int send_client_username;
int service_failure_limit;
int service_revival_delay;
+ int icap_uses_indirect_client;
Vector<ServiceConfig*> serviceConfigs;
virginBodySending.plan();
}
- if (TheConfig.send_client_ip && request)
- if (!request->client_addr.IsAnyAddr() && !request->client_addr.IsNoAddr())
- buf.Printf("X-Client-IP: %s\r\n", request->client_addr.NtoA(ntoabuf,MAX_IPSTRLEN));
+ if (TheConfig.send_client_ip && request) {
+ IpAddress client_addr;
+#if FOLLOW_X_FORWARDED_FOR
+ if (TheConfig.icap_uses_indirect_client) {
+ client_addr = request->indirect_client_addr;
+ } else
+#endif
+ client_addr = request->client_addr;
+ if (!client_addr.IsAnyAddr() && !client_addr.IsNoAddr())
+ buf.Printf("X-Client-IP: %s\r\n", client_addr.NtoA(ntoabuf,MAX_IPSTRLEN));
+ }
if (TheConfig.send_client_username && request)
makeUsernameHeader(request, buf);
The end result of this process is an IP address that we will
refer to as the indirect client address. This address may
- be treated as the client address for access control, delay
+ be treated as the client address for access control, ICAP, delay
pools and logging, depending on the acl_uses_indirect_client,
- delay_pool_uses_indirect_client and log_uses_indirect_client
- options.
+ icap_uses_indirect_client, delay_pool_uses_indirect_client and
+ log_uses_indirect_client options.
This clause only supports fast acl types.
See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
broken_posts allow buggy_server
DOC_END
+NAME: icap_uses_indirect_client
+COMMENT: on|off
+TYPE: onoff
+IFDEF: FOLLOW_X_FORWARDED_FOR
+DEFAULT: on
+LOC: Adaptation::Icap::TheConfig.icap_uses_indirect_client
+DOC_START
+ Controls whether the indirect client address
+ (see follow_x_forwarded_for) instead of the
+ direct client address is passed to an ICAP
+ server as "X-Client-IP".
+DOC_END
+
NAME: via
IFDEF: HTTP_VIOLATIONS
COMMENT: on|off
#if FOLLOW_X_FORWARDED_FOR
/**
- * clientFollowXForwardedForCheck() checks the content of X-Forwarded-For:
+ * clientFollowXForwardedForCheck() checks the content of X-Forwarded-For:
* against the followXFF ACL, or cleans up and passes control to
* clientAccessCheck().
*
* The trust model here is a little ambiguous. So to clarify the logic:
* - we may always use the direct client address as the client IP.
- * - these trust tests merey tell whether we trust given IP enough to believe the
+ * - these trust tests merey tell whether we trust given IP enough to believe the
* IP string which it appended to the X-Forwarded-For: header.
* - if at any point we don't trust what an IP adds we stop looking.
* - at that point the current contents of indirect_client_addr are the value set
projects / thirdparty / squid.git / commitdiff
