From owner-freebsd-net Tue Dec 11 18:25:02 2001
Delivered-To: freebsd-net@freebsd.org
Received: from radius.ok-connect.com (radius.wavefire.com [139.142.95.252]) by hub.freebsd.org (Postfix) with SMTP id A904637B405 for ; Tue, 11 Dec 2001 18:24:58 -0800 (PST)
Received: (qmail 14942 invoked from network); 12 Dec 2001 02:36:09 -0000
Received: from ccliii.caniserv.com (HELO dbitech) (139.142.95.253) by radius.wavefire.com with SMTP; 12 Dec 2001 02:36:09 -0000
Message-Id: <3.0.32.20011211182606.024ed180@mail.ok-connect.com>
X-Sender: darcyb@mail.ok-connect.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 11 Dec 2001 18:26:07 -0800
To: Kelly Yancey , Tom Peck
From: Darcy Buskermolen
Subject: RE: 1 IP - 1 Firewall - 2 Webservers
Cc: freebsd-net@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

You can configure your cache server to send an X-header with the originating IP, and then use that.

At 06:18 PM 12/11/01 -0800, Kelly Yancey wrote:
>On Wed, 12 Dec 2001, Tom Peck wrote:
>
>> Hi Julian
>>
>> Yes, we currently have Squid serving this purpose - but as I stated in my
>> first email, ALL incoming Client IP's and Addresses are always that of the
>> GATEWAY_BOX - so for website security and logs, this isn't the best
>> option. I have yet to try Apache, but I have heard it acts in the same
>> way - can someone clarify this?
>>
>> Thanks
>>
>> Tom
>>
>
> I have to apologize, I deleted the original post, but as I recall you have
>the actual forwarding working dandy. The only concern, which everyone has
>failed to address, is that you want the NAT'ed web servers to know the
>originating IP address for logging and IP-based security. Obviously, the
>reason you don't have this now is that the originating request is intercepted
>by squid on your gateway machine, which then issues a request to one of the
>internal web servers using its "inside" IP address on the originator's
>behalf. Your web server only ever sees the proxy's IP address.
>
> The question, then, is how to communicate the originator's IP address to the
>web server. I haven't answered previously because I'm no squid expert, but
>here is the solution that comes to my head:
>
> You could hack squid (assuming it doesn't have a knob to do it already) to
>include the originating IP address as a HTTP header in the proxied
>request. Then, modify your apps on the web server to fetch the IP address from
>this header (i.e. via environment variable) as opposed to using the value the
>web server populates REMOTE_HOST with. However, the IP address in web server
>logs will still be that of the proxy unless you teach the web server to
>extract the IP from the new header.
>
> Of course, if you have the source to your web server (i.e. apache) then you
>could teach it to populate REMOTE_HOST with the IP address obtained from the
>squid-supplied header also and have it be transparent to your apps.
>
> All that said, you would have to take extra precautions in squid to not allow
>remote clients to supply the header themselves (i.e. to replace the header if
>it exists and add it if it doesn't), but this should be pretty
>straightforward.
>
> I hope that answers your question (assuming I am remembering it correctly
>:) ). Good luck!
>
> Kelly
>
>--
>Kelly Yancey - kbyanc@{posi.net,FreeBSD.org}
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-net" in the body of the message
>
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
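The two halves of the scheme discussed above (the proxy overwriting any client-supplied copy of the header, and the web server believing the header only when the connection really comes from the proxy), as an added example that is not part of the thread. It assumes a proxy inside address of 10.0.0.1 and uses the X-Forwarded-For header name; the thread itself leaves the header name open.

```python
import ipaddress

# Constructed values for this example: the gateway's inside address as the web
# servers see it, and the header that carries the original client address.
PROXY_ADDR = "10.0.0.1"
CLIENT_IP_HEADER = "X-Forwarded-For"


def _get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def proxy_rewrite_headers(headers, peer_ip):
    """Proxy side: drop any copy of the header the remote client sent and set it
    to the address the proxy itself observed, so a client cannot forge it."""
    cleaned = {k: v for k, v in headers.items()
               if k.lower() != CLIENT_IP_HEADER.lower()}
    cleaned[CLIENT_IP_HEADER] = peer_ip
    return cleaned


def effective_client_ip(headers, peer_ip, trusted_proxies=(PROXY_ADDR,)):
    """Web-server side: believe the header only when the TCP peer is a trusted
    proxy and the value parses as an IP address; otherwise keep using the
    peer address, exactly as the server populates REMOTE_HOST today."""
    if peer_ip not in trusted_proxies:
        return peer_ip            # direct connection: the header may be forged
    raw = _get_header(headers, CLIENT_IP_HEADER)
    if raw is None:
        return peer_ip
    # A chained proxy may append addresses; the last one is what our proxy set.
    candidate = raw.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_ip            # garbage in the header: fall back to the peer
```

The resolved address is what the access log and any IP-based access checks should key on; a request that bypasses the proxy and reaches the web server directly still logs as its real peer.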