Perlbal, Squid & X-Forwarded-For
brad at danga.com
Thu Jan 13 10:12:35 PST 2005
By default we don't trust X-Forwarded-For from clients because we assume
upstream is an end-user that might be lying to us, and not a trusted Squid
In the CVS version, you can set "trusted_upstreams" to true/1/on for a
service and its X-Forwarded-For is used instead of Perlbal replacing it.
As for appending a new one all the time, that'd be an easy change... just
modify lib/Perlbal/BackendHTTP.pm where it deals with X-Forwarded-For and
Let us know the behavior you want and perhaps Mark could add it.
On Thu, 13 Jan 2005, Kate Turner wrote:
> We're considering trying Perlbal on our website, to load balance
> between the frontend squid servers (that the users see) and the
> apaches at the backend. At the moment we use X-Forwarded-For from the
> squid to know the client's real IP address (our web application
> requires this); Perlbal seems to have _some_ X-F-F support, but, as
> far as I can see, it ignores any X-F-F supplied by the 'client' (which
> in this case is squid).
> Would it be different to implement support for appending Perlbal's
> client's IP to the X-F-F, and forwarding the entire thing? E.g. if
> 184.108.40.206 is the client, and 10.0.0.1 is the squid, perlbal would
> X-Forwarded-For: 220.127.116.11, 10.0.0.1
> to the apache. This is what we do with Pen at the moment, and it
> appears to work well.
More information about the perlbal