On 22/04/11 02:08, jeffrey j donovan wrote:
Greetings,

I have a transparent squid in a private net with a 1-1 NAT. I'm
trying to get a good understanding of what my clients look like to
the outside. What is the default setting for "forwarded_for" if my
system is running intercept?

"forwarded_for on" is the default for all modes. The client IP *as seen by Squid* is added to the header.

To my understanding, if I leave the
X-Forwarded-For header, my NATted client's IP will be the visible
requestor?

Whatever the client IP making the request was will be noted as the original requestor. The internal "private" IP ranges have no meaning to external viewers. They simply indicate that there was a NAT step.

In the past did we strip that out, or is it something new?

Nothing has changed in Squid. Maybe your config or something outside Squid was playing with it.

Is there a way to have the final request return the global NAT IP of
the client?

There is no such global IP for the client, at least for port 80. The client never touches the Internet when intercepted into Squid. This is one of the few benefits of interception.

Squid box is the only public TCP/IP address touching the Internet.

Currently squid seems to be the final, I think. Can
someone clarify this option for me? Thanks -j

192.168.1.2 --->  192.168.1.1[ squid]10.10.10.1 -- 10.10.10.2 [ IP
NAT ] -- GLOBAL


Correct.


forwarded_for New setting options. transparent, truncate, delete.

If set to "transparent", Squid will not alter the X-Forwarded-For
header in any way.

If set to "delete", Squid will delete the entire X-Forwarded-For
header.

If set to "truncate", Squid will remove all existing X-Forwarded-For
entries, and place itself as the sole entry.


... as you cut-n-pasted from the documentation, that is what it does.

The "place itself as the sole entry" was incorrect. Fixed in recent releases to be "place the client IP as the sole entry"


Going back to your initial goal "get a good understanding of what my clients look like to the outside"...

The "outside" all see Squid's global IP connecting to them and making requests. For smart web services that attempt to use advanced transfer features, they see the Via: header indicating the client and Squid capabilities, so nothing breaks halfway back. For smart security systems that attempt IP-based security (the ones that do it well anyway), they see the X-Forwarded-For header with a group of identifiers that can be combined to classify different end clients apart.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
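
The forwarded_for modes discussed in this thread, as an added example that is not part of the original message and is not Squid's own code: a small model of the header Squid sends upstream in each mode, and of what an origin server can derive from it. The function names, the peer address 203.0.113.10 and the pre-existing header entry are constructed for illustration; 192.168.1.2 is the client from the diagram above.

```python
import ipaddress

MODES = ("on", "transparent", "truncate", "delete")  # modes named in the thread

def squid_forwarded_for(mode, incoming_xff, client_ip):
    """Model of the X-Forwarded-For value sent upstream (hypothetical helper).

    incoming_xff: header value received from the client, or None.
    client_ip: the client address as seen by Squid.
    Returns the outgoing header value, or None when no header is sent.
    """
    if mode == "on":           # default: client IP is added to the header
        return f"{incoming_xff}, {client_ip}" if incoming_xff else client_ip
    if mode == "transparent":  # header is not altered in any way
        return incoming_xff
    if mode == "truncate":     # existing entries removed, client IP is sole entry
        return client_ip
    if mode == "delete":       # entire header removed
        return None
    raise ValueError(f"mode not covered by this model: {mode}")

def origin_view(peer_ip, xff):
    """What an origin server has to work with: TCP peer plus parsed XFF chain."""
    chain = []
    for token in (xff or "").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            private = ipaddress.ip_address(token).is_private
        except ValueError:
            private = None     # entry is not an IP address
        chain.append((token, private))
    # A private-range entry only tells the outside that a NAT step exists.
    # Entries before the last one in "on" mode were supplied by the client.
    return {"peer": peer_ip, "chain": chain,
            "nat_step": any(p for _, p in chain)}

def views_for_client(client_ip="192.168.1.2", squid_public="203.0.113.10",
                     incoming_xff=None):
    """Origin-side view of one intercepted request under every mode."""
    return {m: origin_view(squid_public,
                           squid_forwarded_for(m, incoming_xff, client_ip))
            for m in MODES}

if __name__ == "__main__":
    for mode, view in views_for_client(incoming_xff="1.2.3.4").items():
        print(f"forwarded_for {mode:<11} -> {view}")
```

In every mode the peer address is the same, which is the point made above: only the Squid box touches the Internet, and the header is the only place the internal client shows up.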
