git.ipfire.org Git - thirdparty/squid.git/commitdiff
Default-OFF and extra warnings for tproxy_uses_indirect_client option
author Amos Jeffries <squid3@treenet.co.nz>
Tue, 25 May 2010 11:27:15 +0000 (23:27 +1200)
committer Amos Jeffries <squid3@treenet.co.nz>
Tue, 25 May 2010 11:27:15 +0000 (23:27 +1200)
src/cf.data.pre

index 96fb15d3a6945332fd6b072b7d849f5d7c223c34..279132fad1687fa12b935291a7a36a63328c4de3 100644 (file)
@@ -871,12 +871,20 @@ NAME: tproxy_uses_indirect_client
 COMMENT: on|off
 TYPE: onoff
 IFDEF: FOLLOW_X_FORWARDED_FOR&&LINUX_NETFILTER
-DEFAULT: on
+DEFAULT: off
 LOC: Config.onoff.tproxy_uses_indirect_client
 DOC_START
        Controls whether the indirect client address
        (see follow_x_forwarded_for) is used instead of the
        direct client address when spoofing the outgoing client.
+
+       This has no effect on requests arriving in non-tproxy
+       mode ports.
+
+       SECURITY WARNING: Usage of this option is dangerous
+       and should not be used trivially. Correct configuration
+       of folow_x_forewarded_for with a limited set of trusted
+       sources is required to prevent abuse of your proxy.
 DOC_END
 
 NAME: http_access
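Review bot: The directive name is misspelled in the added SECURITY WARNING paragraph ("folow_x_forewarded_for"); it should read follow_x_forwarded_for, matching the existing "(see follow_x_forwarded_for)" line a few lines above, so that anyone searching the documentation for that directive also finds this warning. The sentence "Usage of this option is dangerous and should not be used trivially" mixes two subjects; "This option is dangerous and should not be enabled lightly" would read more cleanly. Because DEFAULT flips from on to off, configurations that relied on the implicit default will stop spoofing the indirect client address on tproxy ports after upgrading, so the change deserves a mention in the release notes alongside this documentation update.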