Date:      Tue, 11 Dec 2001 18:18:59 -0800 (PST)
From:      Kelly Yancey <kbyanc@posi.net>
To:        Tom Peck <tom@masaclaw.co.nz>
Cc:        Julian Elischer <julian@elischer.org>, freebsd-net@FreeBSD.ORG
Subject:   RE: 1 IP - 1 Firewall - 2 Webservers
Message-ID:  <Pine.BSF.4.21.0112111805160.30401-100000@gateway.posi.net>
In-Reply-To: <5.1.0.14.2.20011212123256.02871e50@mail.masaclaw.co.nz>

On Wed, 12 Dec 2001, Tom Peck wrote:

> Hi Julian
> 
> Yes, we currently have Squid serving this purpose - but as I stated in my 
> first email, ALL incoming Client IP's and Addresses are always that of the 
> GATEWAY_BOX - so for website security and logs, this isn't the best 
> option..  I have yet to try Apache, but I have heard it acts in the same 
> way - can someone clarify this?
> 
> Thanks
> 
> Tom
> 

  I have to apologize, I deleted the original post, but as I recall you have
the actual forwarding working dandy. The only concern, which everyone has
failed to address, is that you want the NAT'ed web servers to know the
originating IP address for logging and IP-based security. Obviously, the
reason you don't have this now is that the originating request is intercepted
by squid on your gateway machine, which then issues a request to one of the
internal web servers using its "inside" IP address on the originator's
behalf. Your web server only ever sees the proxy's IP address.
  The question, then, is how to communicate the originator's IP address to the
web server. I haven't answered previously because I'm no squid expert, but
here is the solution that comes to my head:

  You could hack squid (assuming it doesn't have a knob to do it already) to
include the originating IP address as an HTTP header in the proxied
request. Then, modify your apps on the web server to fetch the IP address from
this header (i.e. via environment variable) as opposed to using the value the
web server populates REMOTE_HOST with. However, the IP address in web server
logs will still be that of the proxy unless you teach the web server to
extract the IP from the new header.
  Of course, if you have the source to your web server (i.e. apache) then you
could teach it to populate REMOTE_HOST with the IP address obtained from the
squid-supplied header also and have it be transparent to your apps.

  All that said, you would have to take extra precautions in squid to not allow
remote clients to supply the header themselves (i.e. to replace the header if
it exists and add it if it doesn't), but this should be pretty
straightforward.

  I hope that answers your question (assuming I am remembering it correctly
:) ). Good luck!

  Kelly

--
Kelly Yancey  -  kbyanc@{posi.net,FreeBSD.org}
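The two halves of the scheme Kelly outlines (the proxy stamping the originating address into a header it always overwrites, and the web server only believing that header when the request really came through the proxy) are shown below as an added illustration. This is not Squid or Apache code and is not part of the thread; it assumes the header is named X-Forwarded-For (the message leaves the name open) and that the gateway's inside address is 192.168.1.1, both of which are assumptions, and the sample request is constructed.

```python
import ipaddress

# Header carrying the originating client address. The message leaves the
# name open; X-Forwarded-For is assumed here as the conventional choice.
ORIGIN_HEADER = "X-Forwarded-For"


def proxy_headers(client_ip, client_headers):
    """Headers the proxy sends on to the internal web server.

    Whatever the remote client sent under ORIGIN_HEADER is discarded
    (compared case-insensitively) and replaced by the address the proxy
    itself observed, so a client cannot pick the value the web server
    will log or make an IP-based decision on.
    """
    forwarded = {}
    for name, value in client_headers.items():
        if name.lower() == ORIGIN_HEADER.lower():
            continue  # replace rather than append: drop the client's copy
        forwarded[name] = value
    forwarded[ORIGIN_HEADER] = client_ip
    return forwarded


def remote_host(peer_ip, headers, trusted_proxies):
    """Address a backend app should use in place of REMOTE_HOST.

    The header is honoured only when the TCP peer is one of the proxies
    known to rewrite it. For a direct connection, a missing header, or
    a value that does not parse as an IP address, the peer address is
    returned unchanged.
    """
    if peer_ip not in trusted_proxies:
        return peer_ip
    value = None
    for name, v in headers.items():
        if name.lower() == ORIGIN_HEADER.lower():
            value = v.strip()
            break
    if value is None:
        return peer_ip
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return peer_ip


# Constructed sample: a client that tries to supply the header itself.
SPOOFED_REQUEST = {"Host": "www.example.com", "x-forwarded-for": "10.0.0.1"}
PROXY_INSIDE_IP = "192.168.1.1"   # assumed inside address of the gateway
TRUSTED_PROXIES = {PROXY_INSIDE_IP}


def demo():
    """Walk one request through the proxy and into the backend."""
    forwarded = proxy_headers("203.0.113.7", SPOOFED_REQUEST)
    # Backend sees the proxy as its peer, so the rewritten header is used.
    via_proxy = remote_host(PROXY_INSIDE_IP, forwarded, TRUSTED_PROXIES)
    # Same spoofed request arriving directly: header is ignored.
    direct = remote_host("198.51.100.9", SPOOFED_REQUEST, TRUSTED_PROXIES)
    return forwarded, via_proxy, direct


if __name__ == "__main__":
    print(demo())
```

The trusted-proxy check in `remote_host` is what keeps the header from becoming a liability once the web server starts reading it: the proxy overwriting the header protects proxied requests, but any path that reaches the web server without passing through the proxy would otherwise let the client set its own "originating" address.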

