Re: [squid-users] connection limit and X-Forwarded-For IP

Mon, 12 Apr 2010 05:25:40 -0700 

Mario Remy Almeida wrote:

Hi All,
Recently I configure Squid as reverse proxy for back-end apache server running Drupal. 

acl airarabia_web dstdomain www.airarabia.com
cache_peer 10.4.171.6 parent 80 0 no-query originserver name=airarabia_peer2 round-robin forceddomain=www.airarabia.com default # cache_peer 10.4.171.7 parent 80 0 no-query originserver name=airarabia_peer1 round-robin forceddomain=www.airarabia.com default # not yet implemented 
cache_peer_access airarabia_peer2 allow airarabia_web
cache_peer_access airarabia_peer2 deny all

Problem 1:-
With Apache I had connection Limit of 20 per IP (mod_limitipconn.so)

I need to achieve this with squid reverse proxy.
please let me know if below configurations is correct.
You should not really need this with Squid. FD in Squid are very lightweight and do not block whole threads like they do in Apache. 



===========================
acl connectionLimit maxconn 20


Missing:

  http_access deny connectionLimit


acl airarabia_web dstdomain www.airarabia.com
cache_peer 10.4.171.6 parent 80 0 no-query originserver name=airarabia_peer2 round-robin forceddomain=www.airarabia.com default 
cache_peer_access airarabia_peer2 allow airarabia_web connectionLimit


The above will cause denial if LESS than 20 connections are made.
Seems strange until you consider that connectionLimit is only true when >20 connections are present from a single IP. Which will cause the following line to happen: 


cache_peer_access airarabia_peer2 deny all
===========================

Problem 2:-
After configuring reverse proxy, The apache back-end server gets the IP of the reverse proxy and not of the actual clients. 

Your problem description describes the config:

  forwarded_for on




                   squid.conf
===========================
follow_x_forwarded_for allow airarabia_web
follow_x_forwarded_for deny all
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
===========================
I will work on HOW TO for mod_extract_forwarded, but mean time if someone can verify if the above squid.conf for problem 2 is correct?
It does not match your problem description. It configures Squid to log and run ACL tests based on the remote client IP outside your trusted edge. Useful only for hierarchies and clusters of proxies who need to ignore the internal relay chain in their security tests. 

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.1

Reply via email to