Dayo Adewunmi wrote:
Hi

How do I use `follow_x_forwarded_for` to allow the X-Forwarded-For header for all IPs in my LAN 192.168.0.0/21? They all go through the squid proxy, 192.168.0.1.
Thanks

Dayo


Consider: Are 192.168.0.0/21 all proxies which you trust not to forge the header?


follow_x_forwarded_for is for chained proxies to define a "zone" of proxies which it trusts to create XFF headers properly. It then decodes the XFF header and uses the IP which connected to the outermost trusted proxy.

For example:
ISP runs a cluster of public-facing proxies (2, 3, 4, 5, ...) and a cluster of private caches (X, Y, Z). A common setup for load-balanced proxies.

 Client "C" has their own private LAN proxy A.

Now when C connects to the Internet the connection relay chain looks like this:

 C -> A -> (2 or 3) -> Z -> Internet



The ISP caching proxy Z can use this:

  acl isp src 2 3 4 5 ... X Y Z
  follow_x_forwarded_for allow isp
  follow_x_forwarded_for deny all


... to decode the XFF header, skipping the entry for (2 or 3), and determine that as far as the ISP is concerned A is the client connecting in.

The IP of A is what then gets logged and ACL-tested at Z instead of the IP for 2, 3, 4, 5 etc., which for Z will always be the ones making the direct TCP connections in.

It's a bit of safety to prevent ISP situations like this falling for spoofed XFF headers. For example, if the client was using "1" to forge an XFF header claiming the "C" IP was the same as "2", which might be allowed unlimited access.


If you only have one proxy or one layer, i.e. you are the "A" here, then you do not need to bother with follow_x_forwarded_for at all.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.1
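
The walk that Amos describes (start from the TCP peer, and keep stepping one XFF entry towards the client only while the address that inserted the current entry is inside the trusted ACL) is small enough to model directly. The following Python is an added example for this thread, not Squid source and not code from either poster; it reproduces the chain `C -> A -> (2 or 3) -> Z` with constructed addresses (203.0.113.x for the ISP proxies and caches, 198.51.100.10 for the customer proxy A, 192.168.1.50 for C) and then goes one step beyond the post to show what happens if the whole 192.168.0.0/21 LAN from the original question is placed in the allow ACL: any host on that LAN can then name an arbitrary client address and Squid will log and ACL-test that address instead of the real one.

```python
"""Model of Squid's follow_x_forwarded_for trusted-proxy walk.

Added example for the squid-users thread above; it is not Squid code.
All addresses below are constructed for the example:

    ISP public-facing proxies 2,3,4,5 -> 203.0.113.2 .. 203.0.113.5
    ISP private caches X,Y,Z          -> 203.0.113.24 .. 203.0.113.26
    customer LAN proxy A              -> 198.51.100.10
    client C behind A                 -> 192.168.1.50
"""
import ipaddress
from typing import Iterable, List

# Equivalent of:  acl isp src 2 3 4 5 ... X Y Z
#                 follow_x_forwarded_for allow isp
#                 follow_x_forwarded_for deny all
ISP_TRUSTED: List[str] = [
    "203.0.113.2", "203.0.113.3", "203.0.113.4", "203.0.113.5",
    "203.0.113.24", "203.0.113.25", "203.0.113.26",
]


def _in_any(ip: str, nets: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True if ip parses and falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. "unknown", which XFF permits as a hop value
        return False
    return any(addr in n for n in nets)


def indirect_client(peer_ip: str, xff_header: str, trusted: Iterable[str]) -> str:
    """Return the address Squid would treat as the client.

    peer_ip    - the address of the TCP peer that connected to us
    xff_header - raw X-Forwarded-For value ("" if the header is absent)
    trusted    - hosts/networks matching `follow_x_forwarded_for allow`

    XFF is appended left-to-right as the request passes each proxy, so the
    rightmost entry was inserted by peer_ip. We only believe an entry if the
    hop that inserted it is trusted; the first untrusted hop is the client.
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    client = peer_ip
    while hops and _in_any(client, nets):
        candidate = hops.pop()          # entry inserted by `client`
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                        # unparseable hop: stop walking
        client = candidate
    return client


def demo() -> None:
    # Amos's chain as seen at Z: proxy 2 connects, XFF carries "C, A".
    print(indirect_client("203.0.113.2", "192.168.1.50, 198.51.100.10", ISP_TRUSTED))
    # Untrusted host connects straight to Z claiming to be proxy 2: ignored.
    print(indirect_client("198.51.100.99", "203.0.113.2", ISP_TRUSTED))
    # Trusting the whole LAN from the question: any LAN host picks its "client".
    print(indirect_client("192.168.3.7", "203.0.113.50", ["192.168.0.0/21"]))


if __name__ == "__main__":
    demo()
```

The third call in `demo()` is the answer to Amos's "Consider:" question: with `192.168.0.0/21` in the allow ACL, a host at 192.168.3.7 that sends `X-Forwarded-For: 203.0.113.50` is logged and ACL-tested as 203.0.113.50. Only addresses that are themselves proxies you control belong in that ACL; a single-layer proxy in front of end-user machines needs no `follow_x_forwarded_for` lines at all.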
