access the X-Forwarded-Header inside of 
a rewriter script (squid used as reverse proxy). AFAIK, there is only the 
ip-address of the requesting server available which may be the ip of another 
cache-server.

Background: We have another external cache server that queries our squids and 
we want to pass the client ip to an external script which makes decisions about 
the client ip: e.g. redirection to a special url if certain ips are there.
I know that it is easy to trick the x-forwarded-header to fake ips, but 
nevertheless.

if I use something like external_acl %SRC with an external script I can only 
say:OK or ERR, i.e. access or not. But I want to give the client different urls 
back depending on its ip.

Or is there any other possibility to make such decisions (with the 
x-forwarded-for header information) outside the redirect script?

thx in advance,
max
-- 




Re: [squid-users] X-Forwarded-For Header and Rewriter

2006-06-06 Thread Chris Robertson

[EMAIL PROTECTED] wrote:


> Hi,
>
> does anybody know if it is possible to access the X-Forwarded-Header inside of
> a rewriter script (squid used as reverse proxy). AFAIK, there is only the
> ip-address of the requesting server available which may be the ip of another
> cache-server.
>
> Background: We have another external cache server that queries our squids and
> we want to pass the client ip to an external script which makes decisions about
> the client ip: e.g. redirection to a special url if certain ips are there.
> I know that it is easy to trick the x-forwarded-header to fake ips, but
> nevertheless.
>
> if I use something like external_acl %SRC with an external script I can only
> say:OK or ERR, i.e. access or not. But I want to give the client different urls
> back depending on its ip.
>
> Or is there any other possibility to make such decisions (with the
> x-forwarded-for header information) outside the redirect script?
>
> thx in advance,
> max
 

http://devel.squid-cache.org/projects.html#follow_xff might be just what 
you are looking for.  Be aware that development patches are not 
supported and may set your hair on fire.  Also, be aware:


This patch changes the configure.in file, which is an input to 
autoconf. You must run bootstrap.sh after applying this patch, and 
that will run autoconf for you. autoconf will generate a new 
configure script, which will have the new 
--enable-follow-x-forwarded-for option.


Chris


Re: [squid-users] X-Forwarded-For Header and Rewriter

2006-06-06 Thread Henrik Nordstrom
On Tue, 2006-06-06 at 13:26 -0800, Chris Robertson wrote:

> http://devel.squid-cache.org/projects.html#follow_xff might be just what
> you are looking for.  Be aware that development patches are not
> supported and may set your hair on fire.

This patch has been included in the upcoming 2.6 release. You are
welcome to try out the 2.6 pre-release if you like to investigate this.

Regards
Henrik




[squid-users] x-forwarded-for patch (again)

2005-10-16 Thread [EMAIL PROTECTED]
After following some instructions on this list I downloaded 
squid-2.5.STABLE9 and patched with the x_forwarded_for patch and 
nothing works.

here is a summary of what I did:

downloaded and untarred STABLE9

Stefano (the squid package maintainer for squid) graciously provided me 
the ./configure statement he uses to build the slackware package and 
I've enclosed that ./configure line below for reference.


./configure --bindir=/usr/sbin --sysconfdir=/etc/squid \
  --datadir=/etc/squid --libexecdir=/usr/libexec/squid \
  --localstatedir=/var/log/squid --enable-removal-policies="lru heap" \
  --enable-auth="basic ntlm digest" \
  --enable-basic-auth-helpers="NCSA MSNT SMB winbind YP" \
  --enable-digest-auth-helpers=password \
  --enable-external-acl-helpers="ip_user unix_group wbinfo_group winbind_group" \
  --enable-ntlm-auth-helpers="SMB winbind" \
  --enable-async-io --with-pthreads --with-aio \
  --enable-storeio="ufs null aufs coss" \
  --enable-delay-pools --enable-snmp --enable-ssl --enable-icmp \
  --enable-cache-digests --disable-wccp --disable-http-violations \
  --disable-ident-lookups --enable-useragent-log --enable-arp-acl \
  --prefix=/usr

(please excuse the wordwrap)

STABLE9 configure works fine, and so does make all (I didn't make install)

I patched the source with x_forwarded_for patch and manually applied 
the 2 failed hunks src/structs.h


as instructed I ran ./bootstrap.sh and I get this output and error message:

WARNING: Cannot find automake version 1.5
Trying automake (GNU automake) 1.9.5
WARNING: Cannot find autoconf version 2.13
Trying autoconf (GNU Autoconf) 2.59
acinclude.m4:10: warning: underquoted definition of AC_CHECK_SIZEOF_SYSTYPE
 run info '(automake)Extending aclocal'
 or see http://sources.redhat.com/automake/automake.html#Extending-aclocal
acinclude.m4:49: warning: underquoted definition of AC_CHECK_SYSTYPE
/usr/share/aclocal/pkg.m4:5: warning: underquoted definition of 
PKG_CHECK_MODULES
/usr/share/aclocal/libIDL.m4:6: warning: underquoted definition of 
AM_PATH_LIBIDL
/usr/share/aclocal/imlib.m4:9: warning: underquoted definition of 
AM_PATH_IMLIB
/usr/share/aclocal/imlib.m4:167: warning: underquoted definition of 
AM_PATH_GDK_IMLIB

/usr/share/aclocal/gtk.m4:7: warning: underquoted definition of AM_PATH_GTK
/usr/share/aclocal/glib.m4:8: warning: underquoted definition of AM_PATH_GLIB
/usr/share/aclocal/gdk-pixbuf.m4:12: warning: underquoted definition of 
AM_PATH_GDK_PIXBUF
/usr/share/aclocal/audiofile.m4:12: warning: underquoted definition of 
AM_PATH_AUDIOFILE
/usr/share/aclocal/aalib.m4:12: warning: underquoted definition of 
AM_PATH_AALIB
/usr/share/aclocal/ORBit.m4:4: warning: underquoted definition of 
AM_PATH_ORBIT

configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
autoheader: WARNING: Using auxiliary files such as `acconfig.h', 
`config.h.bot'

autoheader: WARNING: and `config.h.top', to define templates for `config.h.in'
autoheader: WARNING: is deprecated and discouraged.
autoheader:
autoheader: WARNING: Using the third argument of `AC_DEFINE' and
autoheader: WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
autoheader: WARNING: `acconfig.h':
autoheader:
autoheader: WARNING:   AC_DEFINE([NEED_FUNC_MAIN], 1,
autoheader: [Define if a function `main' is needed.])
autoheader:
autoheader: WARNING: More sophisticated templates can also be produced, 
see the

autoheader: WARNING: documentation.
configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
configure.in:2214: error: do not use LIBOBJS directly, use AC_LIBOBJ 
(see section `AC_LIBOBJ vs LIBOBJS'

 If this token and others are legitimate, please use m4_pattern_allow.
 See the Autoconf documentation.
autoconf failed
Autotool bootstrapping failed. You will need to investigate and correct
before you can develop on this source tree

As you can see the bootstrap of the new patch fails

if I run ./bootstrap.sh again then the output is the same as above but 
somehow the last sentence about the failure is gone, and all seems to 
have worked.

however if you try to make all you are going to get a make warning 
stating that the linux_netfilter was found but that it couldn't be 
compiled against and it won't be installed.


could someone please tell me what is going on here?

Stefano has graciously offered to make the x_forwarded_for patch a part 
of the slackware package from STABLE12 on


I would suggest that if you are on another distro that you contact your 
package maintainer and ask that 

RE: [squid-users] x-forwarded-for patch (again)

2005-10-16 Thread Lucia Di Occhi
I don't see anything with regard to the x-forward-patch being included in 
STABLE12.  The diff file does not mention anything either.  Is this a distro 
specific thing?




From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: squid-users@squid-cache.org
Subject: [squid-users] x-forwarded-for patch (again)
Date: Sun, 16 Oct 2005 21:31:40 +

After following some instructions on this list I downloaded 
squid-2.5.STABLE9 and patched with the x_forwarded_for patch and nothing 
works.


here is a summary of what I did:

downloaded and untarred STABLE9

Stefano (the squid package maintainer for squid) graciously provided me the 
./configure statement he uses to build the slackware package and I've 
enclosed that ./configure line below for reference.


./configure --bindir=/usr/sbin --sysconfdir=/etc/squid \
  --datadir=/etc/squid --libexecdir=/usr/libexec/squid \
  --localstatedir=/var/log/squid --enable-removal-policies="lru heap" \
  --enable-auth="basic ntlm digest" \
  --enable-basic-auth-helpers="NCSA MSNT SMB winbind YP" \
  --enable-digest-auth-helpers=password \
  --enable-external-acl-helpers="ip_user unix_group wbinfo_group winbind_group" \
  --enable-ntlm-auth-helpers="SMB winbind" \
  --enable-async-io --with-pthreads --with-aio \
  --enable-storeio="ufs null aufs coss" \
  --enable-delay-pools --enable-snmp --enable-ssl --enable-icmp \
  --enable-cache-digests --disable-wccp --disable-http-violations \
  --disable-ident-lookups --enable-useragent-log --enable-arp-acl \
  --prefix=/usr

(please excuse the wordwrap)

STABLE9 configure works fine, and so does make all (I didn't make install)

I patched the source with x_forwarded_for patch and manually applied the 2 
failed hunks src/structs.h


as instructed I ran ./bootstrap.sh and I get this output and error message:

WARNING: Cannot find automake version 1.5
Trying automake (GNU automake) 1.9.5
WARNING: Cannot find autoconf version 2.13
Trying autoconf (GNU Autoconf) 2.59
acinclude.m4:10: warning: underquoted definition of AC_CHECK_SIZEOF_SYSTYPE
 run info '(automake)Extending aclocal'
 or see http://sources.redhat.com/automake/automake.html#Extending-aclocal
acinclude.m4:49: warning: underquoted definition of AC_CHECK_SYSTYPE
/usr/share/aclocal/pkg.m4:5: warning: underquoted definition of PKG_CHECK_MODULES
/usr/share/aclocal/libIDL.m4:6: warning: underquoted definition of AM_PATH_LIBIDL
/usr/share/aclocal/imlib.m4:9: warning: underquoted definition of AM_PATH_IMLIB
/usr/share/aclocal/imlib.m4:167: warning: underquoted definition of AM_PATH_GDK_IMLIB
/usr/share/aclocal/gtk.m4:7: warning: underquoted definition of AM_PATH_GTK
/usr/share/aclocal/glib.m4:8: warning: underquoted definition of AM_PATH_GLIB
/usr/share/aclocal/gdk-pixbuf.m4:12: warning: underquoted definition of AM_PATH_GDK_PIXBUF
/usr/share/aclocal/audiofile.m4:12: warning: underquoted definition of AM_PATH_AUDIOFILE
/usr/share/aclocal/aalib.m4:12: warning: underquoted definition of AM_PATH_AALIB
/usr/share/aclocal/ORBit.m4:4: warning: underquoted definition of AM_PATH_ORBIT
configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
autoheader: WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
autoheader: WARNING: and `config.h.top', to define templates for `config.h.in'
autoheader: WARNING: is deprecated and discouraged.
autoheader:
autoheader: WARNING: Using the third argument of `AC_DEFINE' and
autoheader: WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
autoheader: WARNING: `acconfig.h':
autoheader:
autoheader: WARNING:   AC_DEFINE([NEED_FUNC_MAIN], 1,
autoheader: [Define if a function `main' is needed.])
autoheader:
autoheader: WARNING: More sophisticated templates can also be produced, see the
autoheader: WARNING: documentation.
configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
configure.in:2214: error: do not use LIBOBJS directly, use AC_LIBOBJ (see section `AC_LIBOBJ vs LIBOBJS'
 If this token and others are legitimate, please use m4_pattern_allow.
 See the Autoconf documentation.
autoconf failed
Autotool bootstrapping failed. You will need to investigate and correct
before you can develop on this source tree

As you can see the bootstrap of the new patch fails

if I run /bootstrap.sh again then the output is the same as above but 
somehow the last sentence about the failure is gone, and all seems to have 
worked.


however if you try to make all you are going to get a make warning stating 
that the linux_netfilter was found

Re: [squid-users] x-forwarded-for patch (again)

2005-10-16 Thread Henrik Nordstrom

On Sun, 16 Oct 2005, [EMAIL PROTECTED] wrote:


> as instructed I ran ./bootstrap.sh and I get this output and error message:
>
> WARNING: Cannot find automake version 1.5
> Trying automake (GNU automake) 1.9.5
> WARNING: Cannot find autoconf version 2.13
> Trying autoconf (GNU Autoconf) 2.59


You need to fix this before continuing. Squid-2.5 requires the above 
autotool versions.


Regards
Henrik


RE: [squid-users] x-forwarded-for patch (again)

2005-10-16 Thread [EMAIL PROTECTED]

Quoting Lucia Di Occhi [EMAIL PROTECTED]:

> I don't see anything with regard to the x-forward-patch being
> included in STABLE12.  The diff file does not mention anything
> either.  Is this a distro specific thing?




Lucia:

Squid has several enhancement options that may or may not fit any 
particular user, and most (if not all) of them are hosted on a 
dedicated squid projects page that used to be at squid.sourceforge.net


using any one of these enhancements to squid may provide additional 
functionality that the main squid package is lacking.


check it out.

Rance



RE: [squid-users] x-forwarded-for patch (again)

2005-10-16 Thread Henrik Nordstrom



On Sun, 16 Oct 2005, Lucia Di Occhi wrote:

> I don't see anything with regard to the x-forward-patch being included in
> STABLE12.


It's not.

> The diff file does not mention anything either.  Is this a distro
> specific thing?


What is talked about is the Follow X-Forwarded-For headers patch 
available from devel.squid-cache.org.


The author of this patch kindly provided a Squid-2.5 version some years 
back, but it has not been maintained for more current Squid-2.5 versions 
(last patch update was 2003/11/23) and manual editing is now required to 
apply the patch to the current Squid releases.


Regards
Henrik


RE: [squid-users] x-forwarded-for patch (again)

2005-10-16 Thread Henrik Nordstrom

On Sun, 16 Oct 2005, [EMAIL PROTECTED] wrote:

> Squid has several enhancement options that may or may not fit any particular
> user, and most (if not all) of them are hosted on a dedicated squid projects
> page that used to be at squid.sourceforge.net


Used to? That page is very much still there.. but nowadays perhaps more 
commonly known as devel.squid-cache.org.


Regards
Henrik


Re: [squid-users] x-forwarded-for patch for squid-2.5.Stable11

2005-10-14 Thread saravanan ganapathy
  I am posting this on both dansguardian and squid lists so that it can help
  anyone with the x-forwarded-for patch.

  Download squid-2.5.STABLE9.tar.gz and follow_xff-2.5.STABLE5.patch on /tmp
  Extract the squid tar file with: tar xvfz squid-2.5.STABLE9.tar.gz
  copy follow_xff-2.5.STABLE5.patch to /tmp/squid-2.5.STABLE9
  cd to /tmp/squid-2.5.STABLE9 and execute: patch -p0 < follow_xff-2.5.STABLE5.patch

  you should get the following errors:

  FedoraCore2[/tmp/squid-2.5.STABLE9]patch -p0 < follow_xff-2.5.STABLE5.patch
  patching file acconfig.h
  patching file bootstrap.sh
  Hunk #1 succeeded at 66 (offset 7 lines).
  patching file configure.in
  Hunk #1 succeeded at 1128 (offset 28 lines).
  patching file src/acl.c
  Hunk #1 succeeded at 2147 (offset 107 lines).
  patching file src/cf.data.pre
  Hunk #1 succeeded at 2144 (offset 29 lines).
  patching file src/client_side.c
  Hunk #2 succeeded at 185 (offset 2 lines).
  Hunk #4 succeeded at 3308 (offset 58 lines).
  patching file src/delay_pools.c
  patching file src/structs.h
  Hunk #1 FAILED at 594.
  Hunk #2 succeeded at 634 (offset 14 lines).
  Hunk #3 succeeded at 1621 (offset 2 lines).
  Hunk #4 succeeded at 1684 (offset 14 lines).
  Hunk #5 FAILED at 1697.
  2 out of 5 hunks FAILED -- saving rejects to file src/structs.h.rej

  This means that two hunks (parts) of the patch failed to patch src/structs.h
  at around lines 594 and 1697.  Now look at the src/structs.h.rej which
  should look like this:
  
  ***
  *** 594,599 
  int pipeline_prefetch;
  int request_entities;
  int detect_broken_server_pconns;
} onoff;
acl *aclList;
struct {
  --- 594,604 
  int pipeline_prefetch;
  int request_entities;
  int detect_broken_server_pconns;
  + #if FOLLOW_X_FORWARDED_FOR
  +int acl_uses_indirect_client;
  +int delay_pool_uses_indirect_client;
  +int log_uses_indirect_client;
  + #endif /* FOLLOW_X_FORWARDED_FOR */
} onoff;
acl *aclList;
struct {
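
Review bot: the three flags added to `onoff` in the 594,604 section (acl_uses_indirect_client, delay_pool_uses_indirect_client, log_uses_indirect_client) have no comment saying what each one switches. Going by the names and the FOLLOW_X_FORWARDED_FOR guard, each appears to decide whether a subsystem acts on an address taken from the X-Forwarded-For header instead of the connecting address, so a one-line comment per field saying so, and noting that the header value is supplied by the sender, would help whoever later enables them for ACLs or logging.
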
  ***
  *** 1681,1686 
char *peer_login; /* Configured peer
  login:password */
time_t lastmod;   /* Used on
 refreshes
  */
const char *vary_headers; /* Used when
 varying
  entities are detected. 
  Chan
  ges how the store key is calculated */
};
  
struct _cachemgr_passwd {
  --- 1697,1707 
char *peer_login; /* Configured peer
  login:password */
time_t lastmod;   /* Used on
 refreshes
  */
const char *vary_headers; /* Used when
 varying
  entities are detected. 
  Chan
  ges how the store key is calculated */
  + #if FOLLOW_X_FORWARDED_FOR
  + /* XXX a list of IP addresses would be a
  better data structure
  +  * than this String */
  + String x_forwarded_for_iterator;
  + #endif /* FOLLOW_X_FORWARDED_FOR */
};
  
struct _cachemgr_passwd {
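
Review bot: the added `String x_forwarded_for_iterator` field in the 1697,1707 section carries an XXX comment conceding that a list of IP addresses would be the better data structure. Keeping the header as text leaves parsing and validation of each entry to whatever code walks this field; either parse the header once into an address list when it is read, or document here which function owns the parsing and what it does with entries that are not valid addresses.
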
  
  As you can see the patch has found some 'issues' on line 594 where it was
  expecting something that it did not find.  No problem, just open
  src/structs.h with 'vi' and go to line 594 and locate the line:

  int detect_broken_server_pconns;

  which should be somewhere around there.
  now insert the following as described by the .rej file (remove the + which
  means ADD)
  
  #if FOLLOW_X_FORWARDED_FOR
  int acl_uses_indirect_client;
  int delay_pool_uses_indirect_client;
  int log_uses_indirect_client;
  #endif /* FOLLOW_X_FORWARDED_FOR */
  
  so around line 594 you should now have:
  
  int detect_broken_server_pconns;
  #if FOLLOW_X_FORWARDED_FOR
  int acl_uses_indirect_client;
  int delay_pool_uses_indirect_client;
  int log_uses_indirect_client;
  #endif /* FOLLOW_X_FORWARDED_FOR */
  int balance_on_multiple_ip;
  int relaxed_header_parser;
  int accel_uses_host_header;
  int accel_no_pmtu_disc;
  } onoff;
  acl *aclList;
  
  OK, let's now go to line 1697 (more or less since we have just added a few
  lines around 594)
  locate the line:

  const char *vary_headers; /* Used when varying entities are detected. Changes how the store key is calculated */

  which should be somewhere around there.
  now insert the following as described by the .rej file (remove the + which
  means ADD)

  #if FOLLOW_X_FORWARDED_FOR
      /* XXX a list of IP addresses would be a better data structure
       * than this String */
      String x_forwarded_for_iterator;
  #endif /* FOLLOW_X_FORWARDED_FOR */

  so around line 1697 you should now have:

  char *peer_login;   /* Configured peer login:password */
  time_t lastmod; /* Used on refreshes */
  const char *vary_headers;   /* Used when varying entities are detected. Changes how the store key is calculated */
  #if FOLLOW_X_FORWARDED_FOR
  /* 


Re: [squid-users] x-forwarded-for patch for squid-2.5.Stable11

2005-10-14 Thread Kenneth Oncinian

Sarav,

Same here, until stable10, I can apply the rejects manually, but it
doesn't work with stable11 anymore.


regards,
Kenneth



> Anybody got success this patch with squid-2.5.STABLE11? Pls help
> me.
>
> Sarav







- --

Kenneth P. Oncinian
Network Administrator
Panasonic Communications Philippines Corporation
Information Systems Division - Network and Systems Group
- --
PGP Public Key: http://m.1asphost.com/koncinian/koncinian.gnupg.key



Re: [squid-users] x-forwarded-for patch install problem

2005-03-11 Thread saravanan ganapathy

--- saravanan ganapathy [EMAIL PROTECTED] wrote:
> --- Henrik Nordstrom [EMAIL PROTECTED] wrote:
>> On Wed, 9 Mar 2005, saravanan ganapathy wrote:
>>
>>> Hand edit the files, adding the changes patch could
>>> not automatically
>>> figure out what to do with (failed/rejected).
>>>
>>> What are the files to be edited? What are all the
>>> changes to be done?
>>
>> See the output of the patch command. There is two
>> filenames mentioned...
>>
>> patching file src/structs.h
>> 2 out of 5 hunks FAILED -- saving rejects to
>> file src/structs.h.rej
>
> Really I don't know what to be changed in
> src/structs.h  src/structs.h.rej
>
> Pls help me
>
> Sarav

I tried to find the docs in the net,but couldn't.

Hope some of you already did this configuration. Can
you pls help me?

Sarav 





Re: [squid-users] x-forwarded-for patch install problem

2005-03-11 Thread Henrik Nordstrom
On Fri, 11 Mar 2005, saravanan ganapathy wrote:

> Really I don't know what to be changed in
> src/structs.h  src/structs.h.rej
> Pls help me
> Sarav
> I tried to find the docs in the net,but couldn't.

The .rej file shows what should be changed in the file.

Regards
Henrik


Re: [squid-users] x-forwarded-for patch install problem

2005-03-10 Thread Henrik Nordstrom

On Wed, 9 Mar 2005, saravanan ganapathy wrote:

>> Hand edit the files, adding the changes patch could
>> not automatically
>> figure out what to do with (failed/rejected).
>
> What are the files to be edited? What are all the
> changes to be done?

See the output of the patch command. There is two filenames mentioned...

   patching file src/structs.h
   2 out of 5 hunks FAILED -- saving rejects to file src/structs.h.rej

Regards
Henrik


[squid-users] x-forwarded-for patch install problem

2005-03-09 Thread saravanan ganapathy
Hai 

When I tried to apply follow_xff-2.5.patch on
squid-2.5.STABLE9 , I am getting the following error

patching file src/structs.h
Hunk #1 FAILED at 592.
Hunk #2 succeeded at 634 (offset 16 lines).
Hunk #3 succeeded at 1619 (offset 7 lines).
Hunk #4 succeeded at 1679 (offset 16 lines).
Hunk #5 FAILED at 1692.
2 out of 5 hunks FAILED -- saving rejects to file
src/structs.h.rej

How to solve this problem?

PS : I am using redhat9.0

Sarav 







Re: [squid-users] x-forwarded-for patch install problem

2005-03-09 Thread Henrik Nordstrom

On Wed, 9 Mar 2005, saravanan ganapathy wrote:

> Hai
>
> When I tried to apply follow_xff-2.5.patch on
> squid-2.5.STABLE9 , I am getting the following error
>
> patching file src/structs.h
> Hunk #1 FAILED at 592.
> Hunk #2 succeeded at 634 (offset 16 lines).
> Hunk #3 succeeded at 1619 (offset 7 lines).
> Hunk #4 succeeded at 1679 (offset 16 lines).
> Hunk #5 FAILED at 1692.
> 2 out of 5 hunks FAILED -- saving rejects to file
> src/structs.h.rej
>
> How to solve this problem?

Hand edit the files, adding the changes patch could not automatically 
figure out what to do with (failed/rejected).

Regards
Henrik


Re: [squid-users] x-forwarded-for patch install problem

2005-03-09 Thread saravanan ganapathy

--- Henrik Nordstrom [EMAIL PROTECTED] wrote:
> On Wed, 9 Mar 2005, saravanan ganapathy wrote:
>
>> Hai
>>
>> When I tried to apply follow_xff-2.5.patch on
>> squid-2.5.STABLE9 , I am getting the following
>> error
>>
>> patching file src/structs.h
>> Hunk #1 FAILED at 592.
>> Hunk #2 succeeded at 634 (offset 16 lines).
>> Hunk #3 succeeded at 1619 (offset 7 lines).
>> Hunk #4 succeeded at 1679 (offset 16 lines).
>> Hunk #5 FAILED at 1692.
>> 2 out of 5 hunks FAILED -- saving rejects to file
>> src/structs.h.rej
>>
>> How to solve this problem?
>
> Hand edit the files, adding the changes patch could
> not automatically
> figure out what to do with (failed/rejected).


What are the files to be edited? What are all the
changes to be done? 

Can u pls help me on this?

Sarav 



[squid-users] X-Forwarded-For header cleanup

2004-11-17 Thread Janno de Wit
Hi folks,
 
My Squid always modifies the X-Forwarded-For header with the client-IP.
I'm now in a situation I want to keep the X-Forwarded-For header as it
is..
As far as i see it's only possible to disable the X-forwarded-for
header, which will result the header as:
X-Forwarded-For: Unknown.
 
At this time, I have already a X-Forwarded-For header. My final header
as Squid will send out is:
 
X-Forwarded-For: my-client-ip-by-other-squid, other proxy server
 
I want Squid to keep the header for what it is, thus:
input: 
X-Forwarded-For: my-client-ip-by-other-squid
output:
X-Forwarded-For: my-client-ip-by-other-squid
 
Is this possible?
 
Thanks, Janno.


Re: [squid-users] X-Forwarded-For header cleanup

2004-11-17 Thread Bin Liu
Yep,  I think I'm in the same situation.

I think it's better that when we set  forwarded_for off in
squid.conf, we should never see X-Forwarded-For: Unknown. when there
is no X-Forwarded-For previously, and squid will not add  unknown 
when we already have one.


On Wed, 17 Nov 2004 10:12:38 +0100, Janno de Wit [EMAIL PROTECTED] wrote:
> Hi folks,
>
> My Squid always modifies the X-Forwarded-For header with the client-IP.
> I'm now in a situation I want to keep the X-Forwarded-For header as it
> is..
> As far as i see it's only possible to disable the X-forwarded-for
> header, which will result the header as:
> X-Forwarded-For: Unknown.
>
> At this time, I have already a X-Forwarded-For header. My final header
> as Squid will send out is:
>
> X-Forwarded-For: my-client-ip-by-other-squid, other proxy server
>
> I want Squid to keep the header for what it is, thus:
> input:
> X-Forwarded-For: my-client-ip-by-other-squid
> output:
> X-Forwarded-For: my-client-ip-by-other-squid
>
> Is this possible?
>
> Thanks, Janno.



Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Henrik Nordstrom

On Wed, 20 Oct 2004, Scott Mayo wrote:

> I am trying to patch squid with X-Forwarded-For and run into all kinds of
> trouble.  I downloaded squid-2.5.STABLE4 and the patch listed here:
> http://squid.sourceforge.net/follow_xff/ but when I do the patch and then run
> bootstrap.sh, I get all kinds of ERRORS and WARNINGS.

What does the first few errors/warnings look like?

Regards
Henrik


Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Scott Mayo
Henrik Nordstrom wrote:

> On Wed, 20 Oct 2004, Scott Mayo wrote:
>> I am trying to patch squid with X-Forwarded-For and run into all kinds
>> of trouble.  I downloaded squid-2.5.STABLE4 and the patch listed here:
>> http://squid.sourceforge.net/follow_xff/ but when I do the patch and
>> then run bootstrap.sh, I get all kinds of ERRORS and WARNINGS.
>
> What does the first few errors/warnings look like?

I got to looking and there is actually only 1 major issue I guess.  The 
others say that something is deprecated and discouraged.

Can't find autoconf version 2.13
trying version 2.59

If I go to the cvs.devel.squid-cache.org repository and download the 
correct version of autoconf, will this work?  I did not know if I could 
put an older version of this file in with this version of squid and 
everything would still be ok.

Thanks for the help.
--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549
Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.


Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Scott Mayo
Scott Mayo wrote:
> Henrik Nordstrom wrote:
>
>> On Wed, 20 Oct 2004, Scott Mayo wrote:
>>> I am trying to patch squid with X-Forwarded-For and run into all
>>> kinds of trouble.  I downloaded squid-2.5.STABLE4 and the patch
>>> listed here: http://squid.sourceforge.net/follow_xff/ but when I do
>>> the patch and then run bootstrap.sh, I get all kinds of ERRORS and
>>> WARNINGS.
>>
>> What does the first few errors/warnings look like?
>
> I got to looking and there is actually only 1 major issue I guess.  The
> others say that something is deprecated and discouraged.
>
> Can't find autoconf version 2.13
> trying version 2.59
>
> If I go to the cvs.devel.squid-cache.org repository and download the
> correct version of autoconf, will this work?  I did not know if I could
> put an older version of this file in with this version of squid and
> everything would still be ok.

After reading more about this, I assume that I need to actually go to 
http://ftp.gnu.org/gnu/autoconf/ and download the correct version of 
autoconf.  Is downgrading to autoconf 2.13 going to effect anything else 
in my system?  I am running Fedora 2.

Thanks Scott

--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549
Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.


Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Scott Mayo
Scott Mayo wrote:
> Scott Mayo wrote:
>> Henrik Nordstrom wrote:
>>
>>> On Wed, 20 Oct 2004, Scott Mayo wrote:
>>>> I am trying to patch squid with X-Forwarded-For and run into all
>>>> kinds of trouble.  I downloaded squid-2.5.STABLE4 and the patch
>>>> listed here: http://squid.sourceforge.net/follow_xff/ but when I do
>>>> the patch and then run bootstrap.sh, I get all kinds of ERRORS and
>>>> WARNINGS.
>>>
>>> What does the first few errors/warnings look like?
>>
>> I got to looking and there is actually only 1 major issue I guess.
>> The others say that something is deprecated and discouraged.
>>
>> Can't find autoconf version 2.13
>> trying version 2.59
>>
>> If I go to the cvs.devel.squid-cache.org repository and download the
>> correct version of autoconf, will this work?  I did not know if I
>> could put an older version of this file in with this version of squid
>> and everything would still be ok.
>
> After reading more about this, I assume that I need to actually go to
> http://ftp.gnu.org/gnu/autoconf/ and download the correct version of
> autoconf.  Is downgrading to autoconf 2.13 going to effect anything else
> in my system?  I am running Fedora 2.
> Thanks Scott

I download and compiled the autoconf 2.13 and then ran the bootstrap. 
It gave a bunch of the same warnings:

configure.in:: warning: AC_TRY_RUN called without default to allow 
cross compiling.

It then said that bootstrapping was complete.  Are these warnings alright?
Thanks for the help.
--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549
Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.


RE: [squid-users] X-Forwarded-For

2004-10-21 Thread Harding, Devon
I'm actually looking for the same thing.  Patches can be a pain
sometimes.

Mandrake has an updated RPM with the patch already built in, but I'm not
sure if it would work on FC2.  

http://www.rpmfind.net//linux/RPM/cooker/cooker/i586/media/main/squid-2.5.STABLE6-2mdk.i586.html

-Devon

-Original Message-
From: Scott Mayo [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 21, 2004 11:54 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [squid-users] X-Forwarded-For

Scott Mayo wrote:

 Scott Mayo wrote:
 
 Henrik Nordstrom wrote:



 On Wed, 20 Oct 2004, Scott Mayo wrote:

 I am trying to patch squid with X-Forwarded-For and run into all 
 kinds of trouble.  I downloaded squid-2.5.STABLE4 and the patch 
 listed here: http://squid.sourceforge.net/follow_xff/ but when I do

 the patch and then run bootstrap.sh, I get all kinds of ERRORS and 
 WARNINGS.




 What does the first few errors/warnings look like?


 I got to looking and there is actually only 1 major issue I guess.  
 The others say that something is deprecated and discouraged.

 Can't find autoconf version 2.13
 trying version 2.59

 If I go to the cvs.devel.squid-cache.org repository and download the 
 correct version of autoconf, will this work?  I did not know if I 
 could put an older version of this file in with this version of squid

 and everything would still be ok.
 
 
 After reading more about this, I assume that I need to actually go to 
 http://ftp.gnu.org/gnu/autoconf/ and download the correct version of 
 autoconf.  Is downgrading to autoconf 2.13 going to effect anything
else 
 in my system?  I am running Fedora 2.
 Thanks Scott
 
I download and compiled the autoconf 2.13 and then ran the bootstrap. 
It gave a bunch of the same warnings:

configure.in:: warning: AC_TRY_RUN called without default to allow 
cross compiling.

It then said that bootstrapping was complete.  Are these warnings
alright?
Thanks for the help.

-- 
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549

Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.




Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Scott Mayo
Scott Mayo wrote:
> Scott Mayo wrote:
>> Scott Mayo wrote:
>>> Henrik Nordstrom wrote:
>>>
>>>> On Wed, 20 Oct 2004, Scott Mayo wrote:
>>>>> I am trying to patch squid with X-Forwarded-For and run into all
>>>>> kinds of trouble.  I downloaded squid-2.5.STABLE4 and the patch
>>>>> listed here: http://squid.sourceforge.net/follow_xff/ but when I do
>>>>> the patch and then run bootstrap.sh, I get all kinds of ERRORS and
>>>>> WARNINGS.
>>>>
>>>> What does the first few errors/warnings look like?
>>>
>>> I got to looking and there is actually only 1 major issue I guess.
>>> The others say that something is deprecated and discouraged.
>>>
>>> Can't find autoconf version 2.13
>>> trying version 2.59
>>>
>>> If I go to the cvs.devel.squid-cache.org repository and download the
>>> correct version of autoconf, will this work?  I did not know if I
>>> could put an older version of this file in with this version of squid
>>> and everything would still be ok.
>>
>> After reading more about this, I assume that I need to actually go to
>> http://ftp.gnu.org/gnu/autoconf/ and download the correct version of
>> autoconf.  Is downgrading to autoconf 2.13 going to effect anything
>> else in my system?  I am running Fedora 2.
>> Thanks Scott
>
> I download and compiled the autoconf 2.13 and then ran the bootstrap. It
> gave a bunch of the same warnings:
>
> configure.in:: warning: AC_TRY_RUN called without default to allow
> cross compiling.
>
> It then said that bootstrapping was complete.  Are these warnings alright?
> Thanks for the help.

OK, from what I have read, this warning is nothing to be concerned with. 
Now my question is, since I have used the autoconf 2.13 to get the 
correct configure file, can I now go back to version 2.59 with no 
problems?

--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549
Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.


Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Henrik Nordstrom
On Thu, 21 Oct 2004, Scott Mayo wrote:

> I got to looking and there is actually only 1 major issue I guess.  The
> others say that something is deprecated and discouraged.
>
> Can't find autoconf version 2.13
> trying version 2.59

Squid-2.5 needs autoconf 2.13. You will also see this warning/error if you 
try to bootstrap the Squid-2.5 sources without any patches.

autoconf is a GNU tool.

Regards
Henrik


Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Henrik Nordstrom
On Thu, 21 Oct 2004, Scott Mayo wrote:

> After reading more about this, I assume that I need to actually go to
> http://ftp.gnu.org/gnu/autoconf/ and download the correct version of
> autoconf.  Is downgrading to autoconf 2.13 going to effect anything else in
> my system?  I am running Fedora 2.

Fedora 2 has a autoconf213 package ready for you to use..

Regards
Henrik


Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Henrik Nordstrom
On Thu, 21 Oct 2004, Scott Mayo wrote:
> configure.in:: warning: AC_TRY_RUN called without default to allow cross
> compiling.
>
> It then said that bootstrapping was complete.  Are these warnings alright?

Yes.
Regards
Henrik


[squid-users] X-Forwarded-For

2004-10-20 Thread Scott Mayo
I am trying to patch squid with X-Forwarded-For and running into all kinds 
of trouble.  I downloaded squid-2.5.STABLE4 and the patch listed here: 
http://squid.sourceforge.net/follow_xff/ but when I do the patch and 
then run bootstrap.sh, I get all kinds of ERRORS and WARNINGS.  Is there 
a newer patch for squid 2.5?
Thanks.
--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-4564
FA: 573-568-4565
Pager: 800-264-2535 X2549

WindowS
LinUX!
Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.


Re: [squid-users] X-Forwarded-For: unknown

2004-07-26 Thread Henrik Nordstrom
On Mon, 12 Jul 2004, Marco Berizzi wrote:

> I'm experiencing a problem with a web site because
> X-Forwarded-For is unknown.

If the X-Forwarded-For header says unknown then you have set 
forwarded_for off in squid.conf.

If it is completely missing then you have denied it from header_access.

Regards
Henrik
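
The two symptoms distinguished in the reply above ("unknown" versus a missing header) can be checked against a squid.conf mechanically. This is an added example, not code from the thread or from Squid; the function names and the sample configuration are constructed, and the check ignores which ACL a deny rule is bound to.

```python
# Constructed sample squid.conf, not taken from the thread.
SAMPLE_CONF = """\
forwarded_for on
header_access User-Agent deny all
header_replace User-Agent Mozilla/5.0
# a later line silently overrides the earlier one
forwarded_for off
header_access X-Forwarded-For deny all
"""

# header_access is the Squid 2.5 name; request_header_access is the later one.
ACCESS_DIRECTIVES = {"header_access", "request_header_access"}


def diagnose_xff(conf_text):
    """Return (effective forwarded_for value, [(lineno, line)] of deny rules
    that can strip X-Forwarded-For)."""
    forwarded_for = "on"  # the default reported from squid.conf.default
    strippers = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] == "forwarded_for" and len(tokens) >= 2:
            forwarded_for = tokens[1].lower()  # the last occurrence wins
        elif tokens[0] in ACCESS_DIRECTIVES and len(tokens) >= 3:
            header, action = tokens[1].lower(), tokens[2].lower()
            # Simplification: any deny rule naming the header (or All) is
            # reported, whatever ACL it is bound to.
            if action == "deny" and header in ("x-forwarded-for", "all"):
                strippers.append((lineno, line))
    return forwarded_for, strippers


def expected_on_wire(conf_text):
    """Predict what the origin server sees, using the two rules in the reply:
    a deny rule removes the header, forwarded_for off sends 'unknown'."""
    value, strippers = diagnose_xff(conf_text)
    if strippers:
        return "missing"
    if value == "off":
        return "unknown"
    return "client-ip" if value == "on" else value
```
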



[squid-users] X-Forwarded-For: unknown

2004-07-12 Thread Marco Berizzi
I'm experiencing a problem with a web site because
X-Forwarded-For is unknown.

However squid.conf.default shows that X-Forwarded-For is
on by default.

My squid.conf modifies only the User-Agent header:

header_access User-Agent deny all
header_replace User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20020508 Netscape6/6.2.3

Could it be a problem?



Re: [squid-users] X-Forwarded-For: unknown

2004-07-12 Thread Marco Berizzi
> > However squid.conf.default shows that X-Forwarded-For is
> > on by default.
>
> I presume this is not changed in the current squid.conf by
> setting this parameter to off, for instance?

No, it is not changed.

> Probably not, you can debug the situation further with:
>
>    http://www.showmyip.com
>
> Look for 'Forwarded'.

Done: X-Forwarded-For:unknown
I have also tried with http://www.grc.com



RE: [squid-users] X-Forwarded-For: unknown

2004-07-12 Thread Elsen Marc
 
> > > However squid.conf.default shows that X-Forwarded-For is
> > > on by default.
> >
> > I presume this is not changed in the current squid.conf by
> > setting this parameter to off, for instance?
>
> No, it is not changed.
>
> > Probably not, you can debug the situation further with:
> >
> >    http://www.showmyip.com
> >
> > Look for 'Forwarded'.
>
> Done: X-Forwarded-For:unknown
> I have also tried with http://www.grc.com

Squid version?

M.


Re: [squid-users] X-Forwarded-For: unknown

2004-07-12 Thread Marco Berizzi
> > Buhh... sorry: 2.5.STABLE6 compiled from source on Slackware 9.1
> > kernel 2.4.26 gcc 3.2.3 glibc 2.3.2
>
> Ok, clueless for the moment, but one sanity check, to prove
> that it is related to the header_deny, header_access stuff you use
> in squid.conf:
>
>   - if that is not done, is the situation normal again,
>     with respect to X-Forwarded-For behavior?
>
> If it is, then I have no further clues for the moment, other
> than to report via BUG report.

Oops I'm becoming small small small... found the error: sorry
to everybody.



[squid-users] X-Forwarded-For header

2004-02-04 Thread Abdul Khader
Hi all,
I have patched the squid with the X-Forwarded-For header
patch.
But, still no luck. I am still getting 127.0.0.1 in
access.log.
My current setup is Dansguardian - Squid
Dansguardian is listening on 8080 and squid is
listening on 3128 on 127.0.0.1. I have enabled IP
forwarding in Dansguardian. But in squid access.log, I
still get 127.0.0.1. Please help me. I want to get the
IP addresses of the clients who are hitting the
dansguardian in the access.log of squid.

Regards
Abdul Khader



Re: [squid-users] X-Forwarded-For header

2004-02-04 Thread Henrik Nordstrom
On Tue, 3 Feb 2004, Abdul Khader wrote:

> Hi all,
> I have patched the squid with the X-Forwarded-For header
> patch.
> But, still no luck. I am still getting 127.0.0.1 in
> access.log.

Is Dansguardian sending an X-Forwarded-For header to Squid?

Have you told Squid to look into the header? (see squid.conf.default 
after installing your patched Squid or the documentation on the 
follow_xff web site).

Regards
Henrik
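
An added illustration (not code from Squid or from the follow_xff patch) of what "looking into the header" has to mean if the result feeds source ACLs or access.log: the header is followed only while the request came from a proxy the operator trusts, otherwise any client could forge its address. The function name `indirect_client` and all addresses are constructed for the example.

```python
import ipaddress


def indirect_client(peer_ip, xff_header, trusted_proxies):
    """Resolve the client address to use for ACLs and logging.

    Walks X-Forwarded-For from right to left, taking one more hop only
    while the address reached so far belongs to a trusted proxy.
    """
    trusted = [ipaddress.ip_network(net) for net in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    while hops and is_trusted(current):
        candidate = hops.pop()  # rightmost entry was added by the nearest proxy
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            break  # "unknown" or garbage: keep the last verified address
    return str(current)


# Constructed scenario: a content filter on the same host (127.0.0.1)
# forwards requests to the proxy and appends the real client address.
TRUSTED = ["127.0.0.1/32"]


def logged_address(peer_ip, xff_header):
    """Address that would be written to the log under the TRUSTED policy."""
    return indirect_client(peer_ip, xff_header, TRUSTED)
```

With this policy a header supplied by an untrusted peer is ignored, and entries to the left of the first untrusted hop never influence the result.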



Re: [squid-users] X-forwarded-for

2003-03-17 Thread Marc Elsen


[EMAIL PROTECTED] wrote:
>
> hi, I have the clients, behind them I have squid_A, and behind squid_A I
> have squid_B.
>
> I want the clients' IP to appear in access.log of squid_B, how do I do it?
>
> regards.

  Drop back question: is this possible?

  Answer: no

  M.


-- 

 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)


Re: [squid-users] X-forwarded-for

2003-03-17 Thread Henrik Nordstrom
On Mon, 2003-03-17 at 18:04, Marc Elsen wrote:
> [EMAIL PROTECTED] wrote:
> >
> > hi, I have the clients, behind them I have squid_A, and behind squid_A I
> > have squid_B.
> >
> > I want the clients' IP to appear in access.log of squid_B, how do I do it?
> >
> > regards.
>
>   Drop back question: is this possible?
>
>   Answer: no

Most things are possible in the world of Open Source, and this certainly
is as it has already been done by others:

http://devel.squid-cache.org/projects.html#follow_xff


Regards
Henrik

-- 
Henrik Nordstrom [EMAIL PROTECTED]
MARA Systems AB, Sweden



Re: [squid-users] X-Forwarded Help

2003-02-04 Thread Henrik Nordstrom
See http://devel.squid-cache.org/projects.html#follow_xff

Regards
Henrik

Jason M. Kusar wrote:
>
> Not sure if this is possible, but does anyone know whether it is
> possible for squid to look at the ip specified in the X-Forwarded-For
> header instead of the origin ip?  Basically I want to use source ACLs,
> but I can't right now because the squid proxy is the second in line so
> it sees all requests as coming from the same server.  The proxy in front
> of squid puts the origin ip into the headers so I just need to get squid
> to read them.  If anyone knows how to do this, please let me know.
>
> I'm using squid 2.5.
>
> Thanks,
> Jason



[squid-users] X-Forwarded Help

2003-02-02 Thread Jason M. Kusar
Not sure if this is possible, but does anyone know whether it is 
possible for squid to look at the ip specified in the X-Forwarded-For 
header instead of the origin ip?  Basically I want to use source ACLs, 
but I can't right now because the squid proxy is the second in line so 
it sees all requests as coming from the same server.  The proxy in front
of squid puts the origin ip into the headers so I just need to get squid 
to read them.  If anyone knows how to do this, please let me know.

I'm using squid 2.5.

Thanks,
Jason



Re: [squid-users] X-Forwarded-For: header

2003-01-29 Thread Tesla 13
> 1) is it possible to config squid NOT to set this header at all?

I think
header_access X-Forwarded-For deny all
should do.

You can remove it from the source if you feel so inclined. Just do a grep
-r.

Don't have answers to other questions.

Tesla




Re: [squid-users] X-Forwarded-For: header

2003-01-29 Thread Frank Liu

That works! amazing.
I thought header_access and header_replace only work for
the headers that come from the client, not the ones (like
X-Forwarded-For) that are set from squid itself. I actually tried
header_replace X-Forwarded-For 1.2.3.4
a few days ago but still got unknown.

btw, if I set forwarded_for to off, shouldn't squid stop sending
the X-Forwarded-For header instead of sending a bogus unknown?

Frank

On Wed, 29 Jan 2003, Tesla 13 wrote:

> > 1) is it possible to config squid NOT to set this header at all?
>
> I think
> header_access X-Forwarded-For deny all
> should do.
>
> You can remove it from the source if you feel so inclined. Just do a grep
> -r.
>
> Don't have answers to other questions.
>
> Tesla



Re: [squid-users] X-Forwarded-For: header

2003-01-29 Thread Henrik Nordstrom
Frank Liu wrote:

> 2) is it possible to config squid to send a user defined IP (say
> the IP of the proxy server itself), rather than unknown?

Should be possible to change the header to say whatever you feel like
via header_replace.

> on a related one, is it possible to insert a custom HTTP header?

Not without first coding the feature I think.. but maybe header_replace
can be used..

Regards
Henrik