On Apr 25, 2011, at 4:09 AM, Amos Jeffries wrote:

> On 22/04/11 02:08, jeffrey j donovan wrote:
>> Greetings,
>>
>> I have a transparent squid in a private net with a 1-1 NAT, I'm
>> trying to get a good understanding of what my clients look like to
>> the outside. What is the default setting for "forwarded_for" if my
>> system is running intercept?
>
> "forwarded_for on" is the default for all modes. The client IP *as seen by
> Squid* is added to the header.
>
>> To my understanding, if I leave the
>> X-Forwarded-For header my NATted clients' IP will be the visible
>> requestor?
>
> Whatever the client IP making the request was will be noted as the original
> requestor. The internal "private" IP ranges have no meaning to external
> viewers. They simply indicate that there was a NAT step.
>
>> In the past did we strip that out or is it something new?
>
> Nothing has changed in Squid. Maybe your config or something outside Squid
> was playing with it.
>
>> Is there a way to have the final request return the global NAT IP of
>> the client?
>
> There is no such global IP for the client, at least for port 80. The client
> never touches the Internet when intercepted into Squid. This is one of the
> few benefits of interception.
>
> The Squid box is the only public TCP/IP address touching the Internet.
>
>> Currently squid seems to be the final, I think. Can
>> someone clarify this option for me? Thanks -j
>>
>> 192.168.1.2 ---> 192.168.1.1 [squid] 10.10.10.1 -- 10.10.10.2 [IP
>> NAT] -- GLOBAL
>
> Correct.
>
>> forwarded_for new setting options: transparent, truncate, delete.
>>
>> If set to "transparent", Squid will not alter the X-Forwarded-For
>> header in any way.
>>
>> If set to "delete", Squid will delete the entire X-Forwarded-For
>> header.
>>
>> If set to "truncate", Squid will remove all existing X-Forwarded-For
>> entries, and place itself as the sole entry.
>
> ... as you cut-n-pasted from the documentation, that is what it does.
> The "place itself as the sole entry" was incorrect. Fixed in recent releases
> to be "place the client IP as the sole entry".
>
> Going back to your initial goal "get a good understanding of what my clients
> look like to the outside"...
>
> The "outside" all sees Squid's global IP connecting to them and making requests.
> For smart web services that attempt to use advanced transfer features they
> see the Via: header indicating the client and Squid capabilities so nothing
> breaks halfway back.
> For smart security systems that attempt IP-based security (the ones that do
> it well anyway) they see the X-Forwarded-For header with a group of
> identifiers that can be combined to classify different end clients apart.
>
> Amos
Thanks for the clarity :) BTW, the 3.2.12 build on Darwin ppc/intel works great. -j
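Added illustration, not code from the thread or from Squid itself: a small model of what each `forwarded_for` value does to the X-Forwarded-For header, using the thread's topology (LAN client 192.168.1.2, Squid as the only host with a public address). The public address 203.0.113.10, the `off` mode's "unknown" value, and the function names are assumptions for the example, not values from the thread.

```python
# Model of how Squid's forwarded_for directive shapes the X-Forwarded-For
# header on the request it sends upstream. Constructed illustration only;
# not Squid source code. Modes follow the thread plus "off" (assumed here
# to append the literal "unknown").

def apply_forwarded_for(headers: dict, client_ip: str, mode: str = "on") -> dict:
    """Return the headers Squid would forward for one request.

    client_ip is the peer address on the socket Squid accepted. With the
    thread's topology the NAT sits *behind* Squid on the Internet side, so
    this is the private LAN address (e.g. 192.168.1.2), never the global one.
    """
    out = {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}
    prior = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    if mode == "on":             # default: append the client IP Squid saw
        out["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    elif mode == "off":          # append "unknown" instead of the real address
        out["X-Forwarded-For"] = f"{prior}, unknown" if prior else "unknown"
    elif mode == "transparent":  # pass whatever arrived, unchanged
        if prior is not None:
            out["X-Forwarded-For"] = prior
    elif mode == "delete":       # strip the header entirely
        pass
    elif mode == "truncate":     # discard prior entries; client IP is sole entry
        out["X-Forwarded-For"] = client_ip
    else:
        raise ValueError(f"unknown forwarded_for mode: {mode}")
    return out


SQUID_GLOBAL_IP = "203.0.113.10"  # constructed stand-in for the NAT's public address
LAN_CLIENT_IP = "192.168.1.2"     # the client from the thread's diagram


def what_outside_sees(mode: str, client_headers: dict = None) -> tuple:
    """(TCP source address, X-Forwarded-For value) as the origin server sees them.

    Squid terminates the client's TCP session, so the origin only ever sees
    the Squid box's public address as the connection source, whatever the mode.
    """
    hdrs = apply_forwarded_for(client_headers or {}, LAN_CLIENT_IP, mode)
    return SQUID_GLOBAL_IP, hdrs.get("X-Forwarded-For")


if __name__ == "__main__":
    # A client-supplied entry Squid cannot vouch for: "on" appends behind it,
    # "truncate" discards it, so only truncate leaves a value an IP-based
    # control upstream should rely on.
    untrusted = {"X-Forwarded-For": "10.0.0.99"}
    for m in ("on", "transparent", "delete", "truncate"):
        print(m, what_outside_sees(m, untrusted))
```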
