From owner-freebsd-net Tue Dec 11 18:19:14 2001
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc53.attbi.com (rwcrmhc53.attbi.com [204.127.198.39]) by hub.freebsd.org (Postfix) with ESMTP id 770CE37B405 for ; Tue, 11 Dec 2001 18:19:09 -0800 (PST)
Received: from gateway.posi.net ([12.236.90.177]) by rwcrmhc53.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20011212021909.FHVA8889.rwcrmhc53.attbi.com@gateway.posi.net>; Wed, 12 Dec 2001 02:19:09 +0000
Received: from localhost (kbyanc@localhost) by gateway.posi.net (8.11.6/8.11.6) with ESMTP id fBC2J0830434; Tue, 11 Dec 2001 18:19:00 -0800 (PST) (envelope-from kbyanc@posi.net)
X-Authentication-Warning: gateway.posi.net: kbyanc owned process doing -bs
Date: Tue, 11 Dec 2001 18:18:59 -0800 (PST)
From: Kelly Yancey
To: Tom Peck
Cc: Julian Elischer , freebsd-net@FreeBSD.ORG
Subject: RE: 1 IP - 1 Firewall - 2 Webservers
In-Reply-To: <5.1.0.14.2.20011212123256.02871e50@mail.masaclaw.co.nz>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, 12 Dec 2001, Tom Peck wrote:

> Hi Julian
>
> Yes, we currently have Squid serving this purpose - but as I stated in my
> first email, ALL incoming Client IP's and Addresses are always that of the
> GATEWAY_BOX - so for website security and logs, this isn't the best
> option.. I have yet to try Apache, but I have heard it acts in the same
> way - can someone clarify this?
>
> Thanks
>
> Tom
>

I have to apologize, I deleted the original post, but as I recall you have the actual forwarding working dandy. The only concern, which everyone has failed to address, is that you want the NAT'ed web servers to know the originating IP address for logging and IP-based security.
Obviously, the reason you don't have this now is that the originating request is intercepted by squid on your gateway machine, which then issues a request to one of the internal web servers using its "inside" IP address on the originator's behalf. Your web server only ever sees the proxy's IP address. The question, then, is how to communicate the originator's IP address to the web server.

I haven't answered previously because I'm no squid expert, but here is the solution that comes to my head: You could hack squid (assuming it doesn't have a knob to do it already) to include the originating IP address as an HTTP header in the proxied request. Then, modify your apps on the web server to fetch the IP address from this header (i.e. via environment variable) as opposed to using the value the web server populates REMOTE_HOST with. However, the IP address in web server logs will still be that of the proxy unless you teach the web server to extract the IP from the new header. Of course, if you have the source to your web server (i.e. apache) then you could teach it to populate REMOTE_HOST with the IP address obtained from the squid-supplied header also and have it be transparent to your apps.

All that said, you would have to take extra precautions in squid to not allow remote clients to supply the header themselves (i.e. to replace the header if it exists and add it if it doesn't), but this should be pretty straightforward.

I hope that answers your question (assuming I am remembering it correctly :) ). Good luck!

Kelly

--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org}
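The header handoff Kelly describes, as an added example that is not part of the original post or of squid or apache: the proxy side strips every client-supplied copy of the header and adds exactly one trusted copy (the "replace it if it exists, add it if it doesn't" precaution), and the application side honours the header only when the request actually arrived from a known proxy and the value parses as an IP address, falling back to the direct peer address otherwise. The header name `X-Orig-Client-IP` and the proxy address `10.0.0.1` are assumptions chosen for illustration; `REMOTE_ADDR` and the `HTTP_<NAME>` environment convention are the standard CGI/WSGI ones (the post refers to REMOTE_HOST, which in CGI carries the hostname rather than the address).

```python
"""Trusted client-IP header handoff between a proxy and a back-end web app.

Added example, not code from the mailing-list post, squid or apache.
The header name X-Orig-Client-IP is an assumption chosen for illustration.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

CLIENT_IP_HEADER = "X-Orig-Client-IP"  # assumed name, not from the original post


def proxy_rewrite_headers(headers: List[Tuple[str, str]],
                          client_ip: str) -> List[Tuple[str, str]]:
    """Proxy side: drop every client-supplied copy of the header (compared
    case-insensitively, so 'x-orig-client-ip' is caught too), then append
    exactly one copy carrying the peer address the proxy saw on its socket."""
    kept = [(k, v) for k, v in headers if k.lower() != CLIENT_IP_HEADER.lower()]
    kept.append((CLIENT_IP_HEADER, client_ip))
    return kept


def app_client_ip(environ: Dict[str, str], trusted_proxies: Set[str]) -> str:
    """Web-app side: return the originating IP for logging / access control.

    The header is honoured only when the direct peer (REMOTE_ADDR) is one of
    the known proxies and the value parses as an IP address; in every other
    case the direct peer address is returned, exactly as the web server would
    have logged it before the header existed."""
    peer = environ.get("REMOTE_ADDR", "")
    if peer not in trusted_proxies:
        return peer  # request did not come through our proxy: header is untrusted
    # CGI/WSGI expose request headers as HTTP_<NAME> with '-' turned into '_'.
    raw = environ.get("HTTP_" + CLIENT_IP_HEADER.upper().replace("-", "_"), "")
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return peer  # missing or malformed value: never trust garbage


def headers_to_environ(headers: List[Tuple[str, str]], peer_ip: str) -> Dict[str, str]:
    """Build the CGI/WSGI-style environment the app sees for a forwarded request."""
    environ = {"REMOTE_ADDR": peer_ip}
    for name, value in headers:
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


def end_to_end(client_headers: List[Tuple[str, str]], real_client_ip: str,
               proxy_ip: str = "10.0.0.1") -> str:
    """Simulate client -> proxy -> app and return the IP the app resolves."""
    forwarded = proxy_rewrite_headers(client_headers, real_client_ip)
    environ = headers_to_environ(forwarded, proxy_ip)
    return app_client_ip(environ, {proxy_ip})


if __name__ == "__main__":
    # Constructed sample: the client tries to supply its own copy of the header.
    spoofed = [("Host", "www.example.com"), ("x-orig-client-ip", "1.2.3.4")]
    print(end_to_end(spoofed, "203.0.113.9"))  # the proxy's value wins: 203.0.113.9
```

The two checks on the application side are what make the scheme safe: restricting trust to a fixed proxy address means a client that reaches the web server directly (or a misrouted request) cannot inject an address, and parsing with `ipaddress` keeps log-injection strings and other junk out of the access logs.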