Date:      Wed, 12 Dec 2001 15:27:01 +1300
From:      Tom Peck <tom@masaclaw.co.nz>
To:        Kelly Yancey <kbyanc@posi.net>, freebsd-net@FreeBSD.ORG
Subject:   RE: 1 IP - 1 Firewall - 2 Webservers
Message-ID:  <5.1.0.14.2.20011212151716.0289a4a8@mail.masaclaw.co.nz>
In-Reply-To: <Pine.BSF.4.21.0112111805160.30401-100000@gateway.posi.net>
References:  <5.1.0.14.2.20011212123256.02871e50@mail.masaclaw.co.nz>

Hi Kelly!

At 18:18 11/12/2001 -0800, you wrote:
>   I have to apologize, I deleted the original post, but as I recall you have
>the actual forwarding working dandy. The only concern, which everyone has
>failed to address, is that you want the NAT'ed web servers to know the
>originating IP address for logging and IP-based security. Obviously, the
>reason you don't have this now is that the originating request is intercepted
>by squid on your gateway machine, which then issues a request to one of the
>internal web servers using its "inside" IP address on the originator's
>behalf. Your web server only ever sees the proxy's IP address.


YES! That's exactly the problem! Your memory is obviously far superior to
most :-).


>   The question, then, is how to communicate the originator's IP address to the
>web server. I haven't answered previously because I'm no squid expert, but
>here is the solution that comes to my head:
>
>   You could hack squid (assuming it doesn't have a knob to do it already) to
>include the originating IP address as a HTTP header in the proxied
>request. Then, modify your apps on the web server to fetch the IP address from
>this header (i.e. via environment variable) as opposed to using the value the
>web server populates REMOTE_HOST with. However, the IP address in web server
>logs will still be that of the proxy unless you teach the web server to
>extract the IP from the new header.

Ok, now we are getting over my head somewhat. Installing from source is
one thing, but modifying that source before installing is another, beyond
what I am willing and able to do...

>   Of course, if you have the source to your web server (i.e. apache) then you
>could teach it to populate REMOTE_HOST with the IP address obtained from the
>squid-supplied header also and have it be transparent to your apps.

And if we don't :-( One of the servers has a pre-compiled OS which cannot
be altered in this way. Surely there must be a simpler way!!


>   All that said, you would have to take extra precautions in squid to not allow
>remote clients to supply the header themselves (i.e. to replace the header if
>it exists and add it if it doesn't), but this should be pretty
>straightforward.
>
>   I hope that answers your question (assuming I am remembering it correctly
>:) ). Good luck!

Thanks for the time taken in responding to my problem. Unfortunately we
are not prepared to go to these lengths to get the thing working how we
would like it. I'm quite surprised there isn't something available to
make this feasible.

Cheers

Tom



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
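The header-passing scheme Kelly sketches above, worked through as an added example (not code from the thread, from squid, or from either poster). It assumes the header is X-Forwarded-For, the de-facto name for this purpose; the post itself names no header. The two sides are the proxy, which must discard any copy of the header the client sent before setting its own, and the web server, which must honour the header only when the TCP peer is one of its own proxies, otherwise a client that reaches the server directly, or a proxy that forgets to strip the header, lets the client choose the address that ends up in the logs and in IP-based access checks. All addresses and header sets below are constructed for the demonstration.

```python
import ipaddress
from typing import Dict, List

# Assumed header name; the post only says "a HTTP header".
FORWARDED_HEADER = "X-Forwarded-For"


def proxy_rewrite_headers(client_headers: Dict[str, str], client_ip: str) -> Dict[str, str]:
    """Proxy side: build the header set for the upstream request.

    Every client-supplied copy of the forwarding header is dropped (header
    names are case-insensitive, so compare lower-cased) and the header is set
    to the address the proxy actually accepted the TCP connection from.
    """
    out = {k: v for k, v in client_headers.items() if k.lower() != FORWARDED_HEADER.lower()}
    out[FORWARDED_HEADER] = client_ip
    return out


def effective_client_ip(peer_ip: str, headers: Dict[str, str], trusted_proxies: List[str]) -> str:
    """Web server side: the address to log and to use for IP-based security.

    The header is honoured only when the TCP peer is a trusted proxy.  The
    value may be a comma-separated chain; each trusted hop appended the peer
    it saw, so walking from the right, the first address that is not one of
    our proxies is the real client.  Anything malformed falls back to the
    socket peer rather than being trusted.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
        return any(addr in net for net in trusted)

    if not is_trusted(peer_ip):
        # Direct connection (or an unknown proxy): the header is attacker-controlled.
        return peer_ip

    raw = None
    for name, value in headers.items():
        if name.lower() == FORWARDED_HEADER.lower():
            raw = value
    if raw is None:
        return peer_ip

    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            return peer_ip
    return peer_ip  # every hop was one of our own proxies


def demo() -> Dict[str, str]:
    """Four constructed scenarios; returns the address the web server would record."""
    proxy_ip = "10.0.0.1"            # constructed: the squid gateway's inside address
    trusted = ["10.0.0.1/32"]
    real_client = "203.0.113.7"      # constructed: the Internet client
    attacker_direct = "198.51.100.9"  # constructed: a client reaching the server without the proxy

    honest = proxy_rewrite_headers({"Host": "www.example.test"}, real_client)
    spoof_attempt = {"Host": "www.example.test", "x-forwarded-for": "127.0.0.1"}
    spoof_rewritten = proxy_rewrite_headers(spoof_attempt, real_client)

    return {
        # Normal path through a proxy that replaces the header.
        "honest": effective_client_ip(proxy_ip, honest, trusted),
        # Client tries to spoof, proxy strips and replaces: spoof fails.
        "spoof_rewritten": effective_client_ip(proxy_ip, spoof_rewritten, trusted),
        # Spoofed header arrives from an untrusted peer: ignored, peer used.
        "spoof_direct": effective_client_ip(attacker_direct, spoof_attempt, trusted),
        # The precaution Kelly warns about omitted: proxy forwards the
        # client's header untouched, and the spoof succeeds.
        "spoof_not_stripped": effective_client_ip(proxy_ip, spoof_attempt, trusted),
    }


if __name__ == "__main__":
    for scenario, addr in demo().items():
        print(f"{scenario:20s} -> {addr}")
```

The last scenario is the one that matters for the "IP-based security" part of the question: a web server that reads the header unconditionally is worse off than one that never sees the real address, because it now trusts a value the client controls. Restricting trust to the proxy's own address on the server side, and replacing rather than passing through on the proxy side, are both needed; either alone leaves a hole.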




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.0.14.2.20011212151716.0289a4a8>