how to determine originating IP address when apache is behind squid

on 03.10.2006 21:01:09 by Jim Hayter

Hi,

I'm running Apache 1.3.33 on Solaris. I'd like to use Squid in front of
Apache to handle caching static files. My current Apache config has a
number of rewrite rules that are dependent upon %{REMOTE_ADDR}. When
Squid is in use, %{REMOTE_ADDR} takes on the address of the squid proxy
for all requests. If I invoke a page to print the environment settings
with Squid as a front end, I see HTTP_X_FORWARDED_FOR set to the
originating IP address. This comes from a header added by Squid. I've
determined that I can log this value in my access log using
%{HTTP_X_FORWARDED_FOR}e.

I have not been able to find a way to access this value in Apache
rewrite rules/setenv directives. I've tried the following:

# init IPOK flag
RewriteRule .* - [E=IPOK:0]

# try 1
RewriteCond %{HTTP_X_FORWARDED_FOR} ^10\.28\.40\.2$
RewriteRule .* - [E=IPOK:1]

# try 2
RewriteCond %{X_FORWARDED_FOR} ^10\.28\.40\.2$
RewriteRule .* - [E=IPOK:2]

# try 3
SetEnvIf HTTP_X_FORWARDED_FOR ^10\.28\.40\.2$ IPOK=3

# try 4
SetEnvIf X_FORWARDED_FOR ^10\.28\.40\.2$ IPOK=4

The only one of the above that is acted upon is the first, setting IPOK
to 0. I was hoping to set IPOK and then use it as follows:


AllowOverride None

AuthType basic
AuthName "Restricted"
AuthUserFile conf/password.file
require user admin

# allow access by IP
Order deny,allow
Deny from all
# monitoring systems
Allow from 10.20.34.0/24
# if IP ok
Allow from env=IPOK

Satisfy any


Any suggestions welcomed. Also, any suggestions for Squid support fora
appreciated.

Jim

None of these

Re: how to determine originating IP address when apache is behind squid

on 04.10.2006 09:19:47 by unknown

Post removed (X-No-Archive: yes)

Re: how to determine originating IP address when apache is behind squid

on 04.10.2006 19:46:42 by Jim Hayter

Davide Bianchi wrote:
> On 2006-10-03, Jim Hayter wrote:
>> Squid is in use, %{REMOTE_ADDR} takes on the address of the squid proxy
>> for all requests.
>
> Yes, this is the default behaviour of Squid, you can alter this in
> Apache by doing something like
>
> SetEnvIf X-Forwarded-For (.*) REMOTE_ADDR=$1
>
> (see http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#setenvif)
>
> Davide
>

That may give me the justification I need to argue for an upgrade from
Apache 1.3.33 to 2.2. 1.3.33 does not provide the reg-ex capability in
the SetEnvIf directive.

Jim

Re: how to determine originating IP address when apache is behind squid

on 05.10.2006 04:18:23 by Joshua Slive

On Oct 3, 3:01 pm, Jim Hayter wrote:
> Hi,
>
> I'm running Apache 1.3.33 on Solaris. I'd like to use Squid in front of
> Apache to handle caching static files. My current Apache config has a
> number of rewrite rules that are dependent upon %{REMOTE_ADDR}. When
> Squid is in use, %{REMOTE_ADDR} takes on the address of the squid proxy
> for all requests. If I invoke a page to print the environment settings
> with Squid as a front end, I see HTTP_X_FORWARDED_FOR set to the
> originating IP address. This comes from a header added by Squid. I've
> determined that I can log this value in my access log using
> %{HTTP_X_FORWARDED_FOR}e.
>
> I have not been able to find a way to access this value in Apache
> rewrite rules/setenv directives. I've tried the following:
>
> # init IPOK flag
> RewriteRule .* - [E=IPOK:0]
>
> # try 1
> RewriteCond %{HTTP_X_FORWARDED_FOR} ^10\.28\.40\.2$

The RewriteCond docs will tell you that arbitrary HTTP headers are
accessed using the format %{HTTP:X-Forwarded-For}.

But watch out. The X-Forwarded-For header can easily contain a
comma-separated list of IP addresses rather than a single address if
the request passes through multiple proxies (or if the client is just
trying to be nasty).

Joshua.
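
Added example, not part of the thread or of any poster's configuration: one way to apply the advice above on Apache 1.3, reading the header as `%{HTTP:X-Forwarded-For}` but trusting it only when the request arrives from the proxy and matching only the last entry of the list. It assumes Squid appends the connecting client's address as the final entry; `192.0.2.10` (the Squid address) and the `<Directory>` path are placeholders.

```apache
RewriteEngine On

# Trust X-Forwarded-For only when the TCP peer is the Squid front end.
# 192.0.2.10 is a placeholder for the Squid address (assumption).
# Requests that reach Apache directly never get IPOK from a forged header.
RewriteCond %{REMOTE_ADDR} ^192\.0\.2\.10$
# Match only the LAST list entry, the one the proxy itself appended.
# Earlier entries are supplied by the client or upstream proxies and can
# be forged, so "10.28.40.2, 203.0.113.7" must not match.
# POSIX character class used because Apache 1.3 regexes are not PCRE.
RewriteCond %{HTTP:X-Forwarded-For} (^|,[[:space:]]*)10\.28\.40\.2$
RewriteRule .* - [E=IPOK:1]

# No "E=IPOK:0" initialiser here: "Allow from env=IPOK" tests only whether
# the variable exists, so a value of 0 would still grant access.

# Placeholder path (assumption); the original container tag is not shown.
<Directory "/path/to/restricted">
    AllowOverride None

    AuthType basic
    AuthName "Restricted"
    AuthUserFile conf/password.file
    require user admin

    Order deny,allow
    Deny from all
    # Matched against REMOTE_ADDR, so this covers only monitoring systems
    # that connect to Apache directly. The Squid address must not fall
    # inside this range, or every proxied request would be allowed.
    Allow from 10.20.34.0/24
    # Set above only for the trusted proxy plus the expected last entry.
    Allow from env=IPOK

    Satisfy any
</Directory>
```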