From: Amos Jeffries
Date: Fri, 29 Jan 2010 11:44:04 +0000 (+1300)
Subject: Author: Wolfgang Nothdurft
X-Git-Tag: SQUID_3_1_0_16~16
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=af731e3c5ed15de5174fdab08745f77fdd5535a7;p=thirdparty%2Fsquid.git
Author: Wolfgang Nothdurft
Bug 2731: Add follow_x_forwarded_for support to ICAP
Pass the indirect client address to the ICAP server using X-Client-IP.
---
diff --git a/src/adaptation/Config.h b/src/adaptation/Config.h
index 711dcc96ef..d35da51817 100644
--- a/src/adaptation/Config.h
+++ b/src/adaptation/Config.h
@@ -39,6 +39,7 @@ public:
     int send_client_username;
     int service_failure_limit;
     int service_revival_delay;
+    int icap_uses_indirect_client;
 
     Vector serviceConfigs;
 
diff --git a/src/adaptation/icap/ModXact.cc b/src/adaptation/icap/ModXact.cc
index 42f05709fa..bddee51219 100644
--- a/src/adaptation/icap/ModXact.cc
+++ b/src/adaptation/icap/ModXact.cc
@@ -1249,9 +1249,17 @@ void Adaptation::Icap::ModXact::makeRequestHeaders(MemBuf &buf)
         virginBodySending.plan();
     }
 
-    if (TheConfig.send_client_ip && request)
-        if (!request->client_addr.IsAnyAddr() && !request->client_addr.IsNoAddr())
-            buf.Printf("X-Client-IP: %s\r\n", request->client_addr.NtoA(ntoabuf,MAX_IPSTRLEN));
+    if (TheConfig.send_client_ip && request) {
+        IpAddress client_addr;
+#if FOLLOW_X_FORWARDED_FOR
+        if (TheConfig.icap_uses_indirect_client) {
+            client_addr = request->indirect_client_addr;
+        } else
+#endif
+            client_addr = request->client_addr;
+        if (!client_addr.IsAnyAddr() && !client_addr.IsNoAddr())
+            buf.Printf("X-Client-IP: %s\r\n", client_addr.NtoA(ntoabuf,MAX_IPSTRLEN));
+    }
 
     if (TheConfig.send_client_username && request)
         makeUsernameHeader(request, buf);
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 5bcc7182f6..2412d74119 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
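Review bot: The `} else` placed directly before `#endif` in the ModXact.cc hunk makes the `client_addr = request->client_addr;` after `#endif` an else-branch only in FOLLOW_X_FORWARDED_FOR builds, so any statement later inserted between `#endif` and that assignment would silently change which address is sent in one build and not the other. Initialising first and overriding under the conditional reads identically in both builds: `IpAddress client_addr = request->client_addr;` before the `#if`, then inside it just `if (TheConfig.icap_uses_indirect_client) client_addr = request->indirect_client_addr;` (assuming IpAddress is copy-constructible, which the existing assignments suggest). A short comment would also help the next reader, since X-Client-IP now carries a value derived from the client-supplied X-Forwarded-For header whenever follow_x_forwarded_for trusted the sending peer, and the ICAP server inherits exactly that trust decision: `// indirect_client_addr is only as trustworthy as the follow_x_forwarded_for ACL that accepted it`. makeRequestHeaders starts and ends outside the hunk.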
@@ -750,10 +750,10 @@ DOC_START
 	The end result of this process is an IP address that we will
 	refer to as the indirect client address.  This address may
-	be treated as the client address for access control, delay
+	be treated as the client address for access control, ICAP, delay
 	pools and logging, depending on the acl_uses_indirect_client,
-	delay_pool_uses_indirect_client and log_uses_indirect_client
-	options.
+	icap_uses_indirect_client, delay_pool_uses_indirect_client and
+	log_uses_indirect_client options.
 
 	This clause only supports fast acl types.
 	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
@@ -3563,6 +3563,19 @@ Example: broken_posts allow buggy_server
 
 DOC_END
 
+NAME: icap_uses_indirect_client
+COMMENT: on|off
+TYPE: onoff
+IFDEF: FOLLOW_X_FORWARDED_FOR
+DEFAULT: on
+LOC: Adaptation::Icap::TheConfig.icap_uses_indirect_client
+DOC_START
+	Controls whether the indirect client address
+	(see follow_x_forwarded_for) instead of the
+	direct client address is passed to an ICAP
+	server as "X-Client-IP".
+DOC_END
+
 NAME: via
 IFDEF: HTTP_VIOLATIONS
 COMMENT: on|off
diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 318cc174aa..d46353d72b 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
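Review bot: The DOC_START text for the new icap_uses_indirect_client directive does not say what the ICAP server receives when follow_x_forwarded_for trusts no peer, nor that the option defaults to on, so an operator reading only this entry cannot tell that X-Client-IP may carry an address taken from a client-supplied header. Suggest appending a sentence such as `The indirect address is only as reliable as the follow_x_forwarded_for ACL that accepted it; when no peer is trusted the direct client address is sent.` — the second clause follows from the trust model described in the client_side_request.cc comment (indirect_client_addr keeps the last trusted value, which starts as the direct address), if that reading is right. It is also worth stating that the directive has no effect unless the client-IP header is enabled at all, since ModXact.cc only consults icap_uses_indirect_client inside the `TheConfig.send_client_ip` branch.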
@@ -399,13 +399,13 @@ ClientRequestContext::httpStateIsValid()
 #if FOLLOW_X_FORWARDED_FOR
 /**
- * clientFollowXForwardedForCheck() checks the content of X-Forwarded-For:
+ * clientFollowXForwardedForCheck() checks the content of X-Forwarded-For:
  * against the followXFF ACL, or cleans up and passes control to
  * clientAccessCheck().
  *
  * The trust model here is a little ambiguous. So to clarify the logic:
  * - we may always use the direct client address as the client IP.
- * - these trust tests merey tell whether we trust given IP enough to believe the
+ * - these trust tests merey tell whether we trust given IP enough to believe the
  * IP string which it appended to the X-Forwarded-For: header.
  * - if at any point we don't trust what an IP adds we stop looking.
  * - at that point the current contents of indirect_client_addr are the value set