
I have a few web servers running on my server and I want all of them to be accessible via port 80. I set up squid as a reverse proxy and it works fine. I, however, need the source IP address to be kept when the requests are redirected to the servers. Otherwise, the servers see all connections as originating from localhost, which isn't very good.

I know there is an option, forwarded_for, which creates an X-Forwarded-For header, but it is not really transparent and not every server supports it.

tach
  • You need to look at [Tproxy](http://wiki.squid-cache.org/Features/Tproxy4). – Khaled Apr 23 '13 at 13:14
  • Do you need squid or could you replace it with another proxy? – Izzy Apr 23 '13 at 13:38
  • I looked at TProxy. I would be very happy if I could keep squid; however, if there is a better alternative, I can switch. – tach Apr 23 '13 at 13:53
  • If you had squid keep the original client's IP in the TCP headers, the web servers would need to have the transparent squid proxy set as their default gateway in order for the traffic to get back to where it came from, I believe. – jwbensley Apr 23 '13 at 14:15
  • Since it is on the same machine, the packets can be intercepted on their way back. It can be difficult to implement, but still possible. – tach Apr 23 '13 at 14:20
  • It is impossible to do this with squid/tproxy (that is the "other way" proxying, not reverse proxying). Is it really impossible for you to use the X-Forwarded-For header? Where do you require the remote IP? For the logs, you could simply change the LogFormat (assuming this is apache httpd, though it should be possible in any decent webserver) to use %{X-Forwarded-For}i for instance. If you also require the remote IP in other places where you would usually expect it, have a look at modules that will do this for you, http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html for instance. – eike Apr 23 '13 at 17:22
  • Ok. Why do I require it? I have more web servers - some of them custom made (qwebirc, webmin ...), they don't support XFF and some of them use an IP access list to limit access to them. However, if you say it is really impossible to make a reverse proxy fully transparent, I'll go with the XFF approach and hack the access rights differently. Thank you very much. – tach Apr 23 '13 at 21:32
  • Not sure if Squid can do this, but this is basically the difference between a load-balancer proxy and a load-balancer switch. Proxy implies a separate TCP connection from proxy to server will be made on behalf of the client. H/W load-balancers act more like switches that do all the IP NAT'ing and don't have to work like a proxy (but could if you wanted to configure that way); packets are basically "cut-through". – generalnetworkerror Apr 25 '13 at 09:22
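The XFF route that eike suggests and that tach needs for his IP access lists has one security catch the comments do not spell out: X-Forwarded-For is just a request header, so any client can send one, and a backend that blindly takes the first address in it can be fooled into passing an IP allowlist. The safe rule is the one mod_remoteip implements with RemoteIPHeader plus RemoteIPInternalProxy: start from the TCP peer, walk the chain right to left, discard every hop that is a trusted proxy, and take the first address that is not. The following is an added example, not code from the question, from squid or from Apache; the trusted-proxy list (squid on 127.0.0.1), the allowlist and the sample requests are all constructed for illustration.

```python
import ipaddress

# Constructed: the only hop allowed to append to X-Forwarded-For is the
# reverse proxy on the same box (squid with forwarded_for on).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def _parse(addr):
    """Parse one address, returning None for anything that is not an IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the real client address as a string.

    The chain is [X-Forwarded-For entries..., TCP peer], oldest on the left.
    Walking from the right, every hop that belongs to a trusted proxy is
    discarded; the first untrusted address is the client. Everything further
    left was written by an untrusted party (possibly the client itself) and
    is ignored, so a forged header cannot spoof the result. If the peer is
    not a trusted proxy the header is never consulted at all.
    """
    hops = [peer_addr]
    if xff_header:
        hops = xff_header.split(",") + hops
    for raw in reversed(hops):
        ip = _parse(raw)
        if ip is None:
            # Malformed entry: stop the walk and fall back to the TCP peer,
            # which fails closed for an allowlist (localhost matches nothing).
            return peer_addr
        if not any(ip in net for net in trusted):
            return str(ip)
    # Every hop was a trusted proxy: the request originated inside.
    return peer_addr


def allowed(client, acl):
    """IP access list check on the address client_ip() produced."""
    ip = _parse(client)
    return ip is not None and any(ip in ipaddress.ip_network(n) for n in acl)


# Constructed requests: (peer address the web server sees, X-Forwarded-For value)
SAMPLES = {
    "direct, no proxy":        ("203.0.113.7", None),
    "via squid":               ("127.0.0.1", "203.0.113.7"),
    "forged XFF via squid":    ("127.0.0.1", "10.0.0.5, 203.0.113.7"),
    "forged XFF, no proxy":    ("203.0.113.7", "10.0.0.5"),
}

if __name__ == "__main__":
    acl = ["10.0.0.0/8"]  # constructed allowlist an attacker would like to match
    for name, (peer, xff) in SAMPLES.items():
        ip = client_ip(peer, xff)
        print(f"{name:24s} -> client {ip:12s} allowed={allowed(ip, acl)}")
```

Run as is, none of the four constructed requests is allowed: the two forged headers name 10.0.0.5, but that entry sits to the left of the hop squid appended (or arrives on a connection that is not from squid) and so is never trusted. On Apache the same walk is what you get from `RemoteIPHeader X-Forwarded-For` with `RemoteIPInternalProxy 127.0.0.1` in the mod_remoteip docs linked above; for the backends in the question that cannot do this themselves, the access check has to happen in the proxy or in a wrapper like this one.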

0 Answers