Re: [squid-users] x-forwarded-for Fail
Thanks Amos, for the good explanation.

So this leads to: I'd like to anonymise my headers to the greatest extent possible. Here is my config:

https://pastee.org/khgtw

Does anyone have a recommended configuration for best privacy?
Re: [squid-users] x-forwarded-for Fail
On 11/10/2013 2:44 a.m., merc1...@f-m.fm wrote:
>> HTML is a different story entirely from HTTP.
>> Manipulation of HTTP headers on every relay point they cross is mandatory.
>
> Why?

a) Because HTML is a markup language for text documents. HTTP is a protocol for software communication.

b) Being a communication protocol, headers in HTTP are used for the purpose of negotiating features used to deliver messages by each end of a particular connection.

Given a proxy chain A <-> B <-> C <-> D. The client connection into a proxy (A->B) usually has different features to the outgoing server connection (B->C). The HTTP headers need to be changed from negotiating (A<->B) mechanisms to (B<->C) mechanisms, things like the message encoding or whether .

Some features like the much maligned Via and X-Forwarded-For relay information from B through C, so that A<->D mechanisms work - usually access control mechanisms for X-Forwarded-For, Via signals min/max available HTTP version or presence of non-HTTP protocols that affect end-to-end capabilities.

Amos
Re: [squid-users] x-forwarded-for Fail
On 11/10/2013 2:44 a.m., merc1...@f-m.fm wrote:
>> HTML is a different story entirely from HTTP.
>> Manipulation of HTTP headers on every relay point they cross is mandatory.
>
> Why?
>
>>>> One interesting case here is that if you add X-Forwarded-For on your
>>>> requests, does that value show up at his end?
>>> I did try setting it to 127.0.0.1, but it didn't fool him.
>>>
>>> Interestingly I run NoScript and have all scripting turned off for his
>>> site, yet he still comes up with my IP. Hm, maybe Crumcast is narcking
>>> me out.
>>
>> Probably. They do have to send packets from your IP to his IP and get
>> the responses back to you.
>
> In order to get back to me my IP is in the packet headers. No need for
> them to be in http headers. That's why you can (ostensibly) turn off
> x-forwarded-for in squid.conf.

Ah, but his site is running a script. The internal design of web servers often includes mapping TCP level details alongside HTTP headers so they can be sent over the very different connection between the server process and the script process.

Good example is PHP's $_SERVER['REMOTE_ADDR'] which lists the IP of the web server receiving the traffic. The rest of that array is the HTTP headers and other environment details.

That is pretty much what X-Forwarded-For is too - just a passing of end-users _public_ TCP connection IP (only the IP) through a hierarchy to the backend when the original TCP connection is nowhere near that backend software.

Amos
Re: [squid-users] x-forwarded-for Fail
> HTML is a different story entirely from HTTP.
> Manipulation of HTTP headers on every relay point they cross is mandatory.

Why?

> >> One interesting case here is that if you add X-Forwarded-For on your
> >> requests, does that value show up at his end?
> > I did try setting it to 127.0.0.1, but it didn't fool him.
> >
> > Interestingly I run NoScript and have all scripting turned off for his
> > site, yet he still comes up with my IP. Hm, maybe Crumcast is narcking
> > me out.
>
> Probably. They do have to send packets from your IP to his IP and get
> the responses back to you.

In order to get back to me my IP is in the packet headers. No need for them to be in http headers. That's why you can (ostensibly) turn off x-forwarded-for in squid.conf.
Re: [squid-users] x-forwarded-for Fail
On 10/10/2013 5:53 p.m., merc1...@f-m.fm wrote:
> On Wed, Oct 9, 2013, at 20:35, Amos Jeffries wrote:
>> All such online header tools are really only delivering a report of the
>> headers which reached them. None of them have ever displayed "The
>> Truth"(tm). The internals of the browser itself contains a set of layers
>> doing header additions and changes. The same is (supposed to be) true of
>> every extra layer of software proxies across the network.
>
> I just can't believe that someone would just keep a lying tool up.
> Maybe I'll send him an email.
>
>> This case is a great example of how no matter what header manipulation
>> you do in your own proxy it cannot change what others are doing to the
>> traffic elsewhere. The CDN he uses adding its own X-Forwarded-* headers.
>> Your own upstream provider might add the X-Forwarded-For header adding
>> details about you. Every proxy along the way removes existing hop-by-hop
>> headers and adds new ones.
>
> Crumcast shouldn't be manipulating my HTML headers; that would cost too
> much.

HTML is a different story entirely from HTTP. Manipulation of HTTP headers on every relay point they cross is mandatory.

>> One interesting case here is that if you add X-Forwarded-For on your
>> requests, does that value show up at his end?
>
> I did try setting it to 127.0.0.1, but it didn't fool him.
>
> Interestingly I run NoScript and have all scripting turned off for his
> site, yet he still comes up with my IP. Hm, maybe Crumcast is narcking
> me out.

Probably. They do have to send packets from your IP to his IP and get the responses back to you.

Amos
Re: [squid-users] x-forwarded-for Fail
On Wed, Oct 9, 2013, at 20:35, Amos Jeffries wrote:
> All such online header tools are really only delivering a report of the
> headers which reached them. None of them have ever displayed "The
> Truth"(tm). The internals of the browser itself contains a set of layers
> doing header additions and changes. The same is (supposed to be) true of
> every extra layer of software proxies across the network.

I just can't believe that someone would just keep a lying tool up. Maybe I'll send him an email.

> This case is a great example of how no matter what header manipulation
> you do in your own proxy it cannot change what others are doing to the
> traffic elsewhere. The CDN he uses adding its own X-Forwarded-* headers.
> Your own upstream provider might add the X-Forwarded-For header adding
> details about you. Every proxy along the way removes existing hop-by-hop
> headers and adds new ones.

Crumcast shouldn't be manipulating my HTML headers; that would cost too much.

> One interesting case here is that if you add X-Forwarded-For on your
> requests, does that value show up at his end?

I did try setting it to 127.0.0.1, but it didn't fool him.

Interestingly I run NoScript and have all scripting turned off for his site, yet he still comes up with my IP. Hm, maybe Crumcast is narcking me out.
Re: [squid-users] x-forwarded-for Fail
On 10/10/2013 9:05 a.m., Will Roberts wrote:
> I'm sure it wasn't malicious. That tool was put up in 2003. At some
> point in the past 10 years he probably put a reverse proxy in front of
> his site. Maybe you should email him and tell him he's broken his header
> tool.

But ... has he actually broken it? or is the breakage something deeper, like the assumption that it can be done at all?

All such online header tools are really only delivering a report of the headers which reached them. None of them have ever displayed "The Truth"(tm). The internals of the browser itself contains a set of layers doing header additions and changes. The same is (supposed to be) true of every extra layer of software proxies across the network.

This case is a great example of how no matter what header manipulation you do in your own proxy it cannot change what others are doing to the traffic elsewhere. The CDN he uses adding its own X-Forwarded-* headers. Your own upstream provider might add the X-Forwarded-For header adding details about you. Every proxy along the way removes existing hop-by-hop headers and adds new ones.

One interesting case here is that if you add X-Forwarded-For on your requests, does that value show up at his end?

Amos
Re: [squid-users] x-forwarded-for Fail
I'm sure it wasn't malicious. That tool was put up in 2003. At some point in the past 10 years he probably put a reverse proxy in front of his site. Maybe you should email him and tell him he's broken his header tool.

On 10/09/2013 03:55 PM, merc1...@f-m.fm wrote:
> Didn't miss his point and I understand exactly what he said.
>
> My question is what possible motive could ericgiguere have for
> misrepresenting headers, on a header query site? It just doesn't make
> sense.
>
> On Wed, Oct 9, 2013, at 12:05, Will Roberts wrote:
>> I think you missed Alex's point.
>>
>> That page itself sits behind a reverse proxy that adds X-Forwarded-For.
>> So using that for your testing isn't going to help.
>>
>> On 10/09/2013 03:01 PM, merc1...@f-m.fm wrote:
>>> Well for Heaven's sake.
>>>
>>> What motivation could he possibly have for dinking with the headers?
>>>
>>> On Wed, Oct 9, 2013, at 11:08, Alex Rousskov wrote:
>>>> On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
>>>>> Looks like turning off x-forwarded-for, has been disabled now. Nothing
>>>>> works.
>>>>> To see what I'm talking about, go to
>>>>> http://www.ericgiguere.com/tools/http-header-viewer.html
>>>>
>>>> The above web page hosts a script that cannot be used as intended
>>>> because it sits behind a server that adds X-Forwarded-For and alters
>>>> some other HTTP headers.
>>>>
>>>> Try testing with something more reliable, like taking a packet capture
>>>> and looking at the actual HTTP requests sent by Squid.
>>>>
>>>> HTH,
>>>>
>>>> Alex.
Re: [squid-users] x-forwarded-for Fail
Didn't miss his point and I understand exactly what he said.

My question is what possible motive could ericgiguere have for misrepresenting headers, on a header query site? It just doesn't make sense.

On Wed, Oct 9, 2013, at 12:05, Will Roberts wrote:
> I think you missed Alex's point.
>
> That page itself sits behind a reverse proxy that adds X-Forwarded-For.
> So using that for your testing isn't going to help.
>
> On 10/09/2013 03:01 PM, merc1...@f-m.fm wrote:
> > Well for Heaven's sake.
> >
> > What motivation could he possibly have for dinking with the headers?
> >
> > On Wed, Oct 9, 2013, at 11:08, Alex Rousskov wrote:
> >> On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
> >>> Looks like turning off x-forwarded-for, has been disabled now. Nothing
> >>> works.
> >>> To see what I'm talking about, go to
> >>> http://www.ericgiguere.com/tools/http-header-viewer.html
> >>
> >> The above web page hosts a script that cannot be used as intended
> >> because it sits behind a server that adds X-Forwarded-For and alters
> >> some other HTTP headers.
> >>
> >> Try testing with something more reliable, like taking a packet capture
> >> and looking at the actual HTTP requests sent by Squid.
> >>
> >> HTH,
> >>
> >> Alex.
Re: [squid-users] x-forwarded-for Fail
I think you missed Alex's point.

That page itself sits behind a reverse proxy that adds X-Forwarded-For. So using that for your testing isn't going to help.

On 10/09/2013 03:01 PM, merc1...@f-m.fm wrote:
> Well for Heaven's sake.
>
> What motivation could he possibly have for dinking with the headers?
>
> On Wed, Oct 9, 2013, at 11:08, Alex Rousskov wrote:
>> On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
>>> Looks like turning off x-forwarded-for, has been disabled now. Nothing
>>> works.
>>> To see what I'm talking about, go to
>>> http://www.ericgiguere.com/tools/http-header-viewer.html
>>
>> The above web page hosts a script that cannot be used as intended
>> because it sits behind a server that adds X-Forwarded-For and alters
>> some other HTTP headers.
>>
>> Try testing with something more reliable, like taking a packet capture
>> and looking at the actual HTTP requests sent by Squid.
>>
>> HTH,
>>
>> Alex.
Re: [squid-users] x-forwarded-for Fail
Well for Heaven's sake.

What motivation could he possibly have for dinking with the headers?

On Wed, Oct 9, 2013, at 11:08, Alex Rousskov wrote:
> On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
> > Looks like turning off x-forwarded-for, has been disabled now. Nothing
> > works.
>
> > To see what I'm talking about, go to
> > http://www.ericgiguere.com/tools/http-header-viewer.html
>
> The above web page hosts a script that cannot be used as intended
> because it sits behind a server that adds X-Forwarded-For and alters
> some other HTTP headers.
>
> Try testing with something more reliable, like taking a packet capture
> and looking at the actual HTTP requests sent by Squid.
>
> HTH,
>
> Alex.
Re: [squid-users] x-forwarded-for Fail
On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
> Looks like turning off x-forwarded-for, has been disabled now. Nothing
> works.

> To see what I'm talking about, go to
> http://www.ericgiguere.com/tools/http-header-viewer.html

The above web page hosts a script that cannot be used as intended because it sits behind a server that adds X-Forwarded-For and alters some other HTTP headers.

Try testing with something more reliable, like taking a packet capture and looking at the actual HTTP requests sent by Squid.

HTH,

Alex.
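The check suggested at the end of this thread, as an added example that is not part of any poster's message: compare the request head the client sent with the request head copied out of a packet capture on the proxy's outgoing side, and list what the proxy itself added, removed or changed. The function names and both sample requests are constructed for illustration.

```python
"""Diff a client's request head against the head seen leaving the proxy."""

# Headers whose presence tells the next hop about the client or the proxy.
IDENTITY_HEADERS = ("x-forwarded-for", "via")


def parse_head(raw):
    """Return (request_line, [(name, value), ...]) from raw HTTP/1.x bytes."""
    text = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0].decode("iso-8859-1")
    lines = text.split("\n")
    fields = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and fields:
            # Obsolete line folding: continuation of the previous field.
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip(), value.strip()))
    return lines[0], fields


def _index(fields):
    """Map lower-cased header name to its list of values, order preserved."""
    out = {}
    for name, value in fields:
        out.setdefault(name.lower(), []).append(value)
    return out


def header_diff(sent, forwarded):
    """Describe how the header set differs between two request heads."""
    before = _index(parse_head(sent)[1])
    after = _index(parse_head(forwarded)[1])
    return {
        "added": {k: after[k] for k in after if k not in before},
        "removed": {k: before[k] for k in before if k not in after},
        "changed": {k: (before[k], after[k])
                    for k in before if k in after and before[k] != after[k]},
    }


def identity_leaks(diff):
    """Added or changed headers that disclose the client or the proxy."""
    seen = dict(diff["added"])
    seen.update({k: new for k, (_old, new) in diff["changed"].items()})
    return {k: seen[k] for k in IDENTITY_HEADERS if k in seen}


# Constructed sample: what a client hands to the proxy.
CLIENT_SENT = (
    b"GET http://www.example.com/ HTTP/1.1\r\n"
    b"User-Agent: curl/7.19.7\r\n"
    b"Host: www.example.com\r\n"
    b"Accept: */*\r\n"
    b"Proxy-Connection: Keep-Alive\r\n\r\n"
)
# Constructed sample: the same request as captured leaving the proxy.
PROXY_SENT = (
    b"GET / HTTP/1.1\r\n"
    b"User-Agent: curl/7.19.7\r\n"
    b"Host: www.example.com\r\n"
    b"Accept: */*\r\n"
    b"Via: 1.1 proxy.example (squid)\r\n"
    b"X-Forwarded-For: 192.0.2.10\r\n"
    b"Cache-Control: max-age=259200\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
# Constructed sample: X-Forwarded-For no longer sent, Via still present.
PROXY_SENT_NO_XFF = PROXY_SENT.replace(b"X-Forwarded-For: 192.0.2.10\r\n", b"")

if __name__ == "__main__":
    for label, capture in (("default", PROXY_SENT), ("no XFF", PROXY_SENT_NO_XFF)):
        diff = header_diff(CLIENT_SENT, capture)
        print(label, "added:", sorted(diff["added"]),
              "removed:", sorted(diff["removed"]),
              "identity:", identity_leaks(diff))
```

Anything a header viewer reports beyond this diff was added after the request left the proxy, which is the situation the thread describes.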
Re: [squid-users] Re: [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!
On 24/08/2013 5:50 p.m., David Isaacs wrote:
> Amos, I've also come across what Michael identified. This is actually a
> bug, right? The checklist() constructor initialises checklist.src_addr
> correctly based on acl_uses_indirect_client but it is then overridden
> with the request's "true" client_addr by the calling function.
>
> I filed it as #3895 http://bugs.squid-cache.org/show_bug.cgi?id=3895

And applied. It should be in the next releases at the end of this month.

Amos
[squid-users] Re: [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!
Amos, I've also come across what Michael identified. This is actually a bug, right? The checklist() constructor initialises checklist.src_addr correctly based on acl_uses_indirect_client but it is then overridden with the request's "true" client_addr by the calling function.

I filed it as #3895 http://bugs.squid-cache.org/show_bug.cgi?id=3895
Re: [squid-users] [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!
On Sat, 2013-08-10 at 14:27 +1200, Amos Jeffries wrote:
> Er. What Squid version are you using?
>
> The checklist() constructor pulls those details out of the request
> object itself in the current Squid versions.

The patch I provided was from trunk in the bazaar repo, but I'm actually running squid 3.3.6 (with the 2 recent security patches added) both of which set the checklist.src_addr after calling checklist().

> And the correct patch is to add:
>
> #if FOLLOW_X_FORWARDED_FOR
>     if (Config.onoff.acl_uses_indirect_client)
>         src_addr = request->indirect_client_addr;
>     else
> #endif /* FOLLOW_X_FORWARDED_FOR */
>         src_addr = request->client_addr;
>
> Amos

Thanks, I'll update the patch I am using.

--
Michael Graham
Re: [squid-users] [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!
On 10/08/2013 3:42 a.m., Michael Graham wrote: Hi all, I've had a look at this issue and I believe I have found the problem. Just to recap I have: follow_x_forwarded_for allow localhost acl forwardTrafficSubnet1 src 172.21.120.0/24 cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1 never_direct deny forwardTrafficSubnet1 cache_peer_access 172.21.120.24 allow all never_direct allow all In the squid.conf but all traffic forwarded for 172.21.120.0/24 addresses get sent to the upstream proxy. I found that this patch resolves the issue: === modified file 'src/neighbors.cc' --- src/neighbors.cc2013-06-07 04:35:25 + +++ src/neighbors.cc2013-08-09 15:25:57 + @@ -204,7 +204,11 @@ return do_ping; ACLFilledChecklist checklist(p->access, request, NULL); +#ifdef FOLLOW_X_FORWARDED_FOR +checklist.src_addr = request->indirect_client_addr; +#else checklist.src_addr = request->client_addr; +#endif checklist.my_addr = request->my_addr; return (checklist.fastCheck() == ACCESS_ALLOWED); Cheers, Er. What Squid version are you using? The checklist() constructor pulls those details out of the request object itself in the current Squid versions. And the correct patch is to add: #if FOLLOW_X_FORWARDED_FOR if (Config.onoff.acl_uses_indirect_client) src_addr = request->indirect_client_addr; else #endif /* FOLLOW_X_FORWARDED_FOR */ src_addr = request->client_addr; Amos
[squid-users] Re: [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!
Back to original squid.conf:
Instead of

follow_x_forwarded_for allow localhost
acl forwardTrafficSubnet1 src 172.21.120.0/24
cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
never_direct deny forwardTrafficSubnet1
cache_peer_access 172.21.120.24 allow all
never_direct allow all

I would use

follow_x_forwarded_for allow localhost
acl forwardTrafficSubnet1 src 172.21.120.0/24
cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
always_direct allow forwardTrafficSubnet1
#never_direct deny forwardTrafficSubnet1 Looks like double negation: NOT Never-DIRECT
cache_peer_access 172.21.120.24 allow all
never_direct allow all
[squid-users] [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!
Hi all, I've had a look at this issue and I believe I have found the problem. Just to recap I have: follow_x_forwarded_for allow localhost acl forwardTrafficSubnet1 src 172.21.120.0/24 cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1 never_direct deny forwardTrafficSubnet1 cache_peer_access 172.21.120.24 allow all never_direct allow all In the squid.conf but all traffic forwarded for 172.21.120.0/24 addresses get sent to the upstream proxy. I found that this patch resolves the issue: === modified file 'src/neighbors.cc' --- src/neighbors.cc2013-06-07 04:35:25 + +++ src/neighbors.cc2013-08-09 15:25:57 + @@ -204,7 +204,11 @@ return do_ping; ACLFilledChecklist checklist(p->access, request, NULL); +#ifdef FOLLOW_X_FORWARDED_FOR +checklist.src_addr = request->indirect_client_addr; +#else checklist.src_addr = request->client_addr; +#endif checklist.my_addr = request->my_addr; return (checklist.fastCheck() == ACCESS_ALLOWED); Cheers, -- Michael Graham
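Review bot: In the `@@ -204,7 +204,11 @@` hunk of src/neighbors.cc, the added `#ifdef FOLLOW_X_FORWARDED_FOR` branch assigns `request->indirect_client_addr` to `checklist.src_addr` whenever the feature is compiled in, so the choice between the header-derived address and the TCP peer address is made at build time only. The replies in this thread tie that choice to `Config.onoff.acl_uses_indirect_client`; testing that flag at run time and falling back to `request->client_addr` when it is off would keep builds with follow_x_forwarded_for support from matching src ACLs in cache_peer_access on an X-Forwarded-For value when the administrator has not asked for that. The form suggested in the replies also uses `#if FOLLOW_X_FORWARDED_FOR` rather than `#ifdef`, which is worth matching so the guard behaves the same as the other uses of that macro.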
Re: [squid-users] X-Forwarded-For and cache_peer_access
On Tue, 2013-07-16 at 09:31 -0400, Michael Graham wrote:
> On Tue, 2013-07-16 at 23:30 +1200, Amos Jeffries wrote:
> > Does the X-Forwarded-For header actually contain an IP from the
> > 172.21.120.0/24 subnet (and not some IPv6 address from that subnets
> > IPv6 ranges).
>
> Yeah it seems to be:
>
> GET http://www.google.com/ HTTP/1.1
> Accept: */*
> Host: www.google.com
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Via: 1.1 cake-icap (squid/3.3.6)
> X-Forwarded-For: 172.21.120.23
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> > Also, re-check this after fixing the follow_x_forwarded_for trust
> > ACLs. That may be affecting the results.
>
> I've gone back to the original lines:
>
> acl localsrc src 127.0.0.1
> follow_x_forwarded_for allow localsrc
>
> Here is the output from debug_options ALL,1 17,9 28,9 when I make a
> request:
>
> 2013/07/16 14:27:53.773 kid1| Acl.cc(345) matches: ACLList::matches: checking forwardTrafficSubnet1
> 2013/07/16 14:27:53.773 kid1| Acl.cc(326) checklistMatches: ACL::checklistMatches: checking 'forwardTrafficSubnet1'
> 2013/07/16 14:27:53.773 kid1| Ip.cc(134) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 172.21.120.23/[:::::::ff00] (172.21.120.0) vs 172.21.120.0-[::]/[:::::::ff00]
> 2013/07/16 14:27:53.773 kid1| Ip.cc(560) match: aclIpMatchIp: '172.21.120.23' found
> 2013/07/16 14:27:53.773 kid1| Acl.cc(328) checklistMatches: ACL::ChecklistMatches: result for 'forwardTrafficSubnet1' is 1
> 2013/07/16 14:27:53.773 kid1| Acl.cc(349) matches: forwardTrafficSubnet1 matched.
> 2013/07/16 14:27:53.773 kid1| Acl.cc(363) matches: forwardTrafficSubnet1 result is true
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(275) matchNode: 0x1d8afd8 matched=1 async=0 finished=0
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(260) matchNodes: 0x1d8afd8 success: all ACLs matched
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(146) markFinished: 0x1d8afd8 answer DENIED for first matching rule won
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(88) matchNonBlocking: ACLChecklist::check: 0x1d8afd8 match found, calling back with DENIED
>
> I don't know why it says that the rule matched but that it is returning
> DENIED.
>
> Cheers,

Hi again,

I wonder if anyone has any ideas on this one, at the moment this just doesn't seem to work.

Cheers,
--
Michael Graham
Re: [squid-users] X-Forwarded-For and cache_peer_access
On Tue, 2013-07-16 at 23:30 +1200, Amos Jeffries wrote:
> Does the X-Forwarded-For header actually contain an IP from the
> 172.21.120.0/24 subnet (and not some IPv6 address from that subnets
> IPv6 ranges).

Yeah it seems to be:

GET http://www.google.com/ HTTP/1.1
Accept: */*
Host: www.google.com
User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Via: 1.1 cake-icap (squid/3.3.6)
X-Forwarded-For: 172.21.120.23
Cache-Control: max-age=259200
Connection: keep-alive

> Also, re-check this after fixing the follow_x_forwarded_for trust
> ACLs. That may be affecting the results.

I've gone back to the original lines:

acl localsrc src 127.0.0.1
follow_x_forwarded_for allow localsrc

Here is the output from debug_options ALL,1 17,9 28,9 when I make a request:

2013/07/16 14:27:53.773 kid1| Acl.cc(345) matches: ACLList::matches: checking forwardTrafficSubnet1
2013/07/16 14:27:53.773 kid1| Acl.cc(326) checklistMatches: ACL::checklistMatches: checking 'forwardTrafficSubnet1'
2013/07/16 14:27:53.773 kid1| Ip.cc(134) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 172.21.120.23/[:::::::ff00] (172.21.120.0) vs 172.21.120.0-[::]/[:::::::ff00]
2013/07/16 14:27:53.773 kid1| Ip.cc(560) match: aclIpMatchIp: '172.21.120.23' found
2013/07/16 14:27:53.773 kid1| Acl.cc(328) checklistMatches: ACL::ChecklistMatches: result for 'forwardTrafficSubnet1' is 1
2013/07/16 14:27:53.773 kid1| Acl.cc(349) matches: forwardTrafficSubnet1 matched.
2013/07/16 14:27:53.773 kid1| Acl.cc(363) matches: forwardTrafficSubnet1 result is true
2013/07/16 14:27:53.773 kid1| Checklist.cc(275) matchNode: 0x1d8afd8 matched=1 async=0 finished=0
2013/07/16 14:27:53.773 kid1| Checklist.cc(260) matchNodes: 0x1d8afd8 success: all ACLs matched
2013/07/16 14:27:53.773 kid1| Checklist.cc(146) markFinished: 0x1d8afd8 answer DENIED for first matching rule won
2013/07/16 14:27:53.773 kid1| Checklist.cc(88) matchNonBlocking: ACLChecklist::check: 0x1d8afd8 match found, calling back with DENIED

I don't know why it says that the rule matched but that it is returning DENIED.

Cheers,
--
Michael Graham
Re: [squid-users] X-Forwarded-For and cache_peer_access
On 16/07/2013 7:31 a.m., Michael Graham wrote:
> Hi all,
>
> I'm having a problem getting squid to select the upstream proxy based on
> the source address set in the X-Forwarded-For header.
>
> Here are the appropriate lines from my squid.conf:
>
> follow_x_forwarded_for allow all

You should never have "allow all" here even for just testing.

What "allow all" means for that directive is to completely trust anything sent by any client and use the farthest back IP address found. Not very useful for testing whether your one-hop-away software is relaying you accurate details.

What you need to do is limit this to only permit trusting the IP addresses of the upstream proxy which is supposed to be setting the XFF header.

> acl forwardTrafficSubnet1 src 172.21.120.0/24
> cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
> cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
> never_direct deny forwardTrafficSubnet1
> cache_peer_access 172.21.120.24 allow all
> never_direct allow all
>
> (I'm only using allow all for testing I promise!)
>
> But I am always getting forwarded to the parent peer even when I am
> coming from a machine on forwardTrafficSubnet1.
>
> Has anyone had any success with this?

Does the X-Forwarded-For header actually contain an IP from the 172.21.120.0/24 subnet (and not some IPv6 address from that subnet's IPv6 ranges).

Also, re-check this after fixing the follow_x_forwarded_for trust ACLs. That may be affecting the results.

Amos
Re: [squid-users] X-Forwarded-For Header
On 29/04/2012 3:23, wrote:
> Sorry for the top post.
>
> Firstly that website is broken. Xff is a list header and always has
> been.
>
> Secondly 3.0 is an extremely old Squid version which only supports
> on/off for the forwarded_for directive. You need to upgrade.
>
> Amos

Thank you very much, Amos, I will update my squid installation as soon as I fix a problem with my test machine (RHEL + squid + kerberos + msktutil).

Meanwhile, I need to fix this problem in my current proxy server. I bypassed the website restriction using this:

-
request_header_access X-Forwarded-For deny all
#forwarded_for off
-

With this config, squid doesn't include the Xff header and the site allows full access.

Regards and thank you very much

Fran M.
Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8
On 21/02/2011 18:16, Amos Jeffries wrote:
> On 21/02/11 16:33, Pieter De Wit wrote:
>> Hi Amos,
>>
>> just had a go at this:
>>
>> request_header_access X-Forwarded-For deny
>> header_replace X-Forwarded-For
>>
>> and it's still passing XFF from another source thru - Nothing too urgent
>> since the Deb6 boxes are getting built :) But if you spot something ?
>
> Just a typo missing "all" after the "deny ". and no value to hard-code
> into the header on the replace line.
>
> This one is tricky to use since you have to hard-code the value passed
> back, it won't contain the real client IP you want.
>
> Amos

Yeah, not quite what we are after so squid 3.1.6 will have to do the trick :)

Thanks for the time !

Pieter
Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8
On 21/02/11 16:33, Pieter De Wit wrote:
> Hi Amos,
>
> just had a go at this:
>
> request_header_access X-Forwarded-For deny
> header_replace X-Forwarded-For
>
> and it's still passing XFF from another source thru - Nothing too urgent
> since the Deb6 boxes are getting built :) But if you spot something ?

Just a typo missing "all" after the "deny ". and no value to hard-code into the header on the replace line.

This one is tricky to use since you have to hard-code the value passed back, it won't contain the real client IP you want.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.11
Beta testers wanted for 3.2.0.5
Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8
Hi Amos,

just had a go at this:

request_header_access X-Forwarded-For deny
header_replace X-Forwarded-For

and it's still passing XFF from another source thru - Nothing too urgent since the Deb6 boxes are getting built :) But if you spot something ?

Cheers,

Pieter
Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8
Hi Amos,

Thanks for the reply - I remember seeing the doc bug :) I am building the Deb6 boxes as we speak (ext4+squid 3.1 is sounding very nice)

Cheers,

Pieter

On Mon, 21 Feb 2011, Amos Jeffries wrote:
> On Mon, 21 Feb 2011 12:16:46 +1300 (NZDT), Pieter De Wit wrote:
>> Hi Guys,
>>
>> I run a reverse proxy for a client. They are using XFF for restricting
>> certain content to IP. We have noted that the following doesn't "appear"
>> to work as it should:
>>
>> header_replace X-Forwarded-For allow all
>>
>> My understanding is that this will cause squid to replace the XFF header
>> with its own "client IP" ?
>
> No this will replace the content of X-Forwarded-For with the text "allow
> all". BUT, only if there is a corresponding "request_header_access
> X-Forwarded-For deny" line (or reply_header_access).
>
> FWIW there was a documentation bug for a while indicating that Squid
> would add its *own* IP to XFF. Squid will never do that. Only the remote
> visitors/client IP is added to XFF.
>
>> I see there is various answers about this on the internet so I would
>> like to know which one applies to this setup.
>
> In 3.0 you can use the header access denial + replace to strip out the
> existing header and add any desired forgery.
>
> In 3.1+ you can use "forwarded_for truncate" to erase a prior history
> trace and perform what you describe in a much cleaner way.
>
> This is not usually a good idea and only useful to paper around broken
> web app security vulnerabilities.
>
>> Here is some more details on the proxy chain:
>>
>> client -> proxy1 -> proxy2 -> origin web server
>>
>> Proxy 1 should replace the XFF header no matter what, so that if
>> "client" is behind a proxy, it doesn't matter.
>
> Well, truncate will do that, BUT using an origin server app which only
> pulls the *newest* IP off the list will be much better. And will protect
> against malicious forgery attacks as well.
>
>> Proxy 2 should just pass the header as per normal, it doesn't matter if
>> it adds an IP to the header.
>>
>> I am looking at replacing these boxes with Debian 6 boxes over the next
>> week or so, but would really like to nail this one now :)
>
> Then you will have access to 3.1.6+ with the above mentioned
> forwarded_for extensions.
>
> In this setup in order to pass the client IP to the origin I would
> advise using this config:
>
> proxy 1:
>  - nothing special. It will add the real client IP to X-Forwarded-For:
>    header.
>  - you MAY use "forwarded_for truncate" here to explicitly erase any
>    past garbage. But see above.
>
> proxy 2:
>  forwarded_for transparent
>  - this will mean proxy 2 preserves the client IP proxy1 added as latest
>    on the list, by not mentioning proxy1
>  - BE CAREFUL that the only way requests can reach proxy2 is via proxy1.
>
> origin:
>  - trust proxy 2 as provider of X-Forwarded-For and grab the latest
>    client from the XFF which it hands over.
>
> Amos
Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8
On Mon, 21 Feb 2011 12:16:46 +1300 (NZDT), Pieter De Wit wrote:
> Hi Guys,
>
> I run a reverse proxy for a client. They are using XFF for restricting certain content to IP. We have noted that the following doesn't "appear" to work as it should:
>
> header_replace X-Forwarded-For allow all
>
> My understanding is that this will cause squid to replace the XFF header with its own "client IP" ?

No this will replace the content of X-Forwarded-For with the text "allow all". BUT, only if there is a corresponding "request_header_access X-Forwarded-For deny" line (or reply_header_access).

FWIW there was a documentation bug for a while indicating that Squid would add its *own* IP to XFF. Squid will never do that. Only the remote visitors/client IP is added to XFF.

> I see there are various answers about this on the internet so I would like to know which one applies to this setup.

In 3.0 you can use the header access denial + replace to strip out the existing header and add any desired forgery.

In 3.1+ you can use "forwarded_for truncate" to erase a prior history trace and perform what you describe in a much cleaner way. This is not usually a good idea and only useful to paper around broken web app security vulnerabilities.

> Here are some more details on the proxy chain:
>
> client -> proxy1 -> proxy2 -> origin web server
>
> Proxy 1 should replace the XFF header no matter what, so that if "client" is behind a proxy, it doesn't matter.

Well, truncate will do that, BUT using an origin server app which only pulls the *newest* IP off the list will be much better. And will protect against malicious forgery attacks as well.

> Proxy 2 should just pass the header as per normal, it doesn't matter if it adds an IP to the header.
>
> I am looking at replacing these boxes with Debian 6 boxes over the next week or so, but would really like to nail this one now :)

Then you will have access to 3.1.6+ with the above mentioned forwarded_for extensions.

In this setup in order to pass the client IP to the origin I would advise using this config:

proxy 1:
 - nothing special. It will add the real client IP to X-Forwarded-For: header.
 - you MAY use "forwarded_for truncate" here to explicitly erase any past garbage. But see above.

proxy 2:
  forwarded_for transparent
 - this will mean proxy 2 preserves the client IP proxy1 added as latest on the list, by not mentioning proxy1
 - BE CAREFUL that the only way requests can reach proxy2 is via proxy1.

origin:
 - trust proxy 2 as provider of X-Forwarded-For and grab the latest client from the XFF which it hands over.

Amos
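The origin-side rule from the message above (trust only your own proxy as XFF provider and take the newest entry), as an added Python example that is not from the thread or from Squid. The function names and the documentation-range addresses are constructed for illustration, and the resolver generalises the advice to chains with more than one trusted proxy.

```python
"""Resolve the client address from X-Forwarded-For by starting at the TCP peer
and stepping back only through entries that a trusted proxy vouches for.
Added illustration; every name and address here is constructed."""
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges plus one private one).
PROXY1 = "192.0.2.10"    # front proxy: appends the real client IP
PROXY2 = "192.0.2.20"    # runs "forwarded_for transparent": appends nothing
CLIENT = "203.0.113.7"   # the real visitor
FORGED = "10.0.0.1"      # value the visitor put in its own XFF header


def naive_leftmost(xff_value):
    """What a careless origin app does: believe the oldest (leftmost) entry."""
    return xff_value.split(",")[0].strip()


def _parse(token):
    """Return an address object, or None for 'unknown', empty or garbage tokens."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def resolve_client_ip(peer_ip, xff_value, trusted_proxies):
    """Return the address the origin should treat as the client.

    peer_ip         -- source address of the TCP connection to the origin
    xff_value       -- raw X-Forwarded-For value (may be None or empty)
    trusted_proxies -- addresses or CIDR blocks of proxies you operate
    """
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]
    current = ipaddress.ip_address(peer_ip)
    tokens = xff_value.split(",") if xff_value else []
    for token in reversed(tokens):          # newest entry first
        if not any(current in net for net in nets):
            break                            # this hop is not ours: stop believing
        candidate = _parse(token)
        if candidate is None:
            break                            # e.g. "unknown": keep last verified hop
        current = candidate
    return str(current)


def demo():
    """Run the scenarios from the thread and return the chosen address for each."""
    forged_then_real = f"{FORGED}, {CLIENT}"
    return {
        # proxy1 appended CLIENT; transparent proxy2 passed the header through.
        "naive_leftmost": naive_leftmost(forged_then_real),
        "newest_from_proxy2": resolve_client_ip(PROXY2, forged_then_real, [PROXY2]),
        # proxy2 NOT transparent: it appended proxy1, so both proxies are trusted.
        "two_trusted_hops": resolve_client_ip(
            PROXY2, f"{forged_then_real}, {PROXY1}", [PROXY1, PROXY2]),
        # Connection did not come from our proxy: the header is ignored.
        "untrusted_peer": resolve_client_ip(CLIENT, "127.0.0.1", [PROXY2]),
        # "forwarded_for off" upstream leaves "unknown": fall back to the peer.
        "unknown_token": resolve_client_ip(PROXY2, "unknown", [PROXY2]),
        # The BE CAREFUL case: a request that reached proxy2 without passing
        # proxy1 carries only the sender's own header, and the origin cannot tell.
        "proxy1_bypassed": resolve_client_ip(PROXY2, FORGED, [PROXY2]),
    }


if __name__ == "__main__":
    for scenario, chosen in demo().items():
        print(f"{scenario:20s} -> {chosen}")
```

The last scenario returns the forged value, which is why access to proxy 2 has to be restricted to proxy 1 at the network level.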
Re: [squid-users] X-Forwarded-For in squid3.0
On Sun, 7 Jun 2009 23:02:21 +0800 (CST), "Tech W." wrote:
> Hi,
>
> Does squid-3.0 have X-Forwarded-For enabled built-in?
> Since I don't see that a configure directive in squid.conf.
>

All squid 3.x have the basic forwarded_for on/off and forwarding additions working. 3.1 is needed for the more advanced reverse-proxy alterations and follow_x_forwarded_for operations.

http://www.squid-cache.org/Doc/config/forwarded_for/

(NP: ignore the "2.3 Removed Directives" heading, the page generation seems to be a bit broken. That's part of the 2.6 release notes that should not be there.)

Amos
Re: [squid-users] X-Forwarded-For and Squid 3.0
Amos Jeffries wrote:
> Yes. It is already done and in Squid 3.1.
>
> We've had a fair number of annoyances found with the 3.1.0.2 packages
> not including everything they needed for the new code. One more in
> today's snapshot. So for testing I'd advise starting with the 20081118
> snapshot.
>
> Amos

Thank you for the quick reply. So probably we will upgrade to 3.1 then.

--
Matthias
Re: [squid-users] X-Forwarded-For and Squid 3.0
Silamael wrote:
> Hello!
>
> Are there any plans to implement the X-Forwarded-For feature in Squid3? We had to use Squid3 due to some ICAP project stuff and we will need the X-Forwarded-For feature for some other stuff too...

Yes. It is already done and in Squid 3.1.

We've had a fair number of annoyances found with the 3.1.0.2 packages not including everything they needed for the new code. One more in today's snapshot. So for testing I'd advise starting with the 20081118 snapshot.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2
Re: [squid-users] X-Forwarded-For in Squid3 STABLE1
On Wed, 2008-03-26 at 11:24 -0300, c0re dumped wrote:
> Hello,
>
> Is there a new x-forwarded-for patch to be used on squid3 ?

http://devel.squid-cache.org/projects.html#follow_xff

but it hasn't been updated in quite some time.. (years) and probably doesn't work too well with current squid3...

> In my opinion such a good feature must be added to the squid base
> code.

Then consider sponsoring adding this feature to Squid-3. Several of the Squid developers happily accept sponsored work.

Or at minimum file a request in bugzilla to have this forward-ported to Squid-3 if there isn't one already.

http://www.squid-cache.org/bugs/

Regards
Henrik
Re: [squid-users] x-forwarded-for
On 9/24/07, Gustavo Uribe <[EMAIL PROTECTED]> wrote:
> Hello list, sorry to bother you with a question, but i've been
> browsing teh internets for a few hours now without finding a clue.
>
> What im trying to do is... get in squid access.log the client IP, but
> since im using dansguardian , the "front" proxy is dg and squid only
> sees connections from localhost... so i enabled forwarded-for and
> x-forwarded-for in dansguardian as well compiled squid with
> --x-forwarded-for, put forwarded_for on , but i still see only
> localhost connections... what am i missing?
>

Check this post on the DG users list:

http://tech.groups.yahoo.com/group/dansguardian/message/19532

It addresses this issue.

Chris
Re: [squid-users] x-forwarded-for
On 24.09.07 19:32, Gustavo Uribe wrote:
> Hello list, sorry to bother you with a question, but i've been
> browsing teh internets for a few hours now without finding a clue.
>
> What im trying to do is... get in squid access.log the client IP, but
> since im using dansguardian , the "front" proxy is dg and squid only
> sees connections from localhost... so i enabled forwarded-for and
> x-forwarded-for in dansguardian as well compiled squid with
> --x-forwarded-for, put forwarded_for on , but i still see only
> localhost connections... what am i missing?

put localhost (DG) into follow_x_forwarded_for

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Honk if you love peace and quiet.
Re: [squid-users] X-Forwarded-For Header and Rewriter
On Tue 2006-06-06 at 13:26 -0800, Chris Robertson wrote:
> http://devel.squid-cache.org/projects.html#follow_xff might be just what
> you are looking for. Be aware that development patches are not
> supported and may set your hair on fire.

This patch has been included in the upcoming 2.6 release. You are welcome to try out the 2.6 pre-release if you like to investigate this.

Regards
Henrik
Re: [squid-users] X-Forwarded-For Header and Rewriter
[EMAIL PROTECTED] wrote:
> Hi,
>
> does anybody know if it is possible to access the X-Forwarded-Header inside of a rewriter script (squid used as reverse proxy). AFAIK, there is only the ip-address of the requesting server available which may be the ip of another cache-server.
>
> Background: We have another external cache server that queries our squids and we want to pass the client ip to an external script which makes decisions about the client ip: e.g. redirection to a special url if certain ips are there.
> I know that it is easy to trick the x-forwarded-header to fake ips, but nevertheless.
>
> if I use something like external_acl %SRC with an external script I can only say: OK or ERR, i.e. access or not. But I want to give the client different urls back depending on its ip. Or is there any other possibility to make such decisions (with the x-forwarded-for header information) outside the redirect script?
>
> thx in advance,
> max

http://devel.squid-cache.org/projects.html#follow_xff might be just what you are looking for. Be aware that development patches are not supported and may set your hair on fire.

Also, be aware: This patch changes the "configure.in" file, which is an input to "autoconf". You must run "bootstrap.sh" after applying this patch, and that will run "autoconf" for you. "autoconf" will generate a new "configure" script, which will have the new "--enable-follow-x-forwarded-for" option.

Chris
RE: [squid-users] x-forwarded-for patch (again)
On Sun, 16 Oct 2005, [EMAIL PROTECTED] wrote:
> Squid has several enhancement options that may or may not fit any particular user, and most (if not all) of them are hosted on a dedicated squid projects page that used to be at squid.sourceforge.net

Used to? That page is very much still there.. but nowadays perhaps more commonly known as devel.squid-cache.org.

Regards
Henrik
RE: [squid-users] x-forwarded-for patch (again)
On Sun, 16 Oct 2005, Lucia Di Occhi wrote:
> I don't see anything with regard to the x-forward-patch being included in STABLE12.

It's not.

> The diff file does not mention anything either. Is this a distro specific thing?

What is talked about is the "Follow X-Forwarded-For headers" patch available from devel.squid-cache.org. The author of this patch kindly provided a Squid-2.5 version some years back, but it has not been maintained for more current Squid-2.5 versions (last patch update was 2003/11/23) and manual editing is now required to apply the patch to the current Squid releases.

Regards
Henrik
RE: [squid-users] x-forwarded-for patch (again)
Quoting Lucia Di Occhi <[EMAIL PROTECTED]>:
> I don't see anything with regard to the x-forward-patch being included in STABLE12. The diff file does not mention anything either. Is this a distro specific thing?

Lucia:

Squid has several enhancement options that may or may not fit any particular user, and most (if not all) of them are hosted on a dedicated squid projects page that used to be at squid.sourceforge.net

using any one of these enhancements to squid may provide additional functionality that the main squid package is lacking. check it out.

Rance
Re: [squid-users] x-forwarded-for patch (again)
On Sun, 16 Oct 2005, [EMAIL PROTECTED] wrote:
> as instructed I ran ./bootstrap.sh and I get this output and error message:
>
> WARNING: Cannot find automake version 1.5
> Trying automake (GNU automake) 1.9.5
> WARNING: Cannot find autoconf version 2.13
> Trying autoconf (GNU Autoconf) 2.59

You need to fix this before continuing. Squid-2.5 requires the above autotool versions.

Regards
Henrik
RE: [squid-users] x-forwarded-for patch (again)
I don't see anything with regard to the x-forward-patch being included in STABLE12. The diff file does not mention anything either. Is this a distro specific thing?

From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: squid-users@squid-cache.org
Subject: [squid-users] x-forwarded-for patch (again)
Date: Sun, 16 Oct 2005 21:31:40 +

After following some instructions on this list I downloaded squid-2.5.STABLE9 and patched with the x_forwarded_for patch and nothing works.

here is a summary of what I did:

downloaded and untarred STABLE9

Stefano (the squid package maintainer for squid) graciously provided me the ./configure statement he uses to build the slackware package and I've enclosed that ./configure line below for reference.

./configure --bindir=/usr/sbin --sysconfdir=/etc/squid --datadir=/etc/squid --libexecdir=/usr/libexec/squid --localstatedir=/var/log/squid --enable-removal-policies="lru heap" --enable-auth="basic ntlm digest" --enable-basic-auth-helpers="NCSA MSNT SMB winbind YP" --enable-digest-auth-helpers=password --enable-external-acl-helpers="ip_user unix_group wbinfo_group winbind_group" --enable-ntlm-auth-helpers="SMB winbind" --enable-async-io --with-pthreads --with-aio --enable-storeio="ufs null aufs coss" --enable-delay-pools --enable-snmp --enable-ssl --enable-icmp --enable-cache-digests --disable-wccp --disable-http-violations --disable-ident-lookups --enable-useragent-log --enable-arp-acl --prefix=/usr

(please excuse the wordwrap)

STABLE9 configure works fine, and so does make all (I didn't make install)

I patched the source with x_forwarded_for patch and manually applied the 2 failed hunks src/structs.h

as instructed I ran ./bootstrap.sh and I get this output and error message:

WARNING: Cannot find automake version 1.5
Trying automake (GNU automake) 1.9.5
WARNING: Cannot find autoconf version 2.13
Trying autoconf (GNU Autoconf) 2.59
acinclude.m4:10: warning: underquoted definition of AC_CHECK_SIZEOF_SYSTYPE
run info '(automake)Extending aclocal'
or see http://sources.redhat.com/automake/automake.html#Extending-aclocal
acinclude.m4:49: warning: underquoted definition of AC_CHECK_SYSTYPE
/usr/share/aclocal/pkg.m4:5: warning: underquoted definition of PKG_CHECK_MODULES
/usr/share/aclocal/libIDL.m4:6: warning: underquoted definition of AM_PATH_LIBIDL
/usr/share/aclocal/imlib.m4:9: warning: underquoted definition of AM_PATH_IMLIB
/usr/share/aclocal/imlib.m4:167: warning: underquoted definition of AM_PATH_GDK_IMLIB
/usr/share/aclocal/gtk.m4:7: warning: underquoted definition of AM_PATH_GTK
/usr/share/aclocal/glib.m4:8: warning: underquoted definition of AM_PATH_GLIB
/usr/share/aclocal/gdk-pixbuf.m4:12: warning: underquoted definition of AM_PATH_GDK_PIXBUF
/usr/share/aclocal/audiofile.m4:12: warning: underquoted definition of AM_PATH_AUDIOFILE
/usr/share/aclocal/aalib.m4:12: warning: underquoted definition of AM_PATH_AALIB
/usr/share/aclocal/ORBit.m4:4: warning: underquoted definition of AM_PATH_ORBIT
configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
autoheader: WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
autoheader: WARNING: and `config.h.top', to define templates for `config.h.in'
autoheader: WARNING: is deprecated and discouraged.
autoheader:
autoheader: WARNING: Using the third argument of `AC_DEFINE' and
autoheader: WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
autoheader: WARNING: `acconfig.h':
autoheader:
autoheader: WARNING: AC_DEFINE([NEED_FUNC_MAIN], 1,
autoheader: [Define if a function `main' is needed.])
autoheader:
autoheader: WARNING: More sophisticated templates can also be produced, see the
autoheader: WARNING: documentation.
configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
configure.in:2214: error: do not use LIBOBJS directly, use AC_LIBOBJ (see section `AC_LIBOBJ vs LIBOBJS'
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
autoconf failed
Autotool bootstrapping failed. You will need to investigate and correct
before you can develop on this source tree

As you can see the bootstrap of the new patch fails

if I run /bootstrap.sh again then the output is the same as above but somehow the last sentence about the failure is gone, and all seems to have worked.

however if you try to make all you are going to get a make warning stating that the linux_netfil
Re: [squid-users] x-forwarded-for patch for squid-2.5.Stable11
Sarav,

Same here, until stable10, i can apply the rejects manually, but it doesn't work with stable11 anymore.

regards,
Kenneth

> Anybody got success this patch with squid-2.5.STABLE11? Pls help
> me.
>
> Sarav

--
Kenneth P. Oncinian
Network Administrator
Panasonic Communications Philippines Corporation
Information Systems Division - Network and Systems Group
--
PGP Public Key: http://m.1asphost.com/koncinian/koncinian.gnupg.key
Re: [squid-users] x-forwarded-for patch for squid-2.5.Stable11
> > > Download squid-2.5.STABLE9.tar.gz and follow_xff-2.5.STABLE5.patch on /tmp
> > > Extract the squid tar file with: tar xvfz squid-2.5.STABLE9.tar.gz
> > > copy follow_xff-2.5.STABLE5.patch to /tmp/squid-2.5.STABLE9
> > > cd to /tmp/squid-2.5.STABLE9 and execute: patch -p0 < follow_xff-2.5.STABLE5.patch
> > >
> > > you should get the following errors:
> > >
> > > FedoraCore2[/tmp/squid-2.5.STABLE9]patch -p0 < follow_xff-2.5.STABLE5.patch
> > > patching file acconfig.h
> > > patching file bootstrap.sh
> > > Hunk #1 succeeded at 66 (offset 7 lines).
> > > patching file configure.in
> > > Hunk #1 succeeded at 1128 (offset 28 lines).
> > > patching file src/acl.c
> > > Hunk #1 succeeded at 2147 (offset 107 lines).
> > > patching file src/cf.data.pre
> > > Hunk #1 succeeded at 2144 (offset 29 lines).
> > > patching file src/client_side.c
> > > Hunk #2 succeeded at 185 (offset 2 lines).
> > > Hunk #4 succeeded at 3308 (offset 58 lines).
> > > patching file src/delay_pools.c
> > > patching file src/structs.h
> > > Hunk #1 FAILED at 594.
> > > Hunk #2 succeeded at 634 (offset 14 lines).
> > > Hunk #3 succeeded at 1621 (offset 2 lines).
> > > Hunk #4 succeeded at 1684 (offset 14 lines).
> > > Hunk #5 FAILED at 1697.
> > > 2 out of 5 hunks FAILED -- saving rejects to file src/structs.h.rej
> > >
> > > This means that two hunks (parts) of the patch failed to patch src/structs.h at around lines 594 and 1697.
Now look at the > > > src/structs.h.rej which > > > should look like this: > > > > > > *** > > > *** 594,599 > > > int pipeline_prefetch; > > > int request_entities; > > > int detect_broken_server_pconns; > > > } onoff; > > > acl *aclList; > > > struct { > > > --- 594,604 > > > int pipeline_prefetch; > > > int request_entities; > > > int detect_broken_server_pconns; > > > + #if FOLLOW_X_FORWARDED_FOR > > > +int acl_uses_indirect_client; > > > +int delay_pool_uses_indirect_client; > > > +int log_uses_indirect_client; > > > + #endif /* FOLLOW_X_FORWARDED_FOR */ > > > } onoff; > > > acl *aclList; > > > struct { > > > *** > > > *** 1681,1686 > > > char *peer_login; /* Configured > peer > > > login:password */ > > > time_t lastmod; /* Used on > > refreshes > > > */ > > > const char *vary_headers; /* Used when > > varying > > > entities are detected. > > > Chan > > > ges how the store key is calculated */ > > > }; > > > > > > struct _cachemgr_passwd { > > > --- 1697,1707 > > > char *peer_login; /* Configured > peer > > > login:password */ > > > time_t lastmod; /* Used on > > refreshes > > > */ > > > const char *vary_headers; /* Used when > > varying > > > entities are detected. > > > Chan > > > ges how the store key is calculated */ > > > + #if FOLLOW_X_FORWARDED_FOR > > > + /* XXX a list of IP addresses would be a > > > better data structure > > > + * than this String */ > > > + String x_forwarded_for_iterator; > > > + #endif /* FOLLOW_X_FORWARDED_FOR */ > > > }; > > > > > > struct _cachemgr_passwd { > > > > > > As you can see the patch has found some 'issues' > > on > > > line 594 where it was > > > expecting something that it did not find. No > > > problem, just open > > > src/structs.h with 'vi' and go to line 594 and > > > locate the line: > > > > > > int detect_broken_server_pconns; > > > > > > which should be somewhere around there. 
> > > now insert the following as described by the .rej file (remove the + which means ADD)
> > >
> > > #if FOLLOW_X_FORWARDED_FOR
> > >     int acl_uses_indirect_client;
> > >     int delay_pool_uses_indirect_client;
> > >     int log_uses_indirect_client;
> > > #endif /* FOLLOW_X_FORWARDED_FOR */
> > >
> > > so around line 594 you should now have:
> > >
> > >     int detect_broken_server_pconns;
> > > #if FOLLOW_X_FORWARDED_FOR
> > >     int acl_uses_indirect_client;
> > >     int delay_pool_uses_indirect_client;
> > >     int log_uses_indirect_client;
> > > #endif /* FOLLOW_X_FORWARDED_FOR */
> > >     int balance_on_multiple_ip;
> > >     int relaxed_header_parser;
> > >     int accel_uses_host_header;
> > >     int accel_no_pmtu_disc;
> > > } onoff;
> > > acl *aclList;
> > >
> > > OK, let's now go to line 1697 (more or less since we have just added a few lines around 594)
> > > locate the line:
> > >
> > >     const char *vary_headers; /* Used when varying entities are detected. Changes how the store key is calculated */
> > >
> > > which should be somewhere around there.
> > > now insert the following as described by the .rej file (remove the + which means ADD)
> > >
> > > #if FOLLOW_X_FORWARDED_FOR
> > >     /* XXX a list of IP addresses w
Re: [squid-users] x-forwarded-for patch for squid-2.5.Stable11
> > I am posting this on both dansguardian and squid lists so that it can help anyone with the x-forwarded-for patch.
> >
> > Download squid-2.5.STABLE9.tar.gz and follow_xff-2.5.STABLE5.patch on /tmp
> > Extract the squid tar file with: tar xvfz squid-2.5.STABLE9.tar.gz
> > copy follow_xff-2.5.STABLE5.patch to /tmp/squid-2.5.STABLE9
> > cd to /tmp/squid-2.5.STABLE9 and execute: patch -p0 < follow_xff-2.5.STABLE5.patch
> >
> > you should get the following errors:
> >
> > FedoraCore2[/tmp/squid-2.5.STABLE9]patch -p0 < follow_xff-2.5.STABLE5.patch
> > patching file acconfig.h
> > patching file bootstrap.sh
> > Hunk #1 succeeded at 66 (offset 7 lines).
> > patching file configure.in
> > Hunk #1 succeeded at 1128 (offset 28 lines).
> > patching file src/acl.c
> > Hunk #1 succeeded at 2147 (offset 107 lines).
> > patching file src/cf.data.pre
> > Hunk #1 succeeded at 2144 (offset 29 lines).
> > patching file src/client_side.c
> > Hunk #2 succeeded at 185 (offset 2 lines).
> > Hunk #4 succeeded at 3308 (offset 58 lines).
> > patching file src/delay_pools.c
> > patching file src/structs.h
> > Hunk #1 FAILED at 594.
> > Hunk #2 succeeded at 634 (offset 14 lines).
> > Hunk #3 succeeded at 1621 (offset 2 lines).
> > Hunk #4 succeeded at 1684 (offset 14 lines).
> > Hunk #5 FAILED at 1697.
> > 2 out of 5 hunks FAILED -- saving rejects to file src/structs.h.rej
> >
> > This means that two hunks (parts) of the patch failed to patch src/structs.h at around lines 594 and 1697.
Now look at the > > src/structs.h.rej which > > should look like this: > > > > *** > > *** 594,599 > > int pipeline_prefetch; > > int request_entities; > > int detect_broken_server_pconns; > > } onoff; > > acl *aclList; > > struct { > > --- 594,604 > > int pipeline_prefetch; > > int request_entities; > > int detect_broken_server_pconns; > > + #if FOLLOW_X_FORWARDED_FOR > > +int acl_uses_indirect_client; > > +int delay_pool_uses_indirect_client; > > +int log_uses_indirect_client; > > + #endif /* FOLLOW_X_FORWARDED_FOR */ > > } onoff; > > acl *aclList; > > struct { > > *** > > *** 1681,1686 > > char *peer_login; /* Configured peer > > login:password */ > > time_t lastmod; /* Used on > refreshes > > */ > > const char *vary_headers; /* Used when > varying > > entities are detected. > > Chan > > ges how the store key is calculated */ > > }; > > > > struct _cachemgr_passwd { > > --- 1697,1707 > > char *peer_login; /* Configured peer > > login:password */ > > time_t lastmod; /* Used on > refreshes > > */ > > const char *vary_headers; /* Used when > varying > > entities are detected. > > Chan > > ges how the store key is calculated */ > > + #if FOLLOW_X_FORWARDED_FOR > > + /* XXX a list of IP addresses would be a > > better data structure > > + * than this String */ > > + String x_forwarded_for_iterator; > > + #endif /* FOLLOW_X_FORWARDED_FOR */ > > }; > > > > struct _cachemgr_passwd { > > > > As you can see the patch has found some 'issues' > on > > line 594 where it was > > expecting something that it did not find. No > > problem, just open > > src/structs.h with 'vi' and go to line 594 and > > locate the line: > > > > int detect_broken_server_pconns; > > > > which should be somewhere around there. 
> > now insert the following as described by the .rej file (remove the + which means ADD)
> >
> > #if FOLLOW_X_FORWARDED_FOR
> >     int acl_uses_indirect_client;
> >     int delay_pool_uses_indirect_client;
> >     int log_uses_indirect_client;
> > #endif /* FOLLOW_X_FORWARDED_FOR */
> >
> > so around line 594 you should now have:
> >
> >     int detect_broken_server_pconns;
> > #if FOLLOW_X_FORWARDED_FOR
> >     int acl_uses_indirect_client;
> >     int delay_pool_uses_indirect_client;
> >     int log_uses_indirect_client;
> > #endif /* FOLLOW_X_FORWARDED_FOR */
> >     int balance_on_multiple_ip;
> >     int relaxed_header_parser;
> >     int accel_uses_host_header;
> >     int accel_no_pmtu_disc;
> > } onoff;
> > acl *aclList;
> >
> > OK, let's now go to line 1697 (more or less since we have just added a few lines around 594)
> > locate the line:
> >
> >     const char *vary_headers; /* Used when varying entities are detected. Changes how the store key is calculated */
> >
> > which should be somewhere around there.
> > now insert the following as described by the .rej file (remove the + which means ADD)
> >
> > #if FOLLOW_X_FORWARDED_FOR
> >     /* XXX a list of IP addresses would be a better data structure
> >      * than this String */
> >     String x_forwarded_for_iterator;
> > #endif /* FOLLOW_X_FORWARDED_FOR */
> >
> > so around line 1697 you
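Review bot: the three flags added to `onoff` in the hunk at 594 (`acl_uses_indirect_client`, `delay_pool_uses_indirect_client`, `log_uses_indirect_client`) carry no comment saying what the "indirect client" is or where its address comes from. They sit under `#if FOLLOW_X_FORWARDED_FOR`, so the address is presumably taken from a request header that the sender controls. I would add a comment on each field stating that it switches ACL matching, delay pools or logging from the TCP peer address to the header-derived one, and that this is only safe when the header was supplied by a proxy you trust.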
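Review bot: in the hunk at 1697, `String x_forwarded_for_iterator;` is named as an iterator but typed as a plain `String`, and the XXX comment directly above it already concedes that a list of IP addresses would be the better structure. Either make that change before this goes in, or extend the comment to say what the string holds at each step (the whole header value or only the part not yet consumed) and which code resets it, so later readers do not have to infer that from the parsing code.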
Re: [squid-users] x-forwarded-for patch install problem
On Fri, 11 Mar 2005, saravanan ganapathy wrote:
> Really I don't know what to be changed in src/structs.h & src/structs.h.rej
>
> Pls help me
>
> Sarav
>
> I tried to find the docs in the net, but couldn't.

The .rej file shows what should be changed in the file.

Regards
Henrik
Re: [squid-users] x-forwarded-for patch install problem
--- saravanan ganapathy <[EMAIL PROTECTED]> wrote:
> --- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> > On Wed, 9 Mar 2005, saravanan ganapathy wrote:
> >
> > >> Hand edit the files, adding the changes patch could not automatically
> > >> figure out what to do with (failed/rejected).
> > >
> > > What are the files to be edited? What are all the changes to be done?
> >
> > See the output of the patch command. There are two filenames mentioned...
> >
> > patching file src/structs.h
> > 2 out of 5 hunks FAILED -- saving rejects to file src/structs.h.rej
>
> Really I don't know what to be changed in src/structs.h & src/structs.h.rej
>
> Pls help me
>
> Sarav

I tried to find the docs in the net, but couldn't. Hope some of you already did this configuration. Can you pls help me?

Sarav
Re: [squid-users] x-forwarded-for patch install problem
--- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> On Wed, 9 Mar 2005, saravanan ganapathy wrote:
>
> >> Hand edit the files, adding the changes patch could not automatically
> >> figure out what to do with (failed/rejected).
> >
> > What are the files to be edited? What are all the changes to be done?
>
> See the output of the patch command. There are two filenames mentioned...
>
> patching file src/structs.h
> 2 out of 5 hunks FAILED -- saving rejects to file src/structs.h.rej

Really I don't know what to be changed in src/structs.h & src/structs.h.rej

Pls help me

Sarav
Re: [squid-users] x-forwarded-for patch install problem
On Wed, 9 Mar 2005, saravanan ganapathy wrote:
>> Hand edit the files, adding the changes patch could not automatically figure out what to do with (failed/rejected).
>
> What are the files to be edited? What are all the changes to be done?

See the output of the patch command. There are two filenames mentioned...

  patching file src/structs.h
  2 out of 5 hunks FAILED -- saving rejects to file src/structs.h.rej

Regards
Henrik
Re: [squid-users] x-forwarded-for patch install problem
--- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> On Wed, 9 Mar 2005, saravanan ganapathy wrote:
>
> > Hai
> >
> > When I tried to apply follow_xff-2.5.patch on squid-2.5.STABLE9 , I am getting the following error
> >
> > patching file src/structs.h
> > Hunk #1 FAILED at 592.
> > Hunk #2 succeeded at 634 (offset 16 lines).
> > Hunk #3 succeeded at 1619 (offset 7 lines).
> > Hunk #4 succeeded at 1679 (offset 16 lines).
> > Hunk #5 FAILED at 1692.
> > 2 out of 5 hunks FAILED -- saving rejects to file src/structs.h.rej
> >
> > How to solve this problem?
>
> Hand edit the files, adding the changes patch could not automatically
> figure out what to do with (failed/rejected).

What are the files to be edited? What are all the changes to be done? Can u pls help me on this?

Sarav
Re: [squid-users] x-forwarded-for patch install problem
On Wed, 9 Mar 2005, saravanan ganapathy wrote:
> Hai
>
> When I tried to apply follow_xff-2.5.patch on squid-2.5.STABLE9 , I am getting the following error
>
> patching file src/structs.h
> Hunk #1 FAILED at 592.
> Hunk #2 succeeded at 634 (offset 16 lines).
> Hunk #3 succeeded at 1619 (offset 7 lines).
> Hunk #4 succeeded at 1679 (offset 16 lines).
> Hunk #5 FAILED at 1692.
> 2 out of 5 hunks FAILED -- saving rejects to file src/structs.h.rej
>
> How to solve this problem?

Hand edit the files, adding the changes patch could not automatically figure out what to do with (failed/rejected).

Regards
Henrik
Re: [squid-users] X-Forwarded-For header cleanup
Yep, I think I'm in the same situation. I think it's better that when we set "forwarded_for off" in squid.conf, we should never see "X-Forwarded-For: Unknown." when there is no X-Forwarded-For previously, and squid will not add "unknown" when we already have one.

On Wed, 17 Nov 2004 10:12:38 +0100, Janno de Wit <[EMAIL PROTECTED]> wrote:
> Hi folks,
>
> My Squid always modifies the X-Forwarded-For header with the client-IP.
> I'm now in a situation I want to keep the X-Forwarded-For header as it
> is..
> As far as i see it's only possible to disable the X-forwarded-for
> header, which will result the header as:
> X-Forwarded-For: Unknown.
>
> At this time, I have already a X-Forwarded-For header. My final header
> as Squid will send out is:
>
> X-Forwarded-For: ,
>
> I want Squid to keep the header for what it is, thus:
> input:
> X-Forwarded-For:
> output:
> X-Forwarded-For:
>
> Is this possible?
>
> Thanks, Janno.
>
Re: [squid-users] X-Forwarded-For
On Thu, 21 Oct 2004, Scott Mayo wrote:
> configure.in:: warning: AC_TRY_RUN called without default to allow cross compiling.
>
> It then said that bootstrapping was complete. Are these warnings alright?

Yes.

Regards
Henrik
Re: [squid-users] X-Forwarded-For
On Thu, 21 Oct 2004, Scott Mayo wrote:
> After reading more about this, I assume that I need to actually go to http://ftp.gnu.org/gnu/autoconf/ and download the correct version of autoconf. Is downgrading to autoconf 2.13 going to effect anything else in my system? I am running Fedora 2.

Fedora 2 has an autoconf213 package ready for you to use..

Regards
Henrik
Re: [squid-users] X-Forwarded-For
On Thu, 21 Oct 2004, Scott Mayo wrote:
> I got to looking and there is actually only 1 major issue I guess. The others say that something is deprecated and discouraged.
>
> Can't find autoconf version 2.13
> trying version 2.59

Squid-2.5 needs autoconf 2.13. You will also see this warning/error if you try to bootstrap the Squid-2.5 sources without any patches.

autoconf is a GNU tool.

Regards
Henrik
Re: [squid-users] X-Forwarded-For
Scott Mayo wrote:
> Scott Mayo wrote:
>> Scott Mayo wrote:
>>> Henrik Nordstrom wrote:
>>>> On Wed, 20 Oct 2004, Scott Mayo wrote:
>>>>> I am trying to patch squid with X-Forwarded-For and run into all kinds of trouble. I downloaded squid-2.5.STABLE4 and the patch listed here: http://squid.sourceforge.net/follow_xff/ but when I do the patch and then run bootstrap.sh, I get all kinds of ERRORS and WARNINGS.
>>>>
>>>> What does the first few errors/warnings look like?
>>>
>>> I got to looking and there is actually only 1 major issue I guess. The others say that something is deprecated and discouraged.
>>>
>>> Can't find autoconf version 2.13
>>> trying version 2.59
>>>
>>> If I go to the cvs.devel.squid-cache.org repository and download the correct version of autoconf, will this work? I did not know if I could put an older version of this file in with this version of squid and everything would still be ok.
>>
>> After reading more about this, I assume that I need to actually go to http://ftp.gnu.org/gnu/autoconf/ and download the correct version of autoconf. Is downgrading to autoconf 2.13 going to effect anything else in my system? I am running Fedora 2.
>> Thanks Scott
>
> I download and compiled the autoconf 2.13 and then ran the bootstrap. It gave a bunch of the same warnings:
>
> configure.in:: warning: AC_TRY_RUN called without default to allow cross compiling.
>
> It then said that bootstrapping was complete. Are these warnings alright?
>
> Thanks for the help.

OK, from what I have read, this warning is nothing to be concerned with. Now my question is, since I have used the autoconf 2.13 to get the correct configure file, can I now go back to version 2.59 with no problems?

--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549

Duct tape is like the force, it has a light side and a dark side and it holds the universe together.
RE: [squid-users] X-Forwarded-For
I'm actually looking for the same thing. Patches can be a pain sometimes. Mandrake has an updated RPM with the patch already built in, but I'm not sure if it would work on FC2.

http://www.rpmfind.net//linux/RPM/cooker/cooker/i586/media/main/squid-2.5.STABLE6-2mdk.i586.html

-Devon

-Original Message-
From: Scott Mayo [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 21, 2004 11:54 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [squid-users] X-Forwarded-For

Scott Mayo wrote:
> Scott Mayo wrote:
>
>> Henrik Nordstrom wrote:
>>
>>> On Wed, 20 Oct 2004, Scott Mayo wrote:
>>>
>>>> I am trying to patch squid with X-Forwarded-For and run into all
>>>> kinds of trouble. I downloaded squid-2.5.STABLE4 and the patch
>>>> listed here: http://squid.sourceforge.net/follow_xff/ but when I do
>>>> the patch and then run bootstrap.sh, I get all kinds of ERRORS and
>>>> WARNINGS.
>>>
>>> What does the first few errors/warnings look like?
>>
>> I got to looking and there is actually only 1 major issue I guess.
>> The others say that something is deprecated and discouraged.
>>
>> Can't find autoconf version 2.13
>> trying version 2.59
>>
>> If I go to the cvs.devel.squid-cache.org repository and download the
>> correct version of autoconf, will this work? I did not know if I
>> could put an older version of this file in with this version of squid
>> and everything would still be ok.
>
> After reading more about this, I assume that I need to actually go to
> http://ftp.gnu.org/gnu/autoconf/ and download the correct version of
> autoconf. Is downgrading to autoconf 2.13 going to affect anything else
> in my system? I am running Fedora 2.
>
> Thanks
> Scott

I downloaded and compiled the autoconf 2.13 and then ran the bootstrap. It gave a bunch of the same warnings:

configure.in:: warning: AC_TRY_RUN called without default to allow cross compiling.

It then said that bootstrapping was complete. Are these warnings alright?

Thanks for the help.
-- Scott Mayo Technology Coordinator Bloomfield Schools PH: 573-568-5669 FA: 573-568-4565 Pager: 800-264-2535 X2549 Duct tape is like the force, it has a light side and a dark side and it holds the universe together.
Re: [squid-users] X-Forwarded-For
Scott Mayo wrote:

> Scott Mayo wrote:
>
>> Henrik Nordstrom wrote:
>>
>>> On Wed, 20 Oct 2004, Scott Mayo wrote:
>>>
>>>> I am trying to patch squid with X-Forwarded-For and run into all kinds of trouble. I downloaded squid-2.5.STABLE4 and the patch listed here: http://squid.sourceforge.net/follow_xff/ but when I do the patch and then run bootstrap.sh, I get all kinds of ERRORS and WARNINGS.
>>>
>>> What does the first few errors/warnings look like?
>>
>> I got to looking and there is actually only 1 major issue I guess. The others say that something is deprecated and discouraged.
>>
>> Can't find autoconf version 2.13
>> trying version 2.59
>>
>> If I go to the cvs.devel.squid-cache.org repository and download the correct version of autoconf, will this work? I did not know if I could put an older version of this file in with this version of squid and everything would still be ok.
>
> After reading more about this, I assume that I need to actually go to http://ftp.gnu.org/gnu/autoconf/ and download the correct version of autoconf. Is downgrading to autoconf 2.13 going to affect anything else in my system? I am running Fedora 2.
>
> Thanks
> Scott

I downloaded and compiled the autoconf 2.13 and then ran the bootstrap. It gave a bunch of the same warnings:

configure.in:: warning: AC_TRY_RUN called without default to allow cross compiling.

It then said that bootstrapping was complete. Are these warnings alright?

Thanks for the help.

--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669 FA: 573-568-4565 Pager: 800-264-2535 X2549

Duct tape is like the force, it has a light side and a dark side and it holds the universe together.
Re: [squid-users] X-Forwarded-For
Scott Mayo wrote:

> Henrik Nordstrom wrote:
>
>> On Wed, 20 Oct 2004, Scott Mayo wrote:
>>
>>> I am trying to patch squid with X-Forwarded-For and run into all kinds of trouble. I downloaded squid-2.5.STABLE4 and the patch listed here: http://squid.sourceforge.net/follow_xff/ but when I do the patch and then run bootstrap.sh, I get all kinds of ERRORS and WARNINGS.
>>
>> What does the first few errors/warnings look like?
>
> I got to looking and there is actually only 1 major issue I guess. The others say that something is deprecated and discouraged.
>
> Can't find autoconf version 2.13
> trying version 2.59
>
> If I go to the cvs.devel.squid-cache.org repository and download the correct version of autoconf, will this work? I did not know if I could put an older version of this file in with this version of squid and everything would still be ok.

After reading more about this, I assume that I need to actually go to http://ftp.gnu.org/gnu/autoconf/ and download the correct version of autoconf. Is downgrading to autoconf 2.13 going to affect anything else in my system? I am running Fedora 2.

Thanks
Scott

--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669 FA: 573-568-4565 Pager: 800-264-2535 X2549

Duct tape is like the force, it has a light side and a dark side and it holds the universe together.
Re: [squid-users] X-Forwarded-For
Henrik Nordstrom wrote:

> On Wed, 20 Oct 2004, Scott Mayo wrote:
>
>> I am trying to patch squid with X-Forwarded-For and run into all kinds of trouble. I downloaded squid-2.5.STABLE4 and the patch listed here: http://squid.sourceforge.net/follow_xff/ but when I do the patch and then run bootstrap.sh, I get all kinds of ERRORS and WARNINGS.
>
> What does the first few errors/warnings look like?

I got to looking and there is actually only 1 major issue I guess. The others say that something is deprecated and discouraged.

Can't find autoconf version 2.13
trying version 2.59

If I go to the cvs.devel.squid-cache.org repository and download the correct version of autoconf, will this work? I did not know if I could put an older version of this file in with this version of squid and everything would still be ok.

Thanks for the help.

--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669 FA: 573-568-4565 Pager: 800-264-2535 X2549

Duct tape is like the force, it has a light side and a dark side and it holds the universe together.
Re: [squid-users] X-Forwarded-For
On Wed, 20 Oct 2004, Scott Mayo wrote:

> I am trying to patch squid with X-Forwarded-For and run into all kinds of trouble. I downloaded squid-2.5.STABLE4 and the patch listed here: http://squid.sourceforge.net/follow_xff/ but when I do the patch and then run bootstrap.sh, I get all kinds of ERRORS and WARNINGS.

What does the first few errors/warnings look like?

Regards
Henrik
Re: [squid-users] X-Forwarded-For: unknown
On Mon, 12 Jul 2004, Marco Berizzi wrote:

> I'm experimenting a problem with a web site because
> X-Forwarded-For is unknown.

If the X-Forwarded-For header says "unknown" then you have set "forwarded_for off" in squid.conf. If it is completely missing then you have denied it from header_access.

Regards
Henrik
Re: [squid-users] X-Forwarded-For: unknown
>> Buhh... sorry: 2.5.STABLE6 compiled from source on Slackware 9.1
>> kernel 2.4.26 gcc 3.2.3 glibc 2.3.2
>
> Ok, clueless for the moment, but one sanity check, to proof
> that is related to the header_deny, header_access stuff you use
> in squid.conf :
> - if that is not done, is the situation normal again,
> with respect to X-Forwarded-for behavior ?
> If it is, then I have no further clues for the moment, other
> then to report via BUG report.

Oops I'm becoming small small small... found the error: sorry to everybody.
Re: [squid-users] X-Forwarded-For: unknown
> Squid version ?

Buhh... sorry: 2.5.STABLE6 compiled from source on Slackware 9.1 kernel 2.4.26 gcc 3.2.3 glibc 2.3.2
RE: [squid-users] X-Forwarded-For: unknown
>>> However squid.conf.default shows that X-Forwarded-For is
>>> on by default.
>>
>> I presume this is not changed in the current squid.conf by
>> setting this parameter to off , for instance ?
>
> No, it is not changed.
>
>> Probably not, you can debug the situation further with :
>>
>> http://www.showmyip.com
>>
>> Look for 'Forwarded'.
>
> Done: X-Forwarded-For:unknown
> I have also tried with http://www.grc.com

Squid version ?

M.
Re: [squid-users] X-Forwarded-For: unknown
>> However squid.conf.default shows that X-Forwarded-For is
>> on by default.
>
> I presume this is not changed in the current squid.conf by
> setting this parameter to off , for instance ?

No, it is not changed.

> Probably not, you can debug the situation further with :
>
> http://www.showmyip.com
>
> Look for 'Forwarded'.

Done: X-Forwarded-For:unknown
I have also tried with http://www.grc.com
RE: [squid-users] X-Forwarded-For: unknown
> I'm experimenting a problem with a web site because
> X-Forwarded-For is unknown.
>
> However squid.conf.default shows that X-Forwarded-For is
> on by default.

I presume this is not changed in the current squid.conf by setting this parameter to off , for instance ?

> My squid.conf modify only the User-Agent header:
>
> header_access User-Agent deny all
> header_replace User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20020508 Netscape6/6.2.3
>
> Could it be a problem?

Probably not, you can debug the situation further with :

http://www.showmyip.com

Look for 'Forwarded'.

M.
Re: [squid-users] X-Forwarded-For header
On Tue, 3 Feb 2004, Abdul Khader wrote:

> Hi all,
> I have patched the squid with the X-Forward-For header
> patch.
> But, still no luck. I am still getting 127.0.0.1 in
> access.log.

Is Dansguardian sending a X-Forwarded-For header to Squid?

Have you told Squid to look into the header? (see squid.conf.default after installing your patched Squid or the documentation on the follow_xff web site).

Regards
Henrik
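The symptom in this exchange (a filter on the same host makes every request arrive from 127.0.0.1) and the "unknown" value discussed elsewhere in the thread both come down to which peers a proxy believes when it reads X-Forwarded-For. The sketch below is an added example, not code from Squid or the follow_xff patch: `effective_client` is a hypothetical name, all addresses are constructed, and it models only the general rule of walking the header right to left while the sender is a trusted proxy.

```python
import ipaddress

def effective_client(peer_ip, xff_header, trusted_proxies):
    """Pick the address to log for one request (hypothetical helper).

    peer_ip         -- source address of the TCP connection
    xff_header      -- raw X-Forwarded-For value, or None if absent
    trusted_proxies -- CIDR strings for proxies whose header we believe
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk right to left: the rightmost entry was appended by the nearest proxy.
    for hop in reversed(hops):
        if not any(current in n for n in nets):
            break  # the address we hold did not come from a trusted proxy
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # "unknown" (sender has forwarded_for off) or junk: stop here
    return str(current)

# Constructed samples: (description, TCP peer, header value, trusted list)
SAMPLES = [
    ("filter on localhost, header ignored",
     "127.0.0.1", "10.1.1.25", []),
    ("filter on localhost, header followed",
     "127.0.0.1", "10.1.1.25", ["127.0.0.1/32"]),
    ("squid_A in front of squid_B, client forged the first hop",
     "10.0.0.2", "198.51.100.9, 10.1.1.25", ["10.0.0.2/32"]),
    ("upstream proxy sends the literal value unknown",
     "10.0.0.2", "unknown", ["10.0.0.2/32"]),
    ("untrusted peer supplies its own header",
     "203.0.113.7", "127.0.0.1", ["127.0.0.1/32"]),
]

def run_samples():
    """Return (description, logged address) for every constructed sample."""
    return [(d, effective_client(p, h, t)) for d, p, h, t in SAMPLES]

if __name__ == "__main__":
    for desc, logged in run_samples():
        print(f"{logged:15}  {desc}")
```

Only the entry appended by a trusted hop is believed, so a header value typed in by the client never replaces the address of the connection it actually arrived on.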
Re: [squid-users] X-forwarded-for
On Mon 2003-03-17 at 18.04, Marc Elsen wrote:

> [EMAIL PROTECTED] wrote:
>>
>> hi, i have the clients, behind them i have squid_A, and behind squid_A i
>> have squid_B.
>>
>> i want that clients IP appear in access.log of squid_B, how i do it?
>>
>> regards.
>
> Drop back question : is this possible ?
>
> Answer : no

Most things are possible in the world of Open Source, and this certainly is as it has already been done by others:

http://devel.squid-cache.org/projects.html#follow_xff

Regards
Henrik

--
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden
Re: [squid-users] X-forwarded-for
[EMAIL PROTECTED] wrote:
>
> hi, i have the clients, behind them i have squid_A, and behind squid_A i
> have squid_B.
>
> i want that clients IP appear in access.log of squid_B, how i do it?
>
> regards.

Drop back question : is this possible ?

Answer : no

M.

--
'Time is a consequence of Matter thus General Relativity is a direct consequence of QM (M.E. Mar 2002)
Re: [squid-users] X-forwarded-for
[EMAIL PROTECTED] wrote:
>
> i have the clients, behind them i have a squid , and behind i have another
> proxy (blue coat).
>
> i want that blue coat see the IP of the clients instead of the squid IP,
> but blue coat don`t see the X-forwarded-for parameter.
>
> my question is: is there another possibility that squid send to blue
> coat the IP client instead of his own ip?

No, because squid is a netw. application. Following the tcp/ip networking model, it has no access to that part of an ip packet.

M.

> thanks.

--
'Time is a consequence of Matter thus General Relativity is a direct consequence of QM (M.E. Mar 2002)
Re: [squid-users] X-Forwarded-For: header
Frank Liu wrote:

> I actually tried that a few days ago (see my other post) and it didn't
> work, which made me believe "header_replace" would only work for
> headers set from the client, not for those headers set by squid itself.
>
> Now I re-read the squid.conf, maybe I have to "header_access" to deny
> this header first, before "header_replace" can work???

Yes.

Regards
Henrik
Re: [squid-users] X-Forwarded-For: header
> That works! amazing. I thought "header_access" and "header_replace" only works for the headers that come from the client. not the ones (like, X-Forwarded-For) that are set from squid itself. I actually tried
> header_replace X-Forwarded-For 1.2.3.4
> a few days ago but still got "unknown".

You probably forgot to deny it with header_access first.

> btw, if I set "forwarded_for" to off, shouldn't squid stop sending the "X-Forwarded-For" header instead of sending a bogus "unknown"?

I prefer to remove X-Forwarded-For from the source. Sometimes it leaks out from my configs and I am too lazy to find out what went wrong.

Tesla
Re: [squid-users] X-Forwarded-For: header
On Wed, 29 Jan 2003, Henrik Nordstrom wrote:

> Frank Liu wrote:
>
>> 2) is it possible to config squid to send a user defined IP (say
>> the IP of the proxy server itself), rather than "unknown" ?
>
> Should be possible to change the header to say whatever you feel like
> via header_replace.

I actually tried that a few days ago (see my other post) and it didn't work, which made me believe "header_replace" would only work for headers set from the client, not for those headers set by squid itself.

Now I re-read the squid.conf, maybe I have to "header_access" to deny this header first, before "header_replace" can work???

thanks!
frank

>> on a related one, is it possible to "insert" an customer HTTP header?
>
> Not without first coding the feature I think.. but maybe header_replace
> can be used..
>
> Regards
> Henrik
Re: [squid-users] X-Forwarded-For: header
Frank Liu wrote:

> 2) is it possible to config squid to send a user defined IP (say
> the IP of the proxy server itself), rather than "unknown" ?

Should be possible to change the header to say whatever you feel like via header_replace.

> on a related one, is it possible to "insert" an customer HTTP header?

Not without first coding the feature I think.. but maybe header_replace can be used..

Regards
Henrik
Re: [squid-users] X-Forwarded-For: header
That works! amazing. I thought "header_access" and "header_replace" only works for the headers that come from the client. not the ones (like, X-Forwarded-For) that are set from squid itself. I actually tried

header_replace X-Forwarded-For 1.2.3.4

a few days ago but still got "unknown".

btw, if I set "forwarded_for" to off, shouldn't squid stop sending the "X-Forwarded-For" header instead of sending a bogus "unknown"?

Frank

On Wed, 29 Jan 2003, Tesla 13 wrote:

> >1) is it possible to config squid NOT to set this header at all?
>
> I think
> header_access X-Forwarded-For deny all
> should do.
>
> You can remove it from the source if you feel inclined so. Just do a grep
> -r.
>
> Don't have answers to other questions.
>
> Tesla
Re: [squid-users] X-Forwarded-For: header
> 1) is it possible to config squid NOT to set this header at all?

I think

header_access X-Forwarded-For deny all

should do.

You can remove it from the source if you feel inclined so. Just do a grep -r.

Don't have answers to other questions.

Tesla