From owner-freebsd-net Tue Dec 11 18:36:36 2001
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id 4C8DA37B405 for ; Tue, 11 Dec 2001 18:36:32 -0800 (PST)
Received: from attbi.com ([127.0.0.1]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20011212023632.MKP1691.rwcrmhc52.attbi.com@attbi.com>; Wed, 12 Dec 2001 02:36:32 +0000
Received: from gateway.posi.net (12-236-90-177.client.attbi.com[12.236.90.177]) by attbi.com (rwcrmhc52) with ESMTP id <200112120236310520013u1fe>; Wed, 12 Dec 2001 02:36:31 +0000
Received: from localhost (kbyanc@localhost) by gateway.posi.net (8.11.6/8.11.6) with ESMTP id fBC2aU130473; Tue, 11 Dec 2001 18:36:30 -0800 (PST) (envelope-from kbyanc@posi.net)
X-Authentication-Warning: gateway.posi.net: kbyanc owned process doing -bs
Date: Tue, 11 Dec 2001 18:36:30 -0800 (PST)
From: Kelly Yancey
To: Tom Peck
Cc: Julian Elischer , freebsd-net@FreeBSD.ORG
Subject: RE: 1 IP - 1 Firewall - 2 Webservers
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

  A quick search of google revealed that there is an apache module for this
specific purpose: http://web.systhug.com/mod_extract_forwarded/. So, if you
are using apache, this appears to do everything you need on the web-server
side.
  You might want to also look at the squid FAQ:
http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.17

  Kelly

--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org}

On Tue, 11 Dec 2001, Kelly Yancey wrote:

> On Wed, 12 Dec 2001, Tom Peck wrote:
>
> > Hi Julian
> >
> > Yes, we currently have Squid serving this purpose - but as I stated in my
> > first email, ALL incoming Client IP's and Addresses are always that of the
> > GATEWAY_BOX - so for website security and logs, this isn't the best
> > option.. I have yet to try Apache, but I have heard it acts in the same
> > way - can someone clarify this?
> >
> > Thanks
> >
> > Tom
> >
>
>   I have to apologize, I deleted the original post, but as I recall you have
> the actual forwarding working dandy. The only concern, which everyone has
> failed to address, is that you want the NAT'ed web servers to know the
> originating IP address for logging and IP-based security. Obviously, the
> reason you don't have this now is that the originating request is intercepted
> by squid on your gateway machine, which then issues a request to one of the
> internal web servers using its "inside" IP address on the originator's
> behalf. Your web server only ever sees the proxy's IP address.
>   The question, then, is how to communicate the originator's IP address to the
> web server. I haven't answered previously because I'm no squid expert, but
> here is the solution that comes to my head:
>
>   You could hack squid (assuming it doesn't have a knob to do it already) to
> include the originating IP address as a HTTP header in the proxied
> request. Then, modify your apps on the web server to fetch the IP address from
> this header (i.e. via environment variable) as opposed to using the value the
> web server populates REMOTE_HOST with. However, the IP address in web server
> logs will still be that of the proxy unless you teach the web server to
> extract the IP from the new header. Of course, if you have the source to your
> web server (i.e. apache) then you could teach it to populate REMOTE_HOST with
> the IP address obtained from the squid-supplied header also and have it be
> transparent to your apps.
>
>   All that said, you would have to take extra precautions in squid to not allow
> remote clients to supply the header themselves (i.e. to replace the header if
> it exists and add it if it doesn't), but this should be pretty
> straightforward.
>
>   I hope that answers your question (assuming I am remembering it correctly
> :) ). Good luck!
>
>   Kelly
>
> --
> Kelly Yancey - kbyanc@{posi.net,FreeBSD.org}
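The two halves of the scheme Kelly describes above, written out as an added example that is not from the thread, squid, or mod_extract_forwarded: the proxy side always overwrites any client-supplied forwarded-IP header with the address it saw on the connection, and the web-server side honours that header only when the request arrived from a known proxy. The header name X-Orig-Client-IP and the proxy/client addresses are constructed for the example.

```python
from ipaddress import ip_address

# Assumed header name; the thread does not fix one.
FORWARD_HEADER = "X-Orig-Client-IP"


def proxy_outbound_headers(client_ip: str, inbound: dict) -> dict:
    """Proxy side: forward the client's headers, but drop any forwarded-IP
    header the remote client supplied (whatever its letter case) and set our
    own, so the web server only sees the address the proxy itself observed."""
    out = {k: v for k, v in inbound.items()
           if k.lower() != FORWARD_HEADER.lower()}
    out[FORWARD_HEADER] = str(ip_address(client_ip))  # raises on garbage input
    return out


def web_remote_host(peer_ip: str, headers: dict, trusted_proxies) -> str:
    """Web-server side: the value to use where REMOTE_HOST would otherwise be
    the proxy address. The header is trusted only if the TCP peer is one of
    the trusted proxies; anything else, including a malformed value, falls
    back to the peer address the server already knows."""
    if ip_address(peer_ip) not in {ip_address(p) for p in trusted_proxies}:
        return peer_ip
    for name, value in headers.items():
        if name.lower() == FORWARD_HEADER.lower():
            try:
                return str(ip_address(value.strip()))
            except ValueError:
                return peer_ip  # proxy sent junk: do not log or authorise on it
    return peer_ip


if __name__ == "__main__":
    # Constructed request: a client that tried to spoof the header itself.
    client_req = {"Host": "www.example.com", "x-orig-client-ip": "10.0.0.99"}
    forwarded = proxy_outbound_headers("203.0.113.5", client_req)
    print(forwarded)
    # Web server behind the proxy (proxy inside address constructed).
    print(web_remote_host("192.168.1.1", forwarded, ["192.168.1.1"]))
    # Same header arriving directly, not via the proxy: ignored.
    print(web_remote_host("203.0.113.7", client_req, ["192.168.1.1"]))
```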