From: Amos Jeffries <squid3@treenet.co.nz>
Date: Tue, 25 May 2010 11:27:15 +0000 (+1200)
Subject: Default-OFF and extra warnings for tproxy_uses_indirect_client option
X-Git-Tag: SQUID_3_2_0_1~195
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4d7ab5a20cc53782fdc482a565bd5c9cdf4df871;p=thirdparty%2Fsquid.git

Default-OFF and extra warnings for tproxy_uses_indirect_client option
---

diff --git a/src/cf.data.pre b/src/cf.data.pre
index 96fb15d3a6..279132fad1 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -871,12 +871,20 @@ NAME: tproxy_uses_indirect_client
 COMMENT: on|off
 TYPE: onoff
 IFDEF: FOLLOW_X_FORWARDED_FOR&&LINUX_NETFILTER
-DEFAULT: on
+DEFAULT: off
 LOC: Config.onoff.tproxy_uses_indirect_client
 DOC_START
 	Controls whether the indirect client address
 	(see follow_x_forwarded_for) is used instead of the
 	direct client address when spoofing the outgoing client.
+
+	This has no effect on requests arriving in non-tproxy
+	mode ports.
+
+	SECURITY WARNING: Usage of this option is dangerous
+	and should not be used trivially. Correct configuration
+	of folow_x_forewarded_for with a limited set of trusted
+	sources is required to prevent abuse of your proxy.
 DOC_END
 
 NAME: http_access