Date: Tue, 11 Dec 2001 18:36:30 -0800 (PST)
From: Kelly Yancey <kbyanc@posi.net>
To: Tom Peck <tom@masaclaw.co.nz>
Cc: Julian Elischer <julian@elischer.org>, freebsd-net@FreeBSD.ORG
Subject: RE: 1 IP - 1 Firewall - 2 Webservers
Message-ID: <Pine.BSF.4.21.0112111828030.30401-100000@gateway.posi.net>
In-Reply-To: <Pine.BSF.4.21.0112111805160.30401-100000@gateway.posi.net>
A quick search of google revealed that there is an apache module for this
specific purpose: http://web.systhug.com/mod_extract_forwarded/. So, if you
are using apache, this appears to do everything you need on the web-server
side.

You might want to also look at the squid FAQ:
http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.17

Kelly

--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org}

On Tue, 11 Dec 2001, Kelly Yancey wrote:

> On Wed, 12 Dec 2001, Tom Peck wrote:
>
> > Hi Julian
> >
> > Yes, we currently have Squid serving this purpose - but as I stated in my
> > first email, ALL incoming Client IP's and Addresses are always that of the
> > GATEWAY_BOX - so for website security and logs, this isn't the best
> > option. I have yet to try Apache, but I have heard it acts in the same
> > way - can someone clarify this?
> >
> > Thanks
> >
> > Tom
> >
>
> I have to apologize, I deleted the original post, but as I recall you have
> the actual forwarding working dandy. The only concern, which everyone has
> failed to address, is that you want the NAT'ed web servers to know the
> originating IP address for logging and IP-based security. Obviously, the
> reason you don't have this now is that the originating request is intercepted
> by squid on your gateway machine, which then issues a request to one of the
> internal web servers using its "inside" IP address on the originator's
> behalf. Your web server only ever sees the proxy's IP address.
>
> The question, then, is how to communicate the originator's IP address to the
> web server. I haven't answered previously because I'm no squid expert, but
> here is the solution that comes to my head:
>
> You could hack squid (assuming it doesn't have a knob to do it already) to
> include the originating IP address as a HTTP header in the proxied
> request. Then, modify your apps on the web server to fetch the IP address from
> this header (i.e. via environment variable) as opposed to using the value the
> web server populates REMOTE_HOST with. However, the IP address in web server
> logs will still be that of the proxy unless you teach the web server to
> extract the IP from the new header.
>
> Of course, if you have the source to your web server (i.e. apache) then you
> could teach it to populate REMOTE_HOST with the IP address obtained from the
> squid-supplied header also and have it be transparent to your apps.
>
> All that said, you would have to take extra precautions in squid to not allow
> remote clients to supply the header themselves (i.e. to replace the header if
> it exists and add it if it doesn't), but this should be pretty
> straightforward.
>
> I hope that answers your question (assuming I am remembering it correctly
> :) ). Good luck!
>
> Kelly
>
> --
> Kelly Yancey - kbyanc@{posi.net,FreeBSD.org}
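The scheme discussed in the quoted message has two halves: the proxy puts the originating address into a header, and the web server reads it back for logging and IP-based access control. The security point Kelly raises at the end is the one that matters in practice: the proxy must overwrite any copy of that header a remote client sent, and the web server must believe the header only when the request arrived directly from the proxy, otherwise a client can pick whatever "originating IP" it likes. The following is an added worked example of both halves written in Python; it is not code from this thread, from squid, or from mod_extract_forwarded. The header name X-Forwarded-For and the proxy's inside address 10.0.0.1 are assumptions chosen for the example, as are the sample requests.

```python
"""
Client-IP forwarding between a proxy and the web servers behind it.

  proxy_rewrite_headers()  - what the proxy does on every forwarded request:
                             drop any client-supplied forwarding header and
                             set it to the real TCP peer address.
  resolve_client_ip()      - what the web server does: trust the forwarding
                             header only when the direct peer is a known
                             proxy, otherwise fall back to the peer address.

Header name and proxy address below are assumptions for this example.
"""
from ipaddress import ip_address, ip_network

FORWARDED_HEADER = "X-Forwarded-For"            # assumption: conventional name
TRUSTED_PROXIES = [ip_network("10.0.0.1/32")]   # assumption: gateway's inside IP


def _find_header(headers, name):
    """Return the value of header `name`, matched case-insensitively."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def proxy_rewrite_headers(headers, peer_ip):
    """Headers as the proxy should forward them.

    Every client-supplied copy of the forwarding header is removed (whatever
    its letter case) and the header is set to the address the proxy actually
    accepted the connection from, so a remote client cannot smuggle a value
    through to the web server.
    """
    cleaned = {k: v for k, v in headers.items()
               if k.lower() != FORWARDED_HEADER.lower()}
    cleaned[FORWARDED_HEADER] = peer_ip
    return cleaned


def _is_trusted_proxy(peer_ip):
    try:
        addr = ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(headers, peer_ip):
    """The address the web server should log and apply IP rules to.

    The forwarding header is honoured only when the request came straight
    from a trusted proxy. A request that reached the server by any other
    path, or whose header value is not a single well-formed address, yields
    the TCP peer address instead, so the worst case is a proxy IP in the
    logs, never an attacker-chosen one.
    """
    if not _is_trusted_proxy(peer_ip):
        return peer_ip
    value = _find_header(headers, FORWARDED_HEADER)
    if value is None:
        return peer_ip
    # If a proxy ever appends rather than overwrites, the rightmost entry is
    # the one added by the trusted hop; take that and validate it strictly.
    candidate = value.split(",")[-1].strip()
    try:
        ip_address(candidate)
    except ValueError:
        return peer_ip
    return candidate


if __name__ == "__main__":
    # Constructed request: a client at 203.0.113.7 tries to claim 198.51.100.1.
    client_headers = {"Host": "www.example.com",
                      "x-forwarded-for": "198.51.100.1"}
    forwarded = proxy_rewrite_headers(client_headers, "203.0.113.7")
    print("proxy forwards:", forwarded)
    print("server logs   :", resolve_client_ip(forwarded, "10.0.0.1"))
    # The same spoofed header arriving without the proxy is ignored.
    print("direct request:", resolve_client_ip(client_headers, "203.0.113.7"))
```

The two checks are independent on purpose: even if the proxy's rewrite were ever misconfigured, the web server still refuses the header from any peer that is not the gateway, and even if a second path to the web servers appeared, the proxy still never relays a client's own value.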