Re: testing squid-3.1.0.15 - X-Forwarded-For problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 13 Jan 2010 11:16:54 +1300

Eduardo Maia wrote:
> Hello,
>
> I'm testing squid-3.1.0.15 on a 64-bit Mandriva 2009 clone. It seems
> that Squid cannot see the "X-Forwarded-For" header correctly.
>
> All logs have the correct IP (x-forwarded), but the function
> authenticateAuthUserAddIp doesn't see the forwarded IP:
>
> /var/log/squid/cache.log:
> 2010/01/12 16:18:38.468| authenticateAuthUserAddIp: user 'administrator'
> has been seen at a new IP address (127.0.0.1:4917)
>
> In the log file /var/log/squid/access.log all lines have the correct IP
> instead of 127.0.0.1
>
>
> authenticateAuthUserAddIp is used by the authenticate_ip_ttl config
>
> authenticate_ip_ttl 2 hours
> acl maxuser max_user_ip -s 1
> http_access deny maxuser
>
>
>
> because the proxy will have authentication and the users cannot be
> logged in on two machines at the same time.
>
>
> The configuration is:
>
> Dansguardian (port 8080) -> Squid (port 3128)
>
> I enabled forwardedfor on Dansguardian
>
> If I connect directly to Squid I have:
> 2010/01/12 13:24:56.056| authenticateAuthUserAddIp: user 'administrator'
> has been seen at a new IP address (172.31.3.25:3609)
>
>
> [root_at_demo squid]# squid -v
> Squid Cache: Version 3.1.0.15
> configure options: '--build=x86_64-caixamagica-linux-gnu'
> '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/sbin'
> '--sbindir=/usr/sbin' '--sysconfdir=/etc/squid' '--datadir=/usr/share'
> '--includedir=/usr/include' '--libdir=/usr/lib64'
> '--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
> '--sharedstatedir=/usr/com' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--x-includes=/usr/include'
> '--x-libraries=/usr/lib64' '--enable-shared=yes' '--enable-static=no'
> '--enable-xmalloc-statistics' '--enable-carp' '--enable-async-io'
> '--enable-storeio=aufs,diskd,ufs'
> '--enable-disk-io=AIO,Blocking,DiskDaemon,DiskThreads'
> '--enable-removal-policies=heap,lru' '--enable-icmp'
> '--enable-delay-pools' '--disable-esi' '--enable-icap-client'
> '--enable-useragent-log' '--enable-referer-log' '--enable-wccp'
> '--enable-wccpv2' '--disable-kill-parent-hack' '--enable-snmp'
> '--enable-cachemgr-hostname=localhost' '--enable-arp-acl'
> '--with-logdir=/home/aprna/rpmbuild/BUILDROOT/squid-3.1.0.15-1.1xcm14.x86_64/var/log/squid'
> '--enable-htcp' '--enable-ssl' '--enable-forw-via-db'
> '--enable-cache-digests' '--disable-poll' '--enable-epoll'
> '--enable-linux-netfilter' '--disable-ident-lookups'
> '--enable-default-hostsfile=/etc/hosts'
> '--enable-auth=basic,digest,negotiate,ntlm'
> '--enable-basic-auth-helpers=getpwnam,LDAP,MSNT,multi-domain-NTLM,NCSA,PAM,SMB,YP,SASL,POP3,DB,squid_radius_auth'
> '--enable-ntlm-auth-helpers=fakeauth,no_check,smb_lm'
> '--enable-digest-auth-helpers=password,ldap,eDirectory'
> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
> '--with-default-user=squid' '--with-pthreads' '--with-dl'
> '--with-openssl=/usr' '--with-large-files'
> '--with-build-environment=default' '--with-filedescriptors=8192'
> 'build_alias=x86_64-caixamagica-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wformat
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all
> -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64' 'LDFLAGS= -Wl,--as-needed
> -Wl,--no-undefined -Wl,-z,relro' 'CPPFLAGS=-I/usr/include/openssl '
> 'CXXFLAGS=-O2 -g -pipe -Wformat -Werror=format-security
> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
> --param=ssp-buffer-size=4 -fstack-protector-all -D_LARGEFILE64_SOURCE
> -D_FILE_OFFSET_BITS=64'
> --with-squid=/home/aprna/rpmbuild/BUILD/squid-3.1.0.15
> --enable-ltdl-convenience
> [root_at_demo squid]#
>
>
> If you want more information, please let me know.
>
>
> Thank you.
>
> Best regards,
> Eduardo Maia
>

Thank you for this information.

Do you have any follow_x_forwarded_for configuration lines configured?
If so, could you please list them and the ACL definitions used.

I'm aware of several problems with the follow-x-forwarded-for feature and
planning to work on them in the coming weeks.
If it's not fixed with 3.1.0.16 give me a poke.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
   Current Beta Squid 3.1.0.15
Received on Tue Jan 12 2010 - 22:17:02 MST
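
A check for the symptom reported in this thread, as an added example that is not part of the original messages or of Squid: it parses the authenticateAuthUserAddIp lines from cache.log and lists users whose only recorded address is the front-end proxy's, in which case max_user_ip -s 1 is counting the proxy rather than the users' machines. The function names, the loopback proxy address list and the 'guest' log line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# The cache.log message quoted in the thread (a single line in the real log).
SEEN_RE = re.compile(
    r"authenticateAuthUserAddIp: user '(?P<user>[^']*)' "
    r"has been seen at a new IP address \((?P<ip>[^()]+):\d+\)"
)

def audit_user_ips(lines, proxy_addrs=("127.0.0.1", "::1")):
    """Map each user to the addresses Squid recorded, split into proxy/client.

    proxy_addrs is an assumption: the front-end filter runs on the Squid host
    and therefore connects from loopback.
    """
    proxies = {ipaddress.ip_address(a) for a in proxy_addrs}
    seen = defaultdict(lambda: {"proxy": set(), "client": set()})
    for line in lines:
        m = SEEN_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip").strip("[]"))
        except ValueError:
            continue  # not an IP literal; ignore the line
        seen[m.group("user")]["proxy" if ip in proxies else "client"].add(str(ip))
    return dict(seen)

def tracked_by_proxy_only(report):
    """Users whose only recorded address is the proxy's own."""
    return sorted(u for u, r in report.items() if r["proxy"] and not r["client"])

# First line of each sample is from the thread; the 'guest' line is constructed.
VIA_FILTER = [
    "2010/01/12 16:18:38.468| authenticateAuthUserAddIp: user 'administrator' has been seen at a new IP address (127.0.0.1:4917)",
    "2010/01/12 16:19:02.101| authenticateAuthUserAddIp: user 'guest' has been seen at a new IP address (127.0.0.1:4920)",
]
DIRECT = [
    "2010/01/12 13:24:56.056| authenticateAuthUserAddIp: user 'administrator' has been seen at a new IP address (172.31.3.25:3609)",
]

if __name__ == "__main__":
    for name, log in (("via filter", VIA_FILTER), ("direct", DIRECT)):
        print(name, tracked_by_proxy_only(audit_user_ips(log)))
```

Real cache.log entries are single lines; the wrapped form in the quoted mail comes from the mail client.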
