Date: Tue, 11 Dec 2001 18:26:07 -0800
From: Darcy Buskermolen <darcy@ok-connect.com>
To: Kelly Yancey <kbyanc@posi.net>, Tom Peck <tom@masaclaw.co.nz>
Cc: freebsd-net@FreeBSD.ORG
Subject: RE: 1 IP - 1 Firewall - 2 Webservers
Message-ID: <3.0.32.20011211182606.024ed180@mail.ok-connect.com>
You can configure your cache server to send an X-header with the originating IP, and then use that.

At 06:18 PM 12/11/01 -0800, Kelly Yancey wrote:
>On Wed, 12 Dec 2001, Tom Peck wrote:
>
>> Hi Julian
>>
>> Yes, we currently have Squid serving this purpose - but as I stated in my
>> first email, ALL incoming client IPs and addresses are always that of the
>> GATEWAY_BOX - so for website security and logs, this isn't the best
>> option. I have yet to try Apache, but I have heard it acts in the same
>> way - can someone clarify this?
>>
>> Thanks
>>
>> Tom
>>
>
> I have to apologize, I deleted the original post, but as I recall you have
>the actual forwarding working dandy. The only concern, which everyone has
>failed to address, is that you want the NAT'ed web servers to know the
>originating IP address for logging and IP-based security. Obviously, the
>reason you don't have this now is that the originating request is intercepted
>by squid on your gateway machine, which then issues a request to one of the
>internal web servers using its "inside" IP address on the originator's
>behalf. Your web server only ever sees the proxy's IP address.
>
> The question, then, is how to communicate the originator's IP address to the
>web server. I haven't answered previously because I'm no squid expert, but
>here is the solution that comes to my head:
>
> You could hack squid (assuming it doesn't have a knob to do it already) to
>include the originating IP address as an HTTP header in the proxied
>request. Then, modify your apps on the web server to fetch the IP address from
>this header (i.e. via environment variable) as opposed to using the value the
>web server populates REMOTE_HOST with. However, the IP address in web server
>logs will still be that of the proxy unless you teach the web server to
>extract the IP from the new header.
> Of course, if you have the source to your web server (i.e. apache) then you
>could teach it to populate REMOTE_HOST with the IP address obtained from the
>squid-supplied header also and have it be transparent to your apps.
>
> All that said, you would have to take extra precautions in squid to not allow
>remote clients to supply the header themselves (i.e. to replace the header if
>it exists and add it if it doesn't), but this should be pretty
>straightforward.
>
> I hope that answers your question (assuming I am remembering it correctly
>:) ). Good luck!
>
> Kelly
>
>--
>Kelly Yancey - kbyanc@{posi.net,FreeBSD.org}
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-net" in the body of the message
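The two halves of the arrangement discussed in this thread (the gateway overwriting any client-supplied originating-IP header, and the web server honouring that header only when the request actually came through the gateway), as an added example that is not code from the thread, from Squid or from Apache. The header name X-Forwarded-For, the gateway address 192.0.2.1 and all request data below are constructed assumptions; the thread itself only says "an X-header".

```python
"""Added example: honouring a proxy-supplied originating-IP header safely.

Constructed scenario (not from the thread): a Squid-style gateway NATs
requests to internal web servers, so the web server's TCP peer is always
the gateway. The gateway carries the real client address in a header, and
the web server trusts that header only when the peer is the gateway.
"""
import ipaddress

# Assumed header name: the thread only says "an X-header"; X-Forwarded-For
# is the conventional choice for this purpose.
ORIGIN_HEADER = "x-forwarded-for"


def proxy_rewrite_headers(headers, client_ip):
    """Gateway side: replace any client-supplied copy of the header.

    Whatever the remote client sent under this name is dropped and the
    address the proxy actually observed is written instead, so an outside
    client cannot choose the value the web server logs or authorises on.
    (This is the "replace it if it exists, add it if it doesn't" rule.)
    """
    forwarded = {k: v for k, v in headers.items() if k.lower() != ORIGIN_HEADER}
    forwarded["X-Forwarded-For"] = client_ip
    return forwarded


def originating_ip(peer_ip, headers, trusted_proxies):
    """Web-server side: decide which address to log / check ACLs against.

    trusted_proxies is a list of CIDR strings. The header is honoured only
    when the TCP peer lies in one of those networks; a direct connection
    (or one from an untrusted host) falls back to the peer address no
    matter what header it carries.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        return peer_ip
    value = next((v for k, v in headers.items() if k.lower() == ORIGIN_HEADER), None)
    if value is None:
        return peer_ip
    # A replacing proxy writes one address; should a chain ever appear,
    # the right-most entry is the one the trusted proxy itself added.
    candidate = value.split(",")[-1].strip()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip  # malformed header: never log attacker-controlled text
    return candidate


def demo():
    """Walk the two paths the thread worries about; returns (via_proxy, direct)."""
    gateway = ["192.0.2.1/32"]  # constructed gateway address
    # The client forges the header before the request reaches the gateway.
    client_headers = {"Host": "www.example.org", "X-Forwarded-For": "10.0.0.1"}
    inside = proxy_rewrite_headers(client_headers, "198.51.100.7")
    via_proxy = originating_ip("192.0.2.1", inside, gateway)
    # The same forged header on a direct connection is ignored.
    direct = originating_ip("203.0.113.9", client_headers, gateway)
    return via_proxy, direct


if __name__ == "__main__":
    print(demo())  # ('198.51.100.7', '203.0.113.9')
```

The design point is that the header is only meaningful in combination with the peer check: a web server that reads X-Forwarded-For unconditionally is back to trusting whatever the remote client chose to send, which is exactly the precaution the thread asks for on the Squid side, applied again on the receiving side.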