From: Amos Jeffries
Date: Thu, 21 Jan 2010 10:22:02 +0000 (+1300)
Subject: Author: Wolfgang Nothdurft
X-Git-Tag: SQUID_3_2_0_1~453
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=57d76dd4111628fdc083c3b0eac3f1ebf04d97d1;p=thirdparty%2Fsquid.git
Author: Wolfgang Nothdurft Bug 2731: Add follow_x_forwarded_for support to ICAP Pass the indirect client address to the ICAP server using X-Client-IP.
---
diff --git a/src/adaptation/Config.h b/src/adaptation/Config.h
index 711dcc96ef..d35da51817 100644
--- a/src/adaptation/Config.h
+++ b/src/adaptation/Config.h
@@ -39,6 +39,7 @@ public:
 int send_client_username;
 int service_failure_limit;
 int service_revival_delay;
+ int icap_uses_indirect_client;
 Vector serviceConfigs;
diff --git a/src/adaptation/icap/ModXact.cc b/src/adaptation/icap/ModXact.cc
index 42f05709fa..83ae9eef69 100644
--- a/src/adaptation/icap/ModXact.cc
+++ b/src/adaptation/icap/ModXact.cc
@@ -1250,8 +1250,17 @@ void Adaptation::Icap::ModXact::makeRequestHeaders(MemBuf &buf)
 }
 if (TheConfig.send_client_ip && request)
- if (!request->client_addr.IsAnyAddr() && !request->client_addr.IsNoAddr())
- buf.Printf("X-Client-IP: %s\r\n", request->client_addr.NtoA(ntoabuf,MAX_IPSTRLEN));
+ {
+ IpAddress client_addr;
+#if FOLLOW_X_FORWARDED_FOR
+ if (TheConfig.icap_uses_indirect_client) {
+ client_addr = request->indirect_client_addr;
+ } else
+#endif
+ client_addr = request->client_addr;
+ if(!client_addr.IsAnyAddr() && !client_addr.IsNoAddr())
+ buf.Printf("X-Client-IP: %s\r\n", client_addr.NtoA(ntoabuf,MAX_IPSTRLEN));
+ }
 if (TheConfig.send_client_username && request)
 makeUsernameHeader(request, buf);
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 5df6d78e38..d384893abd 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
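Review bot: In `makeRequestHeaders` (src/adaptation/icap/ModXact.cc), when `icap_uses_indirect_client` is on, the `X-Client-IP` value comes from `request->indirect_client_addr`, which the cf.data.pre text in this commit describes as the result of follow_x_forwarded_for processing, so it presumably originates from a request header rather than from the TCP peer. The ICAP server gets the same header name in both cases and cannot tell which kind of address it received, so per-client policy or audit records on the ICAP side are only as reliable as the follow_x_forwarded_for ACL. I would record that next to the assignment, e.g. `// from X-Forwarded-For processing; only as trustworthy as the follow_x_forwarded_for ACL`, and repeat the caveat in the new option's DOC block. Separately, the `} else` that is completed by the statement after `#endif` is easy to break in a later edit; a braced `else` inside the `#if` with an `#else` branch for the plain assignment would be safer to maintain. The function body starts and ends outside the hunk.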
@@ -800,10 +800,10 @@ DOC_START The end result of this process is an IP address that we will refer to as the indirect client address. This address may - be treated as the client address for access control, delay + be treated as the client address for access control, ICAP, delay pools and logging, depending on the acl_uses_indirect_client, - delay_pool_uses_indirect_client and log_uses_indirect_client - options. + icap_uses_indirect_client, delay_pool_uses_indirect_client and + log_uses_indirect_client options. This clause only supports fast acl types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -3681,6 +3681,19 @@ Example: broken_posts allow buggy_server DOC_END +NAME: icap_uses_indirect_client +COMMENT: on|off +TYPE: onoff +IFDEF: FOLLOW_X_FORWARDED_FOR +DEFAULT: on +LOC: Adaptation::Icap::TheConfig.icap_uses_indirect_client +DOC_START + Controls whether the indirect client address + (see follow_x_forwarded_for) instead of the + direct client address is passed to an ICAP + server as "X-Client-IP". +DOC_END + NAME: via IFDEF: HTTP_VIOLATIONS COMMENT: on|off
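Review bot: `DEFAULT: on` in the new `icap_uses_indirect_client` entry changes what existing deployments send without any configuration change. Before this commit `X-Client-IP` always carried the direct client address (the removed lines in ModXact.cc); after an upgrade, a build with FOLLOW_X_FORWARDED_FOR sends the indirect address instead, presumably whenever a follow_x_forwarded_for rule accepts a forwarded value. ICAP services that key filtering or logging on that header would then see different addresses. Either default the option to `off`, or state the change in the DOC text, for example `With the default setting, the address sent to ICAP servers changes whenever follow_x_forwarded_for accepts a forwarded address.`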