Re: [squid-users] X-forwarded-for

2003-03-17 Thread Marc Elsen


[EMAIL PROTECTED] wrote:
> 
> i have the clients, behind then i have a squid , and behind i have another
> proxy (blue coat).
> 
> i want that blue coat see the IP of the clients instead of the squid IP,
> but blue coat don`t  see the X-forwarded-for parameter.
> 
> my question is: is there another  possibility that squid send to blue
> coat the IP client instead of his own ip?

 No, because squid is a netw. application.
 Following the tcp/ip networking model, it has no access to that
 part of an ip packet.

 M.

> thanks.

-- 

 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)


Re: [squid-users] X-forwarded-for

2003-03-17 Thread Marc Elsen


[EMAIL PROTECTED] wrote:
> 
> hi, i have the clients, behind them i have squid_A, and behind squid_A i
> have squid_B.
> 
> i want that clients IP appear in access.log of squid_B, how i do it?
> 
> regards.

  Drop back question : is this possible ?

  Answer : no

  M.


-- 

 'Time is a consequence of Matter thus
 General Relativity is a direct consequence of QM
 (M.E. Mar 2002)


Re: [squid-users] X-forwarded-for

2003-03-17 Thread Henrik Nordstrom
Mon 2003-03-17 at 18.04, Marc Elsen wrote:
> [EMAIL PROTECTED] wrote:
> > 
> > hi, i have the clients, behind them i have squid_A, and behind squid_A i
> > have squid_B.
> > 
> > i want that clients IP appear in access.log of squid_B, how i do it?
> > 
> > regards.
> 
>   Drop back question : is this possible ?
> 
>   Answer : no

Most things are possible in the world of Open Source, and this certainly
is as it has already been done by others:

http://devel.squid-cache.org/projects.html#follow_xff


Regards
Henrik

-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden



Re: [squid-users] x-forwarded-for

2007-09-28 Thread Matus UHLAR - fantomas
On 24.09.07 19:32, Gustavo Uribe wrote:
> Hello list, sorry to bother you with a question, but i've been
> browsing teh internets for a few hours now without finding a clue.
> 
> What im trying to do is... get in squid access.log the client IP, but
> since im using dansguardian , the "front" proxy is dg and squid only
> sees connections from localhost... so i enabled forwarded-for and
> x-forwarded-for in dansguardian as well compiled squid with
> --x-forwarded-for, put forwarded_for on , but i still see only
> localhost connections... what am i missing?

put localhost (DG) into follow_x_forwarded_for
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Honk if you love peace and quiet. 


Re: [squid-users] x-forwarded-for

2007-09-28 Thread Chris Nighswonger
On 9/24/07, Gustavo Uribe <[EMAIL PROTECTED]> wrote:
> Hello list, sorry to bother you with a question, but i've been
> browsing teh internets for a few hours now without finding a clue.
>
> What im trying to do is... get in squid access.log the client IP, but
> since im using dansguardian , the "front" proxy is dg and squid only
> sees connections from localhost... so i enabled forwarded-for and
> x-forwarded-for in dansguardian as well compiled squid with
> --x-forwarded-for, put forwarded_for on , but i still see only
> localhost connections... what am i missing?
>

Check this post on the DG users list:

http://tech.groups.yahoo.com/group/dansguardian/message/19532

It addresses this issue.

Chris


Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Henrik Nordstrom

On Wed, 20 Oct 2004, Scott Mayo wrote:

> I am trying to patch squid with X-Forwarded-For and run into all kinds of 
> trouble.  I downloaded squid-2.5.STABLE4 and the patch listed here: 
> http://squid.sourceforge.net/follow_xff/ but when I do the patch and then run 
> bootstrap.sh, I get all kinds of ERRORS and WARNINGS.

What does the first few errors/warnings look like?

Regards
Henrik


Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Scott Mayo
Henrik Nordstrom wrote:

> On Wed, 20 Oct 2004, Scott Mayo wrote:
>
>> I am trying to patch squid with X-Forwarded-For and run into all kinds 
>> of trouble.  I downloaded squid-2.5.STABLE4 and the patch listed here: 
>> http://squid.sourceforge.net/follow_xff/ but when I do the patch and 
>> then run bootstrap.sh, I get all kinds of ERRORS and WARNINGS.
>
> What does the first few errors/warnings look like?

I got to looking and there is actually only 1 major issue I guess.  The 
others say that something is deprecated and discouraged.

Can't find autoconf version 2.13
trying version 2.59

If I go to the cvs.devel.squid-cache.org repository and download the 
correct version of autoconf, will this work?  I did not know if I could 
put an older version of this file in with this version of squid and 
everything would still be ok.

Thanks for the help.
--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549
Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.


Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Scott Mayo
Scott Mayo wrote:

> Henrik Nordstrom wrote:
>
>> On Wed, 20 Oct 2004, Scott Mayo wrote:
>>
>>> I am trying to patch squid with X-Forwarded-For and run into all 
>>> kinds of trouble.  I downloaded squid-2.5.STABLE4 and the patch 
>>> listed here: http://squid.sourceforge.net/follow_xff/ but when I do 
>>> the patch and then run bootstrap.sh, I get all kinds of ERRORS and 
>>> WARNINGS.
>>
>> What does the first few errors/warnings look like?
>
> I got to looking and there is actually only 1 major issue I guess.  The 
> others say that something is deprecated and discouraged.
>
> Can't find autoconf version 2.13
> trying version 2.59
>
> If I go to the cvs.devel.squid-cache.org repository and download the 
> correct version of autoconf, will this work?  I did not know if I could 
> put an older version of this file in with this version of squid and 
> everything would still be ok.

After reading more about this, I assume that I need to actually go to 
http://ftp.gnu.org/gnu/autoconf/ and download the correct version of 
autoconf.  Is downgrading to autoconf 2.13 going to affect anything else 
in my system?  I am running Fedora 2.
Thanks Scott

--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549
Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.


Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Scott Mayo
Scott Mayo wrote:

> Scott Mayo wrote:
>
>> Henrik Nordstrom wrote:
>>
>>> On Wed, 20 Oct 2004, Scott Mayo wrote:
>>>
>>>> I am trying to patch squid with X-Forwarded-For and run into all 
>>>> kinds of trouble.  I downloaded squid-2.5.STABLE4 and the patch 
>>>> listed here: http://squid.sourceforge.net/follow_xff/ but when I do 
>>>> the patch and then run bootstrap.sh, I get all kinds of ERRORS and 
>>>> WARNINGS.
>>>
>>> What does the first few errors/warnings look like?
>>
>> I got to looking and there is actually only 1 major issue I guess.  
>> The others say that something is deprecated and discouraged.
>>
>> Can't find autoconf version 2.13
>> trying version 2.59
>>
>> If I go to the cvs.devel.squid-cache.org repository and download the 
>> correct version of autoconf, will this work?  I did not know if I 
>> could put an older version of this file in with this version of squid 
>> and everything would still be ok.
>
> After reading more about this, I assume that I need to actually go to 
> http://ftp.gnu.org/gnu/autoconf/ and download the correct version of 
> autoconf.  Is downgrading to autoconf 2.13 going to affect anything else 
> in my system?  I am running Fedora 2.
> Thanks Scott

I downloaded and compiled the autoconf 2.13 and then ran the bootstrap. 
It gave a bunch of the same warnings:

configure.in:: warning: AC_TRY_RUN called without default to allow 
cross compiling.

It then said that bootstrapping was complete.  Are these warnings alright?
Thanks for the help.
--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549
Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.


RE: [squid-users] X-Forwarded-For

2004-10-21 Thread Harding, Devon
I'm actually looking for the same thing.  Patches can be a pain
sometimes.

Mandrake has an updated RPM with the patch already built in, but I'm not
sure if it would work on FC2.  

http://www.rpmfind.net//linux/RPM/cooker/cooker/i586/media/main/squid-2.5.STABLE6-2mdk.i586.html

-Devon

-----Original Message-----
From: Scott Mayo [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 21, 2004 11:54 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [squid-users] X-Forwarded-For

Scott Mayo wrote:

> Scott Mayo wrote:
> 
>> Henrik Nordstrom wrote:
>>
>>>
>>>
>>> On Wed, 20 Oct 2004, Scott Mayo wrote:
>>>
>>>> I am trying to patch squid with X-Forwarded-For and run into all 
>>>> kinds of trouble.  I downloaded squid-2.5.STABLE4 and the patch 
>>>> listed here: http://squid.sourceforge.net/follow_xff/ but when I do
>>>> the patch and then run bootstrap.sh, I get all kinds of ERRORS and 
>>>> WARNINGS.
>>>
>>>
>>>
>>>
>>> What does the first few errors/warnings look like?
>>>
>>
>> I got to looking and there is actually only 1 major issue I guess.  
>> The others say that something is deprecated and discouraged.
>>
>> Can't find autoconf version 2.13
>> trying version 2.59
>>
>> If I go to the cvs.devel.squid-cache.org repository and download the 
>> correct version of autoconf, will this work?  I did not know if I 
>> could put an older version of this file in with this version of squid
>> and everything would still be ok.
> 
> 
> After reading more about this, I assume that I need to actually go to 
> http://ftp.gnu.org/gnu/autoconf/ and download the correct version of 
> autoconf.  Is downgrading to autoconf 2.13 going to affect anything else 
> in my system?  I am running Fedora 2.
> Thanks Scott
> 
I downloaded and compiled the autoconf 2.13 and then ran the bootstrap. 
It gave a bunch of the same warnings:

configure.in:: warning: AC_TRY_RUN called without default to allow 
cross compiling.

It then said that bootstrapping was complete.  Are these warnings alright?
Thanks for the help.

-- 
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549

Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.




Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Scott Mayo
Scott Mayo wrote:

> Scott Mayo wrote:
>
>> Scott Mayo wrote:
>>
>>> Henrik Nordstrom wrote:
>>>
>>>> On Wed, 20 Oct 2004, Scott Mayo wrote:
>>>>
>>>>> I am trying to patch squid with X-Forwarded-For and run into all 
>>>>> kinds of trouble.  I downloaded squid-2.5.STABLE4 and the patch 
>>>>> listed here: http://squid.sourceforge.net/follow_xff/ but when I do 
>>>>> the patch and then run bootstrap.sh, I get all kinds of ERRORS and 
>>>>> WARNINGS.
>>>>
>>>> What does the first few errors/warnings look like?
>>>
>>> I got to looking and there is actually only 1 major issue I guess.  
>>> The others say that something is deprecated and discouraged.
>>>
>>> Can't find autoconf version 2.13
>>> trying version 2.59
>>>
>>> If I go to the cvs.devel.squid-cache.org repository and download the 
>>> correct version of autoconf, will this work?  I did not know if I 
>>> could put an older version of this file in with this version of squid 
>>> and everything would still be ok.
>>
>> After reading more about this, I assume that I need to actually go to 
>> http://ftp.gnu.org/gnu/autoconf/ and download the correct version of 
>> autoconf.  Is downgrading to autoconf 2.13 going to affect anything 
>> else in my system?  I am running Fedora 2.
>> Thanks Scott
>
> I downloaded and compiled the autoconf 2.13 and then ran the bootstrap. It 
> gave a bunch of the same warnings:
>
> configure.in:: warning: AC_TRY_RUN called without default to allow 
> cross compiling.
>
> It then said that bootstrapping was complete.  Are these warnings alright?
> Thanks for the help.

OK, from what I have read, this warning is nothing to be concerned with. 
Now my question is, since I have used the autoconf 2.13 to get the 
correct configure file, can I now go back to version 2.59 with no 
problems?

--
Scott Mayo
Technology Coordinator
Bloomfield Schools
PH: 573-568-5669
FA: 573-568-4565
Pager: 800-264-2535 X2549
Duct tape is like the force, it has a light side and a dark side and it
holds the universe together.


Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Henrik Nordstrom
On Thu, 21 Oct 2004, Scott Mayo wrote:

> I got to looking and there is actually only 1 major issue I guess.  The 
> others say that something is deprecated and discouraged.
>
> Can't find autoconf version 2.13
> trying version 2.59

Squid-2.5 needs autoconf 2.13. You will also see this warning/error if you 
try to bootstrap the Squid-2.5 sources without any patches.

autoconf is a GNU tool.

Regards
Henrik


Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Henrik Nordstrom
On Thu, 21 Oct 2004, Scott Mayo wrote:

> After reading more about this, I assume that I need to actually go to 
> http://ftp.gnu.org/gnu/autoconf/ and download the correct version of 
> autoconf.  Is downgrading to autoconf 2.13 going to affect anything else in 
> my system?  I am running Fedora 2.

Fedora 2 has an autoconf213 package ready for you to use.

Regards
Henrik


Re: [squid-users] X-Forwarded-For

2004-10-21 Thread Henrik Nordstrom
On Thu, 21 Oct 2004, Scott Mayo wrote:

> configure.in:: warning: AC_TRY_RUN called without default to allow cross 
> compiling.
>
> It then said that bootstrapping was complete.  Are these warnings alright?

Yes.

Regards
Henrik


Re: [squid-users] X-Forwarded-For Header

2012-04-29 Thread Fran Márquez

On 29/04/2012 3:23,  wrote:
> Sorry for the top post.
> 
> Firstly that website is broken. Xff is a list header and always has
> been.
> 
> Secondly 3.0 is an extremely old Squid version which only supports 
> on/off for the forwarded_for directive. You need to upgrade.
> 
> Amos

Thank you very much, Amos,

I will update my squid installation as soon as I fix a problem with my
test machine (RHEL + squid + kerberos + msktutil). Meanwhile, I need
to fix this problem in my current proxy server.

I bypassed the website restriction using this:

-
request_header_access X-Forwarded-For deny all
#forwarded_for off
-

With this config, squid doesn't include the Xff header and the site allows
full access.

Regards and thank you very much

Fran M.


Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread Alex Rousskov
On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
> Looks like turning off x-forwarded-for, has been disabled now.  Nothing
> works.

> To see what I'm talking about, go to
> http://www.ericgiguere.com/tools/http-header-viewer.html


The above web page hosts a script that cannot be used as intended
because it sits behind a server that adds X-Forwarded-For and alters
some other HTTP headers.

Try testing with something more reliable, like taking a packet capture
and looking at the actual HTTP requests sent by Squid.


HTH,

Alex.



Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread merc1984

Well for Heaven's sake.

What motivation could he possibly have for dinking with the headers?


On Wed, Oct 9, 2013, at 11:08, Alex Rousskov wrote:
> On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
> > Looks like turning off x-forwarded-for, has been disabled now.  Nothing
> > works.
> 
> > To see what I'm talking about, go to
> > http://www.ericgiguere.com/tools/http-header-viewer.html
> 
> 
> The above web page hosts a script that cannot be used as intended
> because it sits behind a server that adds X-Forwarded-For and alters
> some other HTTP headers.
> 
> Try testing with something more reliable, like taking a packet capture
> and looking at the actual HTTP requests sent by Squid.
> 
> 
> HTH,
> 
> Alex.
> 




Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread Will Roberts

I think you missed Alex's point.

That page itself sits behind a reverse proxy that adds X-Forwarded-For. 
So using that for your testing isn't going to help.



On 10/09/2013 03:01 PM, merc1...@f-m.fm wrote:
> Well for Heaven's sake.
>
> What motivation could he possibly have for dinking with the headers?
>
> On Wed, Oct 9, 2013, at 11:08, Alex Rousskov wrote:
>> On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
>>> Looks like turning off x-forwarded-for, has been disabled now.  Nothing
>>> works.
>>> To see what I'm talking about, go to
>>> http://www.ericgiguere.com/tools/http-header-viewer.html
>>
>> The above web page hosts a script that cannot be used as intended
>> because it sits behind a server that adds X-Forwarded-For and alters
>> some other HTTP headers.
>>
>> Try testing with something more reliable, like taking a packet capture
>> and looking at the actual HTTP requests sent by Squid.
>>
>> HTH,
>>
>> Alex.





Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread merc1984
Didn't miss his point and I understand exactly what he said.

My question is what possible motive could ericgiguere have for
misrepresenting headers, on a header query site?

It just doesn't make sense.


On Wed, Oct 9, 2013, at 12:05, Will Roberts wrote:
> I think you missed Alex's point.
> 
> That page itself sits behind a reverse proxy that adds X-Forwarded-For. 
> So using that for your testing isn't going to help.
> 
> 
> On 10/09/2013 03:01 PM, merc1...@f-m.fm wrote:
> > Well for Heaven's sake.
> >
> > What motivation could he possibly have for dinking with the headers?
> >
> >
> > On Wed, Oct 9, 2013, at 11:08, Alex Rousskov wrote:
> >> On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
> >>> Looks like turning off x-forwarded-for, has been disabled now.  Nothing
> >>> works.
> >>> To see what I'm talking about, go to
> >>> http://www.ericgiguere.com/tools/http-header-viewer.html
> >>
> >> The above web page hosts a script that cannot be used as intended
> >> because it sits behind a server that adds X-Forwarded-For and alters
> >> some other HTTP headers.
> >>
> >> Try testing with something more reliable, like taking a packet capture
> >> and looking at the actual HTTP requests sent by Squid.
> >>
> >>
> >> HTH,
> >>
> >> Alex.
> >>
> 




Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread Will Roberts
I'm sure it wasn't malicious. That tool was put up in 2003. At some 
point in the past 10 years he probably put a reverse proxy in front of 
his site. Maybe you should email him and tell him he's broken his header 
tool.


On 10/09/2013 03:55 PM, merc1...@f-m.fm wrote:
> Didn't miss his point and I understand exactly what he said.
>
> My question is what possible motive could ericgiguere have for
> misrepresenting headers, on a header query site?
>
> It just doesn't make sense.
>
> On Wed, Oct 9, 2013, at 12:05, Will Roberts wrote:
>> I think you missed Alex's point.
>>
>> That page itself sits behind a reverse proxy that adds X-Forwarded-For.
>> So using that for your testing isn't going to help.
>>
>> On 10/09/2013 03:01 PM, merc1...@f-m.fm wrote:
>>> Well for Heaven's sake.
>>>
>>> What motivation could he possibly have for dinking with the headers?
>>>
>>> On Wed, Oct 9, 2013, at 11:08, Alex Rousskov wrote:
>>>> On 10/09/2013 10:15 AM, merc1...@f-m.fm wrote:
>>>>> Looks like turning off x-forwarded-for, has been disabled now.  Nothing
>>>>> works.
>>>>> To see what I'm talking about, go to
>>>>> http://www.ericgiguere.com/tools/http-header-viewer.html
>>>>
>>>> The above web page hosts a script that cannot be used as intended
>>>> because it sits behind a server that adds X-Forwarded-For and alters
>>>> some other HTTP headers.
>>>>
>>>> Try testing with something more reliable, like taking a packet capture
>>>> and looking at the actual HTTP requests sent by Squid.
>>>>
>>>> HTH,
>>>>
>>>> Alex.





Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread Amos Jeffries

On 10/10/2013 9:05 a.m., Will Roberts wrote:
> I'm sure it wasn't malicious. That tool was put up in 2003. At some 
> point in the past 10 years he probably put a reverse proxy in front of 
> his site. Maybe you should email him and tell him he's broken his 
> header tool.


But ... has he actually broken it? or is the breakage something deeper, 
like the assumption that it can be done at all?


All such online header tools are really only delivering a report of the 
headers which reached them. None of them have ever displayed "The 
Truth"(tm). The internals of the browser itself contains a set of layers 
doing header additions and changes. The same is (supposed to be) true of 
every extra layer of software proxies across the network.


This case is a great example of how no matter what header manipulation 
you do in your own proxy it cannot change what others are doing to the 
traffic elsewhere. The CDN he uses adding its own X-Forwarded-* headers. 
Your own upstream provider might add the X-Forwarded-For header adding 
details about you. Every proxy along the way removes existing hop-by-hop 
headers and adds new ones.


One interesting case here is that if you add X-Forwarded-For on your 
requests, does that value show up at his end?


Amos



Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread merc1984
On Wed, Oct 9, 2013, at 20:35, Amos Jeffries wrote:
> All such online header tools are really only delivering a report of the 
> headers which reached them. None of them have ever displayed "The 
> Truth"(tm). The internals of the browser itself contains a set of layers 
> doing header additions and changes. The same is (supposed to be) true of 
> every extra layer of software proxies across the network.

I just can't believe that someone would just keep a lying tool up. 
Maybe I'll send him an email.


> This case is a great example of how no matter what header manipulation 
> you do in your own proxy it cannot change what others are doing to the 
> traffic elsewhere. The CDN he uses adding its own X-Forwarded-* headers. 
> Your own upstream provider might add the X-Forwarded-For header adding 
> details about you. Every proxy along the way removes existing hop-by-hop 
> headers and adds new ones.

Crumcast shouldn't be manipulating my HTML headers;  that would cost too
much.


> One interesting case here is that if you add X-Forwarded-For on your 
> requests, does that value show up at his end?

I did try setting it to 127.0.0.1, but it didn't fool him.

Interestingly I run NoScript and have all scripting turned off for his
site, yet he still comes up with my IP.  Hm, maybe Crumcast is narcking
me out.





Re: [squid-users] x-forwarded-for Fail

2013-10-09 Thread Amos Jeffries

On 10/10/2013 5:53 p.m., merc1...@f-m.fm wrote:
> On Wed, Oct 9, 2013, at 20:35, Amos Jeffries wrote:
>> All such online header tools are really only delivering a report of the
>> headers which reached them. None of them have ever displayed "The
>> Truth"(tm). The internals of the browser itself contains a set of layers
>> doing header additions and changes. The same is (supposed to be) true of
>> every extra layer of software proxies across the network.
>
> I just can't believe that someone would just keep a lying tool up.
> Maybe I'll send him an email.
>
>> This case is a great example of how no matter what header manipulation
>> you do in your own proxy it cannot change what others are doing to the
>> traffic elsewhere. The CDN he uses adding its own X-Forwarded-* headers.
>> Your own upstream provider might add the X-Forwarded-For header adding
>> details about you. Every proxy along the way removes existing hop-by-hop
>> headers and adds new ones.
>
> Crumcast shouldn't be manipulating my HTML headers;  that would cost too
> much.

HTML is a different story entirely from HTTP.
Manipulation of HTTP headers on every relay point they cross is mandatory.

>> One interesting case here is that if you add X-Forwarded-For on your
>> requests, does that value show up at his end?
>
> I did try setting it to 127.0.0.1, but it didn't fool him.
>
> Interestingly I run NoScript and have all scripting turned off for his
> site, yet he still comes up with my IP.  Hm, maybe Crumcast is narcking
> me out.

Probably. They do have to send packets from your IP to his IP and get 
the responses back to you.


Amos


Re: [squid-users] x-forwarded-for Fail

2013-10-10 Thread merc1984
> HTML is a different story entirely from HTTP.
> Manipulation of HTTP headers on every relay point they cross is mandatory.

Why?

> >> One interesting case here is that if you add X-Forwarded-For on your
> >> requests, does that value show up at his end?
> > I did try setting it to 127.0.0.1, but it didn't fool him.
> >
> > Interestingly I run NoScript and have all scripting turned off for his
> > site, yet he still comes up with my IP.  Hm, maybe Crumcast is narcking
> > me out.
> 
> Probably. They do have to send packets from your IP to his IP and get 
> the responses back to you.

In order to get back to me my IP is in the packet headers.  No need for
them to be in http headers.

That's why you can (ostensibly) turn off x-forwarded-for in squid.conf.





Re: [squid-users] x-forwarded-for Fail

2013-10-10 Thread Amos Jeffries

On 11/10/2013 2:44 a.m., merc1...@f-m.fm wrote:
>> HTML is a different story entirely from HTTP.
>> Manipulation of HTTP headers on every relay point they cross is mandatory.
>
> Why?
>
>>>> One interesting case here is that if you add X-Forwarded-For on your
>>>> requests, does that value show up at his end?
>>> I did try setting it to 127.0.0.1, but it didn't fool him.
>>>
>>> Interestingly I run NoScript and have all scripting turned off for his
>>> site, yet he still comes up with my IP.  Hm, maybe Crumcast is narcking
>>> me out.
>>
>> Probably. They do have to send packets from your IP to his IP and get
>> the responses back to you.
>
> In order to get back to me my IP is in the packet headers.  No need for
> them to be in http headers.
>
> That's why you can (ostensibly) turn off x-forwarded-for in squid.conf.


Ah, but his site is running a script. The internal design of web servers 
often includes mapping TCP level details alongside HTTP headers so they 
can be sent over the very different connection between the server 
process and the script process. Good example is PHP's 
$_SERVER['REMOTE_ADDR'] which lists the IP of the web server receiving 
the traffic. The rest of that array is the HTTP headers and other 
environment details.
 That is pretty much what X-Forwarded-For is too - just a passing of 
end-users _public_ TCP connection IP (only the IP) through a hierarchy 
to the backend when the original TCP connection is nowhere near that 
backend software.

Amos


Re: [squid-users] x-forwarded-for Fail

2013-10-10 Thread Amos Jeffries

On 11/10/2013 2:44 a.m., merc1...@f-m.fm wrote:
>> HTML is a different story entirely from HTTP.
>> Manipulation of HTTP headers on every relay point they cross is mandatory.
>
> Why?



a) Because HTML is a markup language for text documents. HTTP is a 
protocol for software communication.


b) Being a communication protocol headers in HTTP are used for the 
purpose of negotiating features used to deliver messages by each end of 
a particular connection.


Given a proxy chain A <-> B <-> C <-> D. The client connection into a 
proxy (A->B) usually has different features to the outgoing server 
connection (B->C). The HTTP headers need to be changed from negotiating 
(A<->B) mechanisms to (B<->C) mechanisms, things like the message 
encoding or whether .
Some features like the much maligned Via and X-Forwarded-For relay 
information from B through C, so that A<->D mechanisms work - usually 
access control mechanisms for X-Forwarded-For, Via signals min/max 
available HTTP version or presence of non-HTTP protocols that affect 
end-to-end capabilities.


Amos
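
Added example, not part of the original thread and not Squid's code: a simplified Python model of the right-to-left walk a receiving proxy or backend can make over the X-Forwarded-For list, accepting an entry only when the hop that reported it is a known proxy. This is the idea behind putting DansGuardian's localhost into follow_x_forwarded_for earlier in this archive and behind the access-control use described above. The trusted networks and every address below are constructed sample values.

```python
import ipaddress

# Assumption: the proxies we operate ourselves (constructed values, e.g.
# DansGuardian on localhost and an internal proxy tier in 10.0.0.0/8).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "10.0.0.0/8")]


def is_trusted(addr):
    """True if addr parses as an IP address inside one of our proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def split_xff(header_values):
    """X-Forwarded-For is a list header: repeated header lines and
    comma-separated values all fold into one ordered list of hops."""
    hops = []
    for value in header_values:
        hops.extend(part.strip() for part in value.split(",") if part.strip())
    return hops


def indirect_client(peer_addr, header_values):
    """Return the address to log or match ACLs against.

    peer_addr is the source IP of the TCP connection, the only value we
    observed ourselves. Each proxy appends the address it saw to the right
    of the list, so we walk right to left and keep going only while the
    hop that vouches for the next entry is one of our trusted proxies.
    """
    client = peer_addr
    hops = split_xff(header_values)
    while hops and is_trusted(client):
        candidate = hops.pop()  # rightmost entry was added by `client`
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # e.g. the literal "unknown": nothing usable to follow
        client = candidate
    return client


if __name__ == "__main__":
    cases = [
        # (TCP peer, X-Forwarded-For header lines) - all constructed
        ("127.0.0.1", ["192.168.1.50"]),             # DG in front of Squid
        ("203.0.113.7", ["127.0.0.1"]),              # untrusted peer, forged value
        ("127.0.0.1", ["127.0.0.1, 198.51.100.9"]),  # client-supplied entry first
        ("10.0.0.2", ["192.0.2.44", "10.0.0.1"]),    # two trusted hops, two lines
        ("127.0.0.1", ["unknown"]),                  # upstream hid the client
    ]
    for peer, xff in cases:
        print(peer, xff, "->", indirect_client(peer, xff))
```

Entries to the left of the first untrusted address are never consulted, which is why a value typed in by the client does not change what the receiving side records.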



Re: [squid-users] x-forwarded-for Fail

2013-10-11 Thread merc1984
Thanks Amos, for the good explanation.

So this leads to: I'd like to anonymise my headers to the greatest
extent possible.  Here is my config: https://pastee.org/khgtw

Does anyone have a recommended configuration for best privacy?





Re: [squid-users] X-Forwarded-For: header

2003-01-29 Thread Tesla 13
> 1) is it possible to config squid NOT to set this header at all?


I think
header_access X-Forwarded-For deny all
should do.

You can remove it from the source if you feel inclined so. Just do a grep -r.

Don't have answers to other questions.

Tesla




Re: [squid-users] X-Forwarded-For: header

2003-01-29 Thread Frank Liu

That works! amazing.
I thought "header_access" and "header_replace" only works for
the headers that come from the client. not the ones (like,
X-Forwarded-For) that are set from squid itself. I actually tried
header_replace X-Forwarded-For 1.2.3.4
a few days ago but still got "unknown".

btw, if I set "forwarded_for" to off, shouldn't squid stop sending
the "X-Forwarded-For" header instead of sending a bogus "unknown"?

Frank

On Wed, 29 Jan 2003, Tesla 13 wrote:

> >1) is it possible to config squid NOT to set this header at all?
>
> I think
> header_access X-Forwarded-For deny all
> should do.
>
> You can remove it from the source if you feel inclined so. Just do a grep
> -r.
>
> Don't have answers to other questions.
>
> Tesla
>
>
>




Re: [squid-users] X-Forwarded-For: header

2003-01-29 Thread Henrik Nordstrom
Frank Liu wrote:

> 2) is it possible to config squid to send a user defined IP (say
>the IP of the proxy server itself), rather than "unknown" ?

Should be possible to change the header to say whatever you feel like
via header_replace.

> on a related one, is it possible to "insert" an customer HTTP header?

Not without first coding the feature I think.. but maybe header_replace
can be used..

Regards
Henrik



Re: [squid-users] X-Forwarded-For: header

2003-01-29 Thread Frank Liu

On Wed, 29 Jan 2003, Henrik Nordstrom wrote:
> Frank Liu wrote:
>
> > 2) is it possible to config squid to send a user defined IP (say
> >the IP of the proxy server itself), rather than "unknown" ?
>
> Should be possible to change the header to say whatever you feel like
> via header_replace.

I actually tried that a few days ago (see my other post) and it didn't
work, which made me believe "header_replace" would only work for
headers set from the client, not for those headers set by squid itself.

Now I re-read the squid.conf, maybe I have to "header_access" to deny
this header first, before "header_replace" can work???

thanks!
frank

>
> > on a related one, is it possible to "insert" an customer HTTP header?
>
> Not without first coding the feature I think.. but maybe header_replace
> can be used..
>
> Regards
> Henrik
>




Re: [squid-users] X-Forwarded-For: header

2003-01-29 Thread Tesla 13
> That works! amazing.
> I thought "header_access" and "header_replace" only works for
> the headers that come from the client. not the ones (like,
> X-Forwarded-For) that are set from squid itself. I actually tried
> header_replace X-Forwarded-For 1.2.3.4
> a few days ago but still got "unknown".


You probably forgot to deny it with header_access first.


> btw, if I set "forwarded_for" to off, shouldn't squid stop sending
> the "X-Forwarded-For" header instead of sending a bogus "unknown"?


I prefer to remove X-Forwarded-For from the source. Sometimes it leaks out 
from my configs and I am too lazy to find out what went wrong.

Tesla




Re: [squid-users] X-Forwarded-For: header

2003-01-29 Thread Henrik Nordstrom
Frank Liu wrote:

> I actually tried that a few days ago (see my other post) and it didn't
> work, which made me believe "header_replace" would only work for
> headers set from the client, not for those headers set by squid itself.
> 
> Now I re-read the squid.conf, maybe I have to "header_access" to deny
> this header first, before "header_replace" can work???

Yes.

Regards
Henrik



RE: [squid-users] X-Forwarded-For: unknown

2004-07-12 Thread Elsen Marc

 
> 
> I'm experimenting a problem with a web site because
> X-Forwarded-For is unknown.
> 
> However squid.conf.default shows that X-Forwarded-For is
> on by default.

  I presume this is not changed in the current squid.conf by
setting this parameter to off , for instance ?

> 
> My squid.conf modify only the User-Agent header:
> 
> header_access User-Agent deny all
> header_replace User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US;
> rv:0.9.4) Gecko/20020508 Netscape6/6.2.3
> 
> Could it be a problem?

  Probably not, you can debug the situation further with :

   http://www.showmyip.com

  Look for 'Forwarded'.

  M.


Re: [squid-users] X-Forwarded-For: unknown

2004-07-12 Thread Marco Berizzi
> > However squid.conf.default shows that X-Forwarded-For is
> > on by default.

>   I presume this is not changed in the current squid.conf by
> setting this parameter to off , for instance ?

No, it is not changed.

>  Probably not, you can debug the situation further with :
>
>   http://www.showmyip.com
>
>  Look for 'Forwarded'.

Done: X-Forwarded-For:unknown
I have also tried with http://www.grc.com



RE: [squid-users] X-Forwarded-For: unknown

2004-07-12 Thread Elsen Marc
 
> > > However squid.conf.default shows that X-Forwarded-For is
> > > on by default.
> 
> >   I presume this is not changed in the current squid.conf by
> > setting this parameter to off , for instance ?
> 
> No, it is not changed.
> 
> >  Probably not, you can debug the situation further with :
> >
> >   http://www.showmyip.com
> >
> >  Look for 'Forwarded'.
> 
> Done: X-Forwarded-For:unknown
> I have also tried with http://www.grc.com
> 
> 

   Squid version ?

   M.


Re: [squid-users] X-Forwarded-For: unknown

2004-07-12 Thread Marco Berizzi

>   Squid version ?

Buhh... sorry: 2.5.STABLE6 compiled from source on Slackware 9.1
kernel 2.4.26 gcc 3.2.3 glibc 2.3.2



Re: [squid-users] X-Forwarded-For: unknown

2004-07-12 Thread Marco Berizzi
> > Buhh... sorry: 2.5.STABLE6 compiled from source on Slackware 9.1
> > kernel 2.4.26 gcc 3.2.3 glibc 2.3.2
> >

>  Ok, clueless for the moment,but one sanity check,to proof
> that is related to the header_deny,header_access stuff you use
> in squid.conf :

>   -  if that is not done, is the situation normal again,
> with respect to X-Forwarded-for behavior ?

> If it is, then I have no further clues for the moment, other
> then to report via BUG report.

Oops I'm becoming small small small... found the error: sorry
to everybody.



Re: [squid-users] X-Forwarded-For: unknown

2004-07-25 Thread Henrik Nordstrom
On Mon, 12 Jul 2004, Marco Berizzi wrote:

> I'm experimenting a problem with a web site because
> X-Forwarded-For is unknown.

If the X-Forwarded-For header says "unknown" then you have set 
"forwarded_for off" in squid.conf.

If it is completely missing then you have denied it from header_access.

Regards
Henrik



Re: [squid-users] X-Forwarded-For header

2004-02-04 Thread Henrik Nordstrom
On Tue, 3 Feb 2004, Abdul Khader wrote:

> Hi all,
> I have patched the squid with the X-Forward-For header
> patch.
> But, still no luck. I am still getting 127.0.0.1 in
> access.log.

Is Dansguardian sending a X-Forwarded-For header to Squid?

Have you told Squid to look into the header? (see squid.conf.default 
after installing your patched Squid or the documentation on the 
follow_xff web site).

Regards
Henrik



Re: [squid-users] X-Forwarded-For in squid3.0

2009-06-07 Thread Amos Jeffries
On Sun, 7 Jun 2009 23:02:21 +0800 (CST), "Tech W." 
wrote:
> Hi,
> 
> Does squid-3.0 have X-Forwarded-For enabled built-in?
> Since I don't see that a configure directive in squid.conf.
> 

All squid 3.x have the basic forwarded_for on/off and forwarding additions
working.
3.1 is needed for the more advanced reverse-proxy alterations and
follow_x_forwarded_for operations.

http://www.squid-cache.org/Doc/config/forwarded_for/
(NP: ignore the "2.3 Removed Directives" heading, the page generation seems
to be a bit broken. That's part of the 2.6 release notes that should not be
there.)


Amos



Re: [squid-users] X-Forwarded-For and cache_peer_access

2013-07-16 Thread Amos Jeffries

On 16/07/2013 7:31 a.m., Michael Graham wrote:

> Hi all,
>
> I'm having a problem getting squid to select the upstream proxy based on
> the source address set in the X-Forwarded-For header.
>
> Here is the appropriate lines from my squid.conf:
>
> follow_x_forwarded_for allow all

You should never have "allow all" here even for just testing.
What "allow all" means for that directive is to completely trust 
anything sent by any client and use the farthest back IP address found. 
Not very useful for testing whether your one-hop-away software is 
relaying you accurate details.

What you need to do is limit this to only permit trusting the IP 
addresses of the upstream proxy which is supposed to be setting the XFF 
header.

> acl forwardTrafficSubnet1 src 172.21.120.0/24
> cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
> cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
> never_direct deny forwardTrafficSubnet1
> cache_peer_access 172.21.120.24 allow all
> never_direct allow all
>
> (I'm only using allow all for testing I promise!)
>
> But I am always getting forwarded to the parent peer even when I am
> coming from a machine on forwardTrafficSubnet1.
>
> Has anyone had any success with this?

Does the X-Forwarded-For header actually contain an IP from the 
172.21.120.0/24 subnet (and not some IPv6 address from that subnet's IPv6 
ranges)?

Also, re-check this after fixing the follow_x_forwarded_for trust ACLs. 
That may be affecting the results.


Amos
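
The trust walk described in the reply above, as an added Python sketch (not code from this thread and not Squid's source). It models how follow_x_forwarded_for backtracks through the header; the relay on 127.0.0.1, the forged entry 203.0.113.50 and all function names are constructed assumptions.

```python
import ipaddress


def parse_xff(value):
    """Split an X-Forwarded-For value into entries, oldest hop first."""
    return [e.strip() for e in (value or "").split(",") if e.strip()]


def indirect_client(peer_ip, xff_value, trusted_nets):
    """Return the address that ends up being treated as the client.

    Start at the TCP peer. For as long as the current address is allowed by
    the trust ACL, step to the next X-Forwarded-For entry to the left.
    Simplified model (assumption): an entry that is not an IP address, such
    as "unknown", stops the walk and the last good address is kept.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    entries = parse_xff(xff_value)
    current = ipaddress.ip_address(peer_ip)
    while entries and any(current in net for net in trusted):
        candidate = entries.pop()  # rightmost entry = most recent hop
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            break
    return str(current)


def in_acl(addr, acl_net):
    """True when addr falls inside a 'src' style ACL network."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(acl_net)


# Trust ACLs: the restricted one from the thread and the "allow all" one.
LOCALSRC = ["127.0.0.1/32"]
ALLOW_ALL = ["0.0.0.0/0", "::/0"]
SUBNET1 = "172.21.120.0/24"  # forwardTrafficSubnet1 from the thread

# Constructed headers as they arrive from the relay on 127.0.0.1.
RELAYED_XFF = "172.21.120.23"               # relay appended the real client
FORGED_XFF = "203.0.113.50, 172.21.120.23"  # client sent its own entry first


def demo():
    """Resolve each constructed case and report whether SUBNET1 matches."""
    cases = [
        ("relay trusted, clean header", "127.0.0.1", RELAYED_XFF, LOCALSRC),
        ("relay trusted, forged entry", "127.0.0.1", FORGED_XFF, LOCALSRC),
        ("allow all, forged entry", "127.0.0.1", FORGED_XFF, ALLOW_ALL),
        ("untrusted direct client", "172.21.120.23", "127.0.0.1", LOCALSRC),
    ]
    rows = []
    for label, peer, xff, trust in cases:
        addr = indirect_client(peer, xff, trust)
        rows.append((label, addr, in_acl(addr, SUBNET1)))
    return rows


if __name__ == "__main__":
    for label, addr, matched in demo():
        print("%-30s -> %-15s matches %s: %s" % (label, addr, SUBNET1, matched))
```

With the trust list limited to the relay, the forged leftmost entry is never reached; with "allow all" it becomes the address that ACLs such as forwardTrafficSubnet1 are matched against.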


Re: [squid-users] X-Forwarded-For and cache_peer_access

2013-07-16 Thread Michael Graham
On Tue, 2013-07-16 at 23:30 +1200, Amos Jeffries wrote:
> Does the X-Forwarded-For header actually contain an IP from the 
> 172.21.120.0/24 subnet (and not some IPv6 address from that subnets
> IPv6 ranges).

Yeah it seems to be:

GET http://www.google.com/ HTTP/1.1
Accept: */*
Host: www.google.com
User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7
OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Via: 1.1 cake-icap (squid/3.3.6)
X-Forwarded-For: 172.21.120.23
Cache-Control: max-age=259200
Connection: keep-alive

> Also, re-check this after fixing the follow_x_forwarded_for trust
> ACLs. That may be affecting the results. 

I've went back to the original lines:

acl localsrc src 127.0.0.1
follow_x_forwarded_for allow localsrc

Here is the output from debug_options ALL,1 17,9 28,9 when I make a
request:

2013/07/16 14:27:53.773 kid1| Acl.cc(345) matches: ACLList::matches:
checking forwardTrafficSubnet1
2013/07/16 14:27:53.773 kid1| Acl.cc(326) checklistMatches:
ACL::checklistMatches: checking 'forwardTrafficSubnet1'
2013/07/16 14:27:53.773 kid1| Ip.cc(134) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare:
172.21.120.23/[:::::::ff00] (172.21.120.0)
vs 172.21.120.0-[::]/[:::::::ff00]
2013/07/16 14:27:53.773 kid1| Ip.cc(560) match: aclIpMatchIp:
'172.21.120.23' found
2013/07/16 14:27:53.773 kid1| Acl.cc(328) checklistMatches:
ACL::ChecklistMatches: result for 'forwardTrafficSubnet1' is 1
2013/07/16 14:27:53.773 kid1| Acl.cc(349) matches: forwardTrafficSubnet1
matched.
2013/07/16 14:27:53.773 kid1| Acl.cc(363) matches: forwardTrafficSubnet1
result is true
2013/07/16 14:27:53.773 kid1| Checklist.cc(275) matchNode: 0x1d8afd8
matched=1 async=0 finished=0
2013/07/16 14:27:53.773 kid1| Checklist.cc(260) matchNodes: 0x1d8afd8
success: all ACLs matched
2013/07/16 14:27:53.773 kid1| Checklist.cc(146) markFinished: 0x1d8afd8
answer DENIED for first matching rule won
2013/07/16 14:27:53.773 kid1| Checklist.cc(88) matchNonBlocking:
ACLChecklist::check: 0x1d8afd8 match found, calling back with DENIED

I don't know why is says that the rule matched but that it is returning
DENIED.

Cheers,
-- 
Michael Graham 




Re: [squid-users] X-Forwarded-For and cache_peer_access

2013-07-17 Thread Michael Graham
On Tue, 2013-07-16 at 09:31 -0400, Michael Graham wrote:
> On Tue, 2013-07-16 at 23:30 +1200, Amos Jeffries wrote:
> > Does the X-Forwarded-For header actually contain an IP from the 
> > 172.21.120.0/24 subnet (and not some IPv6 address from that subnets
> > IPv6 ranges).
> 
> Yeah it seems to be:
> 
> GET http://www.google.com/ HTTP/1.1
> Accept: */*
> Host: www.google.com
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7
> OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Via: 1.1 cake-icap (squid/3.3.6)
> X-Forwarded-For: 172.21.120.23
> Cache-Control: max-age=259200
> Connection: keep-alive
> 
> > Also, re-check this after fixing the follow_x_forwarded_for trust
> > ACLs. That may be affecting the results. 
> 
> I've went back to the original lines:
> 
> acl localsrc src 127.0.0.1
> follow_x_forwarded_for allow localsrc
> 
> Here is the output from debug_options ALL,1 17,9 28,9 when I make a
> request:
> 
> 2013/07/16 14:27:53.773 kid1| Acl.cc(345) matches: ACLList::matches:
> checking forwardTrafficSubnet1
> 2013/07/16 14:27:53.773 kid1| Acl.cc(326) checklistMatches:
> ACL::checklistMatches: checking 'forwardTrafficSubnet1'
> 2013/07/16 14:27:53.773 kid1| Ip.cc(134) aclIpAddrNetworkCompare:
> aclIpAddrNetworkCompare: compare:
> 172.21.120.23/[:::::::ff00] (172.21.120.0)
> vs 172.21.120.0-[::]/[:::::::ff00]
> 2013/07/16 14:27:53.773 kid1| Ip.cc(560) match: aclIpMatchIp:
> '172.21.120.23' found
> 2013/07/16 14:27:53.773 kid1| Acl.cc(328) checklistMatches:
> ACL::ChecklistMatches: result for 'forwardTrafficSubnet1' is 1
> 2013/07/16 14:27:53.773 kid1| Acl.cc(349) matches: forwardTrafficSubnet1
> matched.
> 2013/07/16 14:27:53.773 kid1| Acl.cc(363) matches: forwardTrafficSubnet1
> result is true
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(275) matchNode: 0x1d8afd8
> matched=1 async=0 finished=0
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(260) matchNodes: 0x1d8afd8
> success: all ACLs matched
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(146) markFinished: 0x1d8afd8
> answer DENIED for first matching rule won
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(88) matchNonBlocking:
> ACLChecklist::check: 0x1d8afd8 match found, calling back with DENIED
> 
> I don't know why is says that the rule matched but that it is returning
> DENIED.
> 
> Cheers,

Hi again,

I wonder if anyone has any ideas on this one, at the moment this just
doesn't seem to work.

Cheers,
-- 
Michael Graham 




RE: [squid-users] x-forwarded-for patch (again)

2005-10-16 Thread Lucia Di Occhi
I don't see anything with regard to the x-forward-patch being included in 
STABLE12.  The diff file does not mention anything either.  Is this a distro 
specific thing?




From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: squid-users@squid-cache.org
Subject: [squid-users] x-forwarded-for patch (again)
Date: Sun, 16 Oct 2005 21:31:40 +

After following some instructions on this list I downloaded 
squid-2.5.STABLE9 and patched with the x_forwarded_for patch and nothing 
works.


here is a summary of what I did:

downloaded and untarred STABLE9

Stefano (the squid package maintainer for squid) graciously provided me the 
./configure statement he uses to build the slackware package and I've 
enclosed that ./configure line below for reference.


./configure --bindir=/usr/sbin --sysconfdir=/etc/squid
--datadir=/etc/squid --libexecdir=/usr/libexec/squid
--localstatedir=/var/log/squid --enable-removal-policies="lru heap"
--enable-auth="basic ntlm digest" --enable-basic-auth-helpers="NCSA MSNT 
SMB winbind YP" --enable-digest-auth-helpers=password
--enable-external-acl-helpers="ip_user unix_group wbinfo_group 
winbind_group" --enable-ntlm-auth-helpers="SMB winbind"
--enable-async-io --with-pthreads --with-aio --enable-storeio="ufs null 
aufs coss" --enable-delay-pools --enable-snmp --enable-ssl --enable-icmp

--enable-cache-digests --disable-wccp --disable-http-violations
--disable-ident-lookups --enable-useragent-log --enable-arp-acl
--prefix=/usr

(please excuse the wordwrap)

STABLE9 configure works fine, and so does make all (I didn't make install)

I patched the source with x_forwarded_for patch and manually applied the 2 
failed hunks src/structs.h


as instructed I ran ./bootstrap.sh and I get this output and error message:

WARNING: Cannot find automake version 1.5
Trying automake (GNU automake) 1.9.5
WARNING: Cannot find autoconf version 2.13
Trying autoconf (GNU Autoconf) 2.59
acinclude.m4:10: warning: underquoted definition of AC_CHECK_SIZEOF_SYSTYPE
 run info '(automake)Extending aclocal'
 or see http://sources.redhat.com/automake/automake.html#Extending-aclocal
acinclude.m4:49: warning: underquoted definition of AC_CHECK_SYSTYPE
/usr/share/aclocal/pkg.m4:5: warning: underquoted definition of 
PKG_CHECK_MODULES
/usr/share/aclocal/libIDL.m4:6: warning: underquoted definition of 
AM_PATH_LIBIDL
/usr/share/aclocal/imlib.m4:9: warning: underquoted definition of 
AM_PATH_IMLIB
/usr/share/aclocal/imlib.m4:167: warning: underquoted definition of 
AM_PATH_GDK_IMLIB

/usr/share/aclocal/gtk.m4:7: warning: underquoted definition of AM_PATH_GTK
/usr/share/aclocal/glib.m4:8: warning: underquoted definition of 
AM_PATH_GLIB
/usr/share/aclocal/gdk-pixbuf.m4:12: warning: underquoted definition of 
AM_PATH_GDK_PIXBUF
/usr/share/aclocal/audiofile.m4:12: warning: underquoted definition of 
AM_PATH_AUDIOFILE
/usr/share/aclocal/aalib.m4:12: warning: underquoted definition of 
AM_PATH_AALIB
/usr/share/aclocal/ORBit.m4:4: warning: underquoted definition of 
AM_PATH_ORBIT

configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
autoheader: WARNING: Using auxiliary files such as `acconfig.h', 
`config.h.bot'
autoheader: WARNING: and `config.h.top', to define templates for 
`config.h.in'

autoheader: WARNING: is deprecated and discouraged.
autoheader:
autoheader: WARNING: Using the third argument of `AC_DEFINE' and
autoheader: WARNING: `AC_DEFINE_UNQUOTED' allows to define a template 
without

autoheader: WARNING: `acconfig.h':
autoheader:
autoheader: WARNING:   AC_DEFINE([NEED_FUNC_MAIN], 1,
autoheader: [Define if a function `main' is needed.])
autoheader:
autoheader: WARNING: More sophisticated templates can also be produced, see 
the

autoheader: WARNING: documentation.
configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
configure.in:1455: warning: AC_CHECK_TYPE: assuming `u_short' is not a type
autoconf/types.m4:234: AC_CHECK_TYPE is expanded from...
configure.in:1455: the top level
configure.in:2214: error: do not use LIBOBJS directly, use AC_LIBOBJ (see 
section `AC_LIBOBJ vs LIBOBJS'

 If this token and others are legitimate, please use m4_pattern_allow.
 See the Autoconf documentation.
autoconf failed
Autotool bootstrapping failed. You will need to investigate and correct
before you can develop on this source tree

As you can see the bootstrap of the new patch fails

if I run /bootstrap.sh again then the output is the same as above but 
somehow the last sentence about the failure is gone, and all seems to have 
worked.


however if you try to make all you are going to get a make warning stating 
that the linux_netfil

Re: [squid-users] x-forwarded-for patch (again)

2005-10-16 Thread Henrik Nordstrom

On Sun, 16 Oct 2005, [EMAIL PROTECTED] wrote:


> as instructed I ran ./bootstrap.sh and I get this output and error message:
>
> WARNING: Cannot find automake version 1.5
> Trying automake (GNU automake) 1.9.5
> WARNING: Cannot find autoconf version 2.13
> Trying autoconf (GNU Autoconf) 2.59


You need to fix this before continuing. Squid-2.5 requires the above 
autotool versions.


Regards
Henrik


RE: [squid-users] x-forwarded-for patch (again)

2005-10-16 Thread [EMAIL PROTECTED]

Quoting Lucia Di Occhi <[EMAIL PROTECTED]>:

> I don't see anything with regard to the x-forward-patch being 
> included in STABLE12.  The diff file does not mention anything 
> either.  Is this a distro specific thing?




Lucia:

Squid has several enhancement options that may or may not fit any 
particular user, and most (if not all) of them are hosted on a 
dedicated squid projects page that used to be at squid.sourceforge.net


using any one of these enhancements to squid may provide additional 
functionality that the main squid package is lacking.


check it out.

Rance



RE: [squid-users] x-forwarded-for patch (again)

2005-10-16 Thread Henrik Nordstrom



On Sun, 16 Oct 2005, Lucia Di Occhi wrote:

> I don't see anything with regard to the x-forward-patch being included in 
> STABLE12.

It's not.

> The diff file does not mention anything either.  Is this a distro 
> specific thing?


What is talked about is the "Follow X-Forwarded-For headers" patch 
available from devel.squid-cache.org.


The author of this patch kindly provided a Squid-2.5 version some years 
back, but it has not been maintained for more current Squid-2.5 versions 
(last patch update was 2003/11/23) and manual editing is now required to 
apply the patch to the current Squid releases.


Regards
Henrik


RE: [squid-users] x-forwarded-for patch (again)

2005-10-16 Thread Henrik Nordstrom

On Sun, 16 Oct 2005, [EMAIL PROTECTED] wrote:

> Squid has several enhancement options that may or may not fit any particular 
> user, and most (if not all) of them are hosted on a dedicated squid projects 
> page that used to be at squid.sourceforge.net

Used to? That page is very much still there.. but nowadays perhaps more 
commonly known as devel.squid-cache.org.


Regards
Henrik


Re: [squid-users] X-Forwarded-For header cleanup

2004-11-17 Thread Bin Liu
Yep,  I think I'm in the same situation.

I think it's better that when we set  "forwarded_for off" in
squid.conf, we should never see "X-Forwarded-For: Unknown." when there
is no X-Forwarded-For previously, and squid will not add  "unknown" 
when we already have one.


On Wed, 17 Nov 2004 10:12:38 +0100, Janno de Wit <[EMAIL PROTECTED]> wrote:
> Hi folks,
> 
> My Squid always modifies the X-Forwarded-For header with the client-IP.
> I'm now in a situation I want to keep the X-Forwarded-For header as it
> is..
> As far as i see it's only possible to disable the X-forwarded-for
> header, which will result the header as:
> X-Forwarded-For: Unknown.
> 
> At this time, I have already a X-Forwarded-For header. My final header
> as Squid will send out is:
> 
> X-Forwarded-For: , 
> 
> I want Squid to keep the header for what it is, thus:
> input:
> X-Forwarded-For: 
> ouput:
> X-Forwarded-For: 
> 
> Is this possible?
> 
> Thanks, Janno.
>


Re: [squid-users] X-Forwarded-For and Squid 3.0

2008-11-17 Thread Amos Jeffries

Silamael wrote:


> Hello!
>
> Are there any plans to implement the X-Forwarded-For feature in Squid3?
> We had to use Squid3 due to some ICAP project stuff and we will need the
> X-Forwarded-For feature for some other stuff too...



Yes. It is already done and in Squid 3.1.

We've had a fair number of annoyances found with the 3.1.0.2 packages 
not including everything they needed for the new code. One more in 
todays snapshot. So for testing I'd advise starting with the 20081118 
snapshot.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.2


Re: [squid-users] X-Forwarded-For and Squid 3.0

2008-11-17 Thread Silamael

Amos Jeffries wrote:
> Yes. It is already done and in Squid 3.1.
> 
> We've had a fair number of annoyances found with the 3.1.0.2 packages
> not including everything they needed for the new code. One more in
> todays snapshot. So for testing I'd advise starting with the 20081118
> snapshot.
> 
> Amos

Thank you for the quick reply. So probably we will upgrade to 3.1 then.

- -- Matthias


Re: [squid-users] X-Forwarded-For in Squid3 STABLE1

2008-03-27 Thread Henrik Nordstrom
On Wed, 2008-03-26 at 11:24 -0300, c0re dumped wrote:
> Hello,
> 
> Is there a new x-forwarded-for patch to be used on squid3 ?

http://devel.squid-cache.org/projects.html#follow_xff

but it hasn't been updated in quite some time.. (years) and probably
doesn't work too well with current squid3...

> In my opinion such a good feature must be added to the squid base
> code.

Then consider sponsoring adding this feature to Squid-3. Several of the
Squid developers happily accept sponsored work.

Or at minimum file a request in bugzilla to have this forward-ported to
Squid-3 if there isn't one already.

http://www.squid-cache.org/bugs/

Regards
Henrik



Re: [squid-users] x-forwarded-for patch install problem

2005-03-09 Thread Henrik Nordstrom

On Wed, 9 Mar 2005, saravanan ganapathy wrote:
> Hai
>
> When I tried to apply follow_xff-2.5.patch on
> squid-2.5.STABLE9 , I am getting the following error
>
> patching file src/structs.h
> Hunk #1 FAILED at 592.
> Hunk #2 succeeded at 634 (offset 16 lines).
> Hunk #3 succeeded at 1619 (offset 7 lines).
> Hunk #4 succeeded at 1679 (offset 16 lines).
> Hunk #5 FAILED at 1692.
> 2 out of 5 hunks FAILED -- saving rejects to file
> src/structs.h.rej
>
> How to solve this problem?

Hand edit the files, adding the changes patch could not automatically 
figure out what to do with (failed/rejected).

Regards
Henrik


Re: [squid-users] x-forwarded-for patch install problem

2005-03-09 Thread saravanan ganapathy

--- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> 
> 
> On Wed, 9 Mar 2005, saravanan ganapathy wrote:
> 
> > Hai
> >
> > When I tried to apply follow_xff-2.5.patch on
> > squid-2.5.STABLE9 , I am getting the following
> error
> >
> > patching file src/structs.h
> > Hunk #1 FAILED at 592.
> > Hunk #2 succeeded at 634 (offset 16 lines).
> > Hunk #3 succeeded at 1619 (offset 7 lines).
> > Hunk #4 succeeded at 1679 (offset 16 lines).
> > Hunk #5 FAILED at 1692.
> > 2 out of 5 hunks FAILED -- saving rejects to file
> > src/structs.h.rej
> >
> > How to solve this problem?
> 
> Hand edit the files, adding the changes patch could
> not automatically 
> figure out what to do with (failed/rejected).
>

What are the files to be edited? What are all the
changes to be done? 

Can u pls help me on this?

Sarav 



Re: [squid-users] x-forwarded-for patch install problem

2005-03-10 Thread Henrik Nordstrom

On Wed, 9 Mar 2005, saravanan ganapathy wrote:
>> Hand edit the files, adding the changes patch could
>> not automatically
>> figure out what to do with (failed/rejected).
>
> What are the files to be edited? What are all the
> changes to be done?

See the output of the patch command. There is two filenames mentioned...

   patching file src/structs.h
   2 out of 5 hunks FAILED -- saving rejects to file src/structs.h.rej

Regards
Henrik


Re: [squid-users] x-forwarded-for patch install problem

2005-03-10 Thread saravanan ganapathy

--- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> 
> 
> On Wed, 9 Mar 2005, saravanan ganapathy wrote:
> 
> >> Hand edit the files, adding the changes patch
> could
> >> not automatically
> >> figure out what to do with (failed/rejected).
> >>
> >
> > What are the files to be edited? What are all the
> > changes to be done?
> 
> See the output of the patch command. There is two
> filenames mentioned...
> 
> patching file src/structs.h
> 2 out of 5 hunks FAILED -- saving rejects to
> file src/structs.h.rej
>

Really I don't know what to be changed in
src/structs.h & src/structs.h.rej

Pls help me 

Sarav





Re: [squid-users] x-forwarded-for patch install problem

2005-03-11 Thread saravanan ganapathy

--- saravanan ganapathy <[EMAIL PROTECTED]> wrote:
> 
> --- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> > 
> > 
> > On Wed, 9 Mar 2005, saravanan ganapathy wrote:
> > 
> > >> Hand edit the files, adding the changes patch
> > could
> > >> not automatically
> > >> figure out what to do with (failed/rejected).
> > >>
> > >
> > > What are the files to be edited? What are all
> the
> > > changes to be done?
> > 
> > See the output of the patch command. There is two
> > filenames mentioned...
> > 
> > patching file src/structs.h
> > 2 out of 5 hunks FAILED -- saving rejects to
> > file src/structs.h.rej
> >
> 
> Really I don't know what to be changed in
> src/structs.h & src/structs.h.rej
> 
> Pls help me 
> 
> Sarav

I tried to find the docs in the net,but couldn't.

Hope some of you already did this configuration. Can
you pls help me?

Sarav 





Re: [squid-users] x-forwarded-for patch install problem

2005-03-11 Thread Henrik Nordstrom
On Fri, 11 Mar 2005, saravanan ganapathy wrote:
>> Really I don't know what to be changed in
>> src/structs.h & src/structs.h.rej
>>
>> Pls help me
>>
>> Sarav
>
> I tried to find the docs in the net,but couldn't.

The .rej file shows what should be changed in the file.

Regards
Henrik


Re: [squid-users] X-Forwarded-For Header and Rewriter

2006-06-06 Thread Chris Robertson

[EMAIL PROTECTED] wrote:


> Hi,
>
> does anybody know if it is possible to access the X-Forwarded-Header inside of 
> a rewriter script (squid used as reverse proxy). AFAIK, there is only the 
> ip-address of the requesting server available which may be the ip of another 
> cache-server.
>
> Background: We have another external cache server that queries our squids and 
> we want to pass the client ip to an external script which makes decisions about 
> the client ip: e.g. redirection to a special url if certain ips are there.
> I know that it is easy to trick the x-forwarded-header to fake ips, but 
> nevertheless.
>
> if I use something like external_acl %SRC with an external script I can only 
> say:OK or ERR, i.e. access or not. But I want to give the client different urls 
> back depending on its ip.
>
> Or is there any other possibility to make such decisions (with the 
> x-forwarded-for header information) outside the redirect script?
>
> thx in advance,
> max
 

http://devel.squid-cache.org/projects.html#follow_xff might be just what 
you are looking for.  Be aware that development patches are not 
supported and may set your hair on fire.  Also, be aware:


This patch changes the "configure.in" file, which is an input to 
"autoconf". You must run "bootstrap.sh" after applying this patch, and 
that will run "autoconf" for you. "autoconf" will generate a new 
"configure" script, which will have the new 
"--enable-follow-x-forwarded-for" option.


Chris


Re: [squid-users] X-Forwarded-For Header and Rewriter

2006-06-06 Thread Henrik Nordstrom
On Tue, 2006-06-06 at 13:26 -0800, Chris Robertson wrote:

> http://devel.squid-cache.org/projects.html#follow_xff might be just what 
> you are looking for.  Be aware that development patches are not 
> supported and may set your hair on fire. 

This patch has been included in the upcoming 2.6 release. You are
welcome to try out the 2.6 pre-release if you like to investigate this.

Regards
Henrik




Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8

2011-02-20 Thread Amos Jeffries

On Mon, 21 Feb 2011 12:16:46 +1300 (NZDT), Pieter De Wit wrote:

> Hi Guys,
>
> I run a reverse proxy for a client. They are using XFF for
> restricting certain content to IP.
>
> We have noted that the following doesn't "appear" to work as it 
> should:
>
> header_replace X-Forwarded-For allow all
>
> My understanding is that this will cause squid to replace the XFF
> header with it's own "client IP" ?

No this will replace the content of X-Forwarded-For with the text 
"allow all".

BUT, only if there is a corresponding "request_header_access 
X-Forwarded-For deny" line (or reply_header_access).

FWIW there was a documentation bug for a while indicating that Squid 
would add its *own* IP to XFF.
  Squid will never do that. Only the remote visitors/client IP is added 
to XFF.

> I see there is various answers about this on the internet so I would
> like to know which one applies to this setup.

In 3.0 you can use the header access denial + replace to strip out the 
existing header and add any desired forgery.

In 3.1+ you can use "forwarded_for truncate" to erase a prior history 
trace and perform what you describe in a much cleaner way. This is not 
usually a good idea and only useful to paper around broken web app 
security vulnerabilities.

> Here is some more details on the proxy chain:
>
> client -> proxy1 -> proxy2 -> origin web server
>
> Proxy 1 should replace the XFF header no matter what, so that if
> "client" is behind a proxy, it doesn't matter.

Well, truncate will do that, BUT using an origin server app which only 
pulls the *newest* IP off the list will be much better. And will protect 
against malicious forgery attacks as well.

> Proxy 2 should just pass the header as per normal, it doesn't matter
> if it adds an IP to the header.
>
> I am looking at replacing these boxes with Debian 6 boxes over the
> next week or so, but would really like to nail this one now :)


Then you will have access to 3.1.6+ with the above mentioned 
forwarded_for extensions.


In this setup in order to pass the client IP to the origin I would 
advise using this config:


proxy 1:
  - nothing special. It will add the real client IP to X-Forwarded-For: 
header.
  - you MAY use "forwarded_for truncate" here to explicitly erase any 
past garbage. But see above.


proxy 2:
  forwarded_for transparent

 - this will mean proxy 2 preserves the client IP proxy1 added as 
latest on the list, by not mentioning proxy1
 - BE CAREFUL that the only way requests can reach proxy2 is via 
proxy1.


origin:
 - trust proxy 2 as provider of X-Forwarded-For and grab the latest 
client from the XFF which it hands over.


Amos
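
The chain from the message above (client -> proxy1 -> proxy2 -> origin), as an added Python sketch that is not part of the thread and not Squid's code. It models the forwarded_for modes named in these threads (on, off, transparent, truncate) and shows which entry the origin reads; the addresses are constructed documentation addresses and the function names are assumptions.

```python
# Constructed addresses (documentation ranges), not taken from the thread.
CLIENT_IP = "198.51.100.7"   # real client as seen by proxy1
PROXY1_IP = "192.0.2.10"     # proxy1 as seen by proxy2
FORGED = "203.0.113.50"      # X-Forwarded-For value supplied by the client


def entries_of(xff):
    """Split an X-Forwarded-For value into entries, oldest hop first."""
    return [e.strip() for e in (xff or "").split(",") if e.strip()]


def forward_xff(mode, incoming, peer_ip):
    """Header value a proxy sends on, given its forwarded_for mode.

    Simplified model of the modes as described in the thread:
      on          append the address of the peer that connected to us
      off         append the literal "unknown"
      transparent pass the incoming list on without adding anything
      truncate    drop the incoming list, keep only the peer address
    Returns None when no header would be sent.
    """
    entries = entries_of(incoming)
    if mode == "on":
        entries.append(peer_ip)
    elif mode == "off":
        entries.append("unknown")
    elif mode == "truncate":
        entries = [peer_ip]
    elif mode != "transparent":
        raise ValueError("unsupported forwarded_for mode: %r" % mode)
    return ", ".join(entries) if entries else None


def through_chain(proxy1_mode, proxy2_mode, client_header=None):
    """Header the origin receives for client -> proxy1 -> proxy2 -> origin."""
    after_proxy1 = forward_xff(proxy1_mode, client_header, CLIENT_IP)
    return forward_xff(proxy2_mode, after_proxy1, PROXY1_IP)


def latest_entry(xff):
    """What an origin reads when it takes only the newest (rightmost) entry."""
    entries = entries_of(xff)
    return entries[-1] if entries else None


def oldest_entry(xff):
    """What an origin reads when it takes the first (leftmost) entry."""
    entries = entries_of(xff)
    return entries[0] if entries else None


def bypass_proxy1(proxy2_mode, client_header):
    """Same client reaching proxy2 directly, skipping proxy1."""
    return forward_xff(proxy2_mode, client_header, CLIENT_IP)


if __name__ == "__main__":
    for p1, p2 in [("on", "transparent"), ("truncate", "transparent"),
                   ("on", "on")]:
        header = through_chain(p1, p2, FORGED)
        print("proxy1=%-9s proxy2=%-11s header=%-45s latest=%s oldest=%s"
              % (p1, p2, header, latest_entry(header), oldest_entry(header)))
    direct = bypass_proxy1("transparent", FORGED)
    print("proxy2 reached directly: header=%s latest=%s"
          % (direct, latest_entry(direct)))
```

The last case is the "BE CAREFUL" point from the message: with proxy2 in transparent mode, any request that does not pass through proxy1 delivers a client-chosen value as the latest entry.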



Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8

2011-02-20 Thread Pieter De Wit

Hi Amos,

Thanks for the reply - I remember seeing the doc bug :)

I am building the Deb6 boxes as we speak (ext4+squid 3.1 is sounding very 
nice)


Cheers,

Pieter

On Mon, 21 Feb 2011, Amos Jeffries wrote:


On Mon, 21 Feb 2011 12:16:46 +1300 (NZDT), Pieter De Wit wrote:

Hi Guys,

I run a reverse proxy for a client. They are using XFF for
restricting certain content to IP.

We have noted that the following doesn't "appear" to work as it should:

header_replace X-Forwarded-For allow all

My understanding is that this will cause squid to replace the XFF
header with it's own "client IP" ?


No this will replace the content of X-Forwarded-For with the text "allow 
all".


BUT, only if there is a corresponding "request_header_access X-Forwarded-For 
deny" line (or reply_header_access).


FWIW there was a documentation bug for a while indicating that Squid would 
add its *own* IP to XFF.
 Squid will never do that. Only the remote visitors/client IP is added to 
XFF.




I see there are various answers about this on the internet so I would
like to know which one applies to this setup.



In 3.0 you can use the header access denial + replace to strip out the 
existing header and add any desired forgery.


In 3.1+ you can use "forwarded_for truncate" to erase a prior history trace 
and perform what you describe in a much cleaner way. This is not usually a 
good idea and only useful to paper around broken web app security 
vulnerabilities.




Here are some more details on the proxy chain:

client -> proxy1 -> proxy2 -> origin web server

Proxy 1 should replace the XFF header no matter what, so that if
"client" is behind a proxy, it doesn't matter.


Well, truncate will do that, BUT using an origin server app which only pulls 
the *newest* IP off the list will be much better. And will protect against 
malicious forgery attacks as well.




Proxy 2 should just pass the header as per normal, it doesn't matter
if it adds an IP to the header.

I am looking at replacing these boxes with Debian 6 boxes over the
next week or so, but would really like to nail this one now :)


Then you will have access to 3.1.6+ with the above mentioned forwarded_for 
extensions.


In this setup in order to pass the client IP to the origin I would advise 
using this config:


proxy 1:
 - nothing special. It will add the real client IP to X-Forwarded-For: 
header.
 - you MAY use "forwarded_for truncate" here to explicitly erase any past 
garbage. But see above.


proxy 2:
 forwarded_for transparent

- this will mean proxy 2 preserves the client IP proxy1 added as latest on 
the list, by not mentioning proxy1

- BE CAREFUL that the only way requests can reach proxy2 is via proxy1.

origin:
- trust proxy 2 as provider of X-Forwarded-For and grab the latest client 
from the XFF which it hands over.


Amos




Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8

2011-02-20 Thread Pieter De Wit

Hi Amos,

just had a go at this:

request_header_access X-Forwarded-For deny
header_replace X-Forwarded-For

and it's still passing XFF from another source thru - Nothing too urgent
since the Deb6 boxes are getting built :) But if you spot something ?


Cheers,

Pieter



Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8

2011-02-20 Thread Amos Jeffries

On 21/02/11 16:33, Pieter De Wit wrote:

Hi Amos,

just had a go at this:

request_header_access X-Forwarded-For deny
header_replace X-Forwarded-For

and it's still passing XFF from another source thru - Nothing too urgent
since the Deb6 boxes are getting built :) But if you spot something ?


Just a typo missing "all" after the "deny ".

and no value to hard-code into the header on the replace line.

This one is tricky to use since you have to hard-code the value passed
back, it won't contain the real client IP you want.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5


Re: [squid-users] X-Forwarded-For + Squid Version 3.0.STABLE8

2011-02-20 Thread Pieter De Wit

On 21/02/2011 18:16, Amos Jeffries wrote:

On 21/02/11 16:33, Pieter De Wit wrote:

Hi Amos,

just had a go at this:

request_header_access X-Forwarded-For deny
header_replace X-Forwarded-For

and it's still passing XFF from another source thru - Nothing too urgent
since the Deb6 boxes are getting built :) But if you spot something ?


Just a typo missing "all" after the "deny ".

and no value to hard-code into the header on the replace line.

This one is tricky to use since you have to hard-code the value passed
back, it won't contain the real client IP you want.


Amos
Yeah, not quite what we are after so squid 3.1.6 will have to do the 
trick :)


Thanks for the time !

Pieter


Re: [squid-users] x-forwarded-for patch for squid-2.5.Stable11

2005-10-14 Thread saravanan ganapathy
> > I am posting this on both dansguardian and squid
> > lists so that it can help 
> > anyone with the x-forwarded-for patch.
> > 
> > Download squid-2.5.STABLE9.tar.gz and
> > follow_xff-2.5.STABLE5.patch on /tmp
> > Extract the squid tar file with: tar xvfz
> > squid-2.5.STABLE9.tar.gz
> > copy follow_xff-2.5.STABLE5.patch to
> > /tmp/squid-2.5.STABLE9
> > cd to /tmp/squid-2.5.STABLE9 and execute: patch
> -p0
> > < 
> > follow_xff-2.5.STABLE5.patch
> > 
> > you should get the following errors:
> > 
> > FedoraCore2[/tmp/squid-2.5.STABLE9]patch -p0 <
> > follow_xff-2.5.STABLE5.patch
> > patching file acconfig.h
> > patching file bootstrap.sh
> > Hunk #1 succeeded at 66 (offset 7 lines).
> > patching file configure.in
> > Hunk #1 succeeded at 1128 (offset 28 lines).
> > patching file src/acl.c
> > Hunk #1 succeeded at 2147 (offset 107 lines).
> > patching file src/cf.data.pre
> > Hunk #1 succeeded at 2144 (offset 29 lines).
> > patching file src/client_side.c
> > Hunk #2 succeeded at 185 (offset 2 lines).
> > Hunk #4 succeeded at 3308 (offset 58 lines).
> > patching file src/delay_pools.c
> > patching file src/structs.h
> > Hunk #1 FAILED at 594.
> > Hunk #2 succeeded at 634 (offset 14 lines).
> > Hunk #3 succeeded at 1621 (offset 2 lines).
> > Hunk #4 succeeded at 1684 (offset 14 lines).
> > Hunk #5 FAILED at 1697.
> > 2 out of 5 hunks FAILED -- saving rejects to file
> > src/structs.h.rej
> > 
> > This means that two hunks (parts) of the patch
> > failed to patch src/structs.h 
> > at around lines 594 and 1697.  Now look at the
> > src/structs.h.rej which 
> > should look like this:
> > 
> > ***
> > *** 594,599 
> > int pipeline_prefetch;
> > int request_entities;
> > int detect_broken_server_pconns;
> >   } onoff;
> >   acl *aclList;
> >   struct {
> > --- 594,604 
> > int pipeline_prefetch;
> > int request_entities;
> > int detect_broken_server_pconns;
> > + #if FOLLOW_X_FORWARDED_FOR
> > +int acl_uses_indirect_client;
> > +int delay_pool_uses_indirect_client;
> > +int log_uses_indirect_client;
> > + #endif /* FOLLOW_X_FORWARDED_FOR */
> >   } onoff;
> >   acl *aclList;
> >   struct {
> > ***
> > *** 1681,1686 
> >   char *peer_login; /* Configured peer
> > login:password */
> >   time_t lastmod;   /* Used on
> refreshes
> > */
> >   const char *vary_headers; /* Used when
> varying
> > entities are detected. 
> > Chan
> > ges how the store key is calculated */
> >   };
> > 
> >   struct _cachemgr_passwd {
> > --- 1697,1707 
> >   char *peer_login; /* Configured peer
> > login:password */
> >   time_t lastmod;   /* Used on
> refreshes
> > */
> >   const char *vary_headers; /* Used when
> varying
> > entities are detected. 
> > Chan
> > ges how the store key is calculated */
> > + #if FOLLOW_X_FORWARDED_FOR
> > + /* XXX a list of IP addresses would be a
> > better data structure
> > +  * than this String */
> > + String x_forwarded_for_iterator;
> > + #endif /* FOLLOW_X_FORWARDED_FOR */
> >   };
> > 
> >   struct _cachemgr_passwd {
> > 
> > As you can see the patch has found some 'issues'
> on
> > line 594 where it was 
> > expecting something that it did not find.  No
> > problem, just open 
> > src/structs.h with 'vi' and go to line 594 and
> > locate the line:
> > 
> > int detect_broken_server_pconns;
> > 
> > which should be somewhere around there.
> > now insert the following as described by the .rej
> > file (remove the + which 
> > means ADD)
> > 
> > #if FOLLOW_X_FORWARDED_FOR
> > int acl_uses_indirect_client;
> > int delay_pool_uses_indirect_client;
> > int log_uses_indirect_client;
> > #endif /* FOLLOW_X_FORWARDED_FOR */
> > 
> > so around line 594 you should now have:
> > 
> > int detect_broken_server_pconns;
> > #if FOLLOW_X_FORWARDED_FOR
> > int acl_uses_indirect_client;
> > int delay_pool_uses_indirect_client;
> > int log_uses_indirect_client;
> > #endif /* FOLLOW_X_FORWARDED_FOR */
> > int balance_on_multiple_ip;
> > int relaxed_header_parser;
> > int accel_uses_host_header;
> > int accel_no_pmtu_disc;
> > } onoff;
> > acl *aclList;
> > 
> > OK, let's now go to line 1697 (more or less since
> we
> > have just added a few 
> > lines around 594)
> > locate the line:
> > 
> > const char *vary_headers; /* Used when varying
> > entities are detected. Chan 
> > ges how the store key is calculated */
> > 
> > which should be somewhere around there.
> > now insert the following as described by the .rej
> > file (remove the + which 
> > means ADD)
> > 
> > #if FOLLOW_X_FORWARDED_FOR
> >  /* XXX a list of IP addresses would be a
> better
> > data structure
> >   * than this String */
> >  String x_forwarded_for_iterator;
> > #endif /* FOLLOW_X_FORWARDED_FOR */
> > 
> > so around line 1697 you 

Re: [squid-users] x-forwarded-for patch for squid-2.5.Stable11

2005-10-14 Thread saravanan ganapathy

> > > Download squid-2.5.STABLE9.tar.gz and
> > > follow_xff-2.5.STABLE5.patch on /tmp
> > > Extract the squid tar file with: tar xvfz
> > > squid-2.5.STABLE9.tar.gz
> > > copy follow_xff-2.5.STABLE5.patch to
> > > /tmp/squid-2.5.STABLE9
> > > cd to /tmp/squid-2.5.STABLE9 and execute: patch
> > -p0
> > > < 
> > > follow_xff-2.5.STABLE5.patch
> > > 
> > > you should get the following errors:
> > > 
> > > FedoraCore2[/tmp/squid-2.5.STABLE9]patch -p0 <
> > > follow_xff-2.5.STABLE5.patch
> > > patching file acconfig.h
> > > patching file bootstrap.sh
> > > Hunk #1 succeeded at 66 (offset 7 lines).
> > > patching file configure.in
> > > Hunk #1 succeeded at 1128 (offset 28 lines).
> > > patching file src/acl.c
> > > Hunk #1 succeeded at 2147 (offset 107 lines).
> > > patching file src/cf.data.pre
> > > Hunk #1 succeeded at 2144 (offset 29 lines).
> > > patching file src/client_side.c
> > > Hunk #2 succeeded at 185 (offset 2 lines).
> > > Hunk #4 succeeded at 3308 (offset 58 lines).
> > > patching file src/delay_pools.c
> > > patching file src/structs.h
> > > Hunk #1 FAILED at 594.
> > > Hunk #2 succeeded at 634 (offset 14 lines).
> > > Hunk #3 succeeded at 1621 (offset 2 lines).
> > > Hunk #4 succeeded at 1684 (offset 14 lines).
> > > Hunk #5 FAILED at 1697.
> > > 2 out of 5 hunks FAILED -- saving rejects to
> file
> > > src/structs.h.rej
> > > 
> > > This means that two hunks (parts) of the patch
> > > failed to patch src/structs.h 
> > > at around lines 594 and 1697.  Now look at the
> > > src/structs.h.rej which 
> > > should look like this:
> > > 
> > > ***
> > > *** 594,599 
> > > int pipeline_prefetch;
> > > int request_entities;
> > > int detect_broken_server_pconns;
> > >   } onoff;
> > >   acl *aclList;
> > >   struct {
> > > --- 594,604 
> > > int pipeline_prefetch;
> > > int request_entities;
> > > int detect_broken_server_pconns;
> > > + #if FOLLOW_X_FORWARDED_FOR
> > > +int acl_uses_indirect_client;
> > > +int delay_pool_uses_indirect_client;
> > > +int log_uses_indirect_client;
> > > + #endif /* FOLLOW_X_FORWARDED_FOR */
> > >   } onoff;
> > >   acl *aclList;
> > >   struct {
> > > ***
> > > *** 1681,1686 
> > >   char *peer_login; /* Configured
> peer
> > > login:password */
> > >   time_t lastmod;   /* Used on
> > refreshes
> > > */
> > >   const char *vary_headers; /* Used when
> > varying
> > > entities are detected. 
> > > Chan
> > > ges how the store key is calculated */
> > >   };
> > > 
> > >   struct _cachemgr_passwd {
> > > --- 1697,1707 
> > >   char *peer_login; /* Configured
> peer
> > > login:password */
> > >   time_t lastmod;   /* Used on
> > refreshes
> > > */
> > >   const char *vary_headers; /* Used when
> > varying
> > > entities are detected. 
> > > Chan
> > > ges how the store key is calculated */
> > > + #if FOLLOW_X_FORWARDED_FOR
> > > + /* XXX a list of IP addresses would be a
> > > better data structure
> > > +  * than this String */
> > > + String x_forwarded_for_iterator;
> > > + #endif /* FOLLOW_X_FORWARDED_FOR */
> > >   };
> > > 
> > >   struct _cachemgr_passwd {
> > > 
> > > As you can see the patch has found some 'issues'
> > on
> > > line 594 where it was 
> > > expecting something that it did not find.  No
> > > problem, just open 
> > > src/structs.h with 'vi' and go to line 594 and
> > > locate the line:
> > > 
> > > int detect_broken_server_pconns;
> > > 
> > > which should be somewhere around there.
> > > now insert the following as described by the
> .rej
> > > file (remove the + which 
> > > means ADD)
> > > 
> > > #if FOLLOW_X_FORWARDED_FOR
> > > int acl_uses_indirect_client;
> > > int delay_pool_uses_indirect_client;
> > > int log_uses_indirect_client;
> > > #endif /* FOLLOW_X_FORWARDED_FOR */
> > > 
> > > so around line 594 you should now have:
> > > 
> > > int detect_broken_server_pconns;
> > > #if FOLLOW_X_FORWARDED_FOR
> > > int acl_uses_indirect_client;
> > > int delay_pool_uses_indirect_client;
> > > int log_uses_indirect_client;
> > > #endif /* FOLLOW_X_FORWARDED_FOR */
> > > int balance_on_multiple_ip;
> > > int relaxed_header_parser;
> > > int accel_uses_host_header;
> > > int accel_no_pmtu_disc;
> > > } onoff;
> > > acl *aclList;
> > > 
> > > OK, let's now go to line 1697 (more or less
> since
> > we
> > > have just added a few 
> > > lines around 594)
> > > locate the line:
> > > 
> > > const char *vary_headers; /* Used when varying
> > > entities are detected. Chan 
> > > ges how the store key is calculated */
> > > 
> > > which should be somewhere around there.
> > > now insert the following as described by the
> .rej
> > > file (remove the + which 
> > > means ADD)
> > > 
> > > #if FOLLOW_X_FORWARDED_FOR
> > >  /* XXX a list of IP addresses w

Re: [squid-users] x-forwarded-for patch for squid-2.5.Stable11

2005-10-14 Thread Kenneth Oncinian

Sarav,

Same here, until stable10, I can apply the rejects manually, but it
doesn't work with stable11 anymore.


regards,
Kenneth

>
>
> Anybody got success this patch with squid-2.5.STABLE11? Pls help
> me.
>
> Sarav
>
>
>
>



--

Kenneth P. Oncinian
Network Administrator
Panasonic Communications Philippines Corporation
Information Systems Division - Network and Systems Group
--
PGP Public Key: http://m.1asphost.com/koncinian/koncinian.gnupg.key



[squid-users] [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!

2013-08-09 Thread Michael Graham
Hi all,

I've had a look at this issue and I believe I have found the problem.
Just to recap I have:

follow_x_forwarded_for allow localhost
acl forwardTrafficSubnet1 src 172.21.120.0/24
cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
never_direct deny forwardTrafficSubnet1
cache_peer_access 172.21.120.24 allow all
never_direct allow all

In the squid.conf but all traffic forwarded for 172.21.120.0/24
addresses get sent to the upstream proxy.

I found that this patch resolves the issue:

=== modified file 'src/neighbors.cc'
--- src/neighbors.cc2013-06-07 04:35:25 +
+++ src/neighbors.cc2013-08-09 15:25:57 +
@@ -204,7 +204,11 @@
 return do_ping;
 
 ACLFilledChecklist checklist(p->access, request, NULL);
+#ifdef FOLLOW_X_FORWARDED_FOR
+checklist.src_addr = request->indirect_client_addr;
+#else
 checklist.src_addr = request->client_addr;
+#endif
 checklist.my_addr = request->my_addr;
 
 return (checklist.fastCheck() == ACCESS_ALLOWED);
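
Review bot: the added `#ifdef FOLLOW_X_FORWARDED_FOR` branch assigns `request->indirect_client_addr` unconditionally, so any build with the feature compiled in would evaluate `cache_peer_access` against an address taken from X-Forwarded-For even when the administrator has not opted in to indirect addresses for ACLs. The assignment should be gated on the `acl_uses_indirect_client` flag (the `onoff` member shown in the structs.h excerpt elsewhere on this page) and fall back to `request->client_addr` otherwise. The other FOLLOW_X_FORWARDED_FOR guards on this page use `#if` rather than `#ifdef`; if the build defines the macro to 0 when the feature is off, `#ifdef` would still take this branch, so `#if` is the safer form here. It is also worth confirming whether the `ACLFilledChecklist` constructor already sets `src_addr` from `request`, in which case the right fix may be to drop the override rather than add a second one.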

Cheers,
-- 
Michael Graham 




[squid-users] Re: [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!

2013-08-09 Thread babajaga
Back to original squid.conf:

Instead of
follow_x_forwarded_for allow localhost
acl forwardTrafficSubnet1 src 172.21.120.0/24
cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
never_direct deny forwardTrafficSubnet1
cache_peer_access 172.21.120.24 allow all
never_direct allow all 

I would use 

follow_x_forwarded_for allow localhost
acl forwardTrafficSubnet1 src 172.21.120.0/24
cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
always_direct allow forwardTrafficSubnet1
#never_direct deny forwardTrafficSubnet1 Looks like double negation: NOT
Never-DIRECT
cache_peer_access 172.21.120.24 allow all
never_direct allow all 



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/X-Forwarded-For-and-cache-peer-access-tp4661082p4661506.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!

2013-08-09 Thread Amos Jeffries

On 10/08/2013 3:42 a.m., Michael Graham wrote:

Hi all,

I've had a look at this issue and I believe I have found the problem.
Just to recap I have:

follow_x_forwarded_for allow localhost
acl forwardTrafficSubnet1 src 172.21.120.0/24
cache_peer 172.21.120.24 parent 8881 0 proxy-only no-query
cache_peer_access 172.21.120.24 deny forwardTrafficSubnet1
never_direct deny forwardTrafficSubnet1
cache_peer_access 172.21.120.24 allow all
never_direct allow all

In the squid.conf but all traffic forwarded for 172.21.120.0/24
addresses get sent to the upstream proxy.

I found that this patch resolves the issue:

=== modified file 'src/neighbors.cc'
--- src/neighbors.cc2013-06-07 04:35:25 +
+++ src/neighbors.cc2013-08-09 15:25:57 +
@@ -204,7 +204,11 @@
  return do_ping;
  
  ACLFilledChecklist checklist(p->access, request, NULL);

+#ifdef FOLLOW_X_FORWARDED_FOR
+checklist.src_addr = request->indirect_client_addr;
+#else
  checklist.src_addr = request->client_addr;
+#endif
  checklist.my_addr = request->my_addr;
  
  return (checklist.fastCheck() == ACCESS_ALLOWED);


Cheers,


Er. What Squid version are you using?

The checklist() constructor pulls those details out of the request 
object itself in the current Squid versions.


And the correct patch is to add:

#if FOLLOW_X_FORWARDED_FOR
if (Config.onoff.acl_uses_indirect_client)
src_addr = request->indirect_client_addr;
else
#endif /* FOLLOW_X_FORWARDED_FOR */
src_addr = request->client_addr;

Amos


Re: [squid-users] [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!

2013-08-12 Thread Michael Graham
On Sat, 2013-08-10 at 14:27 +1200, Amos Jeffries wrote:
> Er. What Squid version are you using?
> 
> The checklist() constructor pulls those details out of the request 
> object itself in the current Squid versions.

The patch I provided was from trunk in the bazaar repo, but I'm actually
running squid 3.3.6 (with the 2 recent security patches added) both of
which set the checklist.src_addr after calling checklist().

> And the correct patch is to add:
> 
> #if FOLLOW_X_FORWARDED_FOR
>  if (Config.onoff.acl_uses_indirect_client)
>  src_addr = request->indirect_client_addr;
>  else
> #endif /* FOLLOW_X_FORWARDED_FOR */
>  src_addr = request->client_addr;
> 
> Amos

Thanks, I'll update the patch I am using.

-- 
Michael Graham 




[squid-users] Re: [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!

2013-08-23 Thread David Isaacs
Amos,

I've also come across what Michael identified. This is actually a bug,
right? The checklist() constructor initialises checklist.src_addr correctly
based on acl_uses_indirect_client but it is then overridden with the
request's "true" client_addr by the calling function. 

I filed it as #3895
http://bugs.squid-cache.org/show_bug.cgi?id=3895








Re: [squid-users] Re: [patch] Re: [squid-users] X-Forwarded-For and cache_peer_access -- Fixed!

2013-08-23 Thread Amos Jeffries

On 24/08/2013 5:50 p.m., David Isaacs wrote:

Amos,

I've also come across what Michael identified. This is actually a bug,
right? The checklist() constructor initialises checklist.src_addr correctly
based on acl_uses_indirect_client but it is then overridden with the
request's "true" client_addr by the calling function.

I filed it as #3895
http://bugs.squid-cache.org/show_bug.cgi?id=3895


And applied. It should be in the next releases at the end of this month.

Amos