Perlbal, Squid & X-Forwarded-For

Brad Fitzpatrick brad at
Thu Jan 13 10:12:35 PST 2005


By default we don't trust X-Forwarded-For from clients because we assume
upstream is an end-user that might be lying to us, and not a trusted Squid
or whatnot.

In the CVS version, you can set "trusted_upstreams" to true/1/on for a
service and its X-Forwarded-For is used instead of Perlbal replacing it.

As for appending a new one all the time, that'd be an easy change... just
modify lib/Perlbal/ where it deals with X-Forwarded-For and
trusted, perhaps?

Let us know the behavior you want and perhaps Mark could add it.

- Brad

On Thu, 13 Jan 2005, Kate Turner wrote:

> Hi,
> We're considering trying Perlbal on our website, to load balance
> between the frontend squid servers (that the users see) and the
> apaches at the backend.  At the moment we use X-Forwarded-For from the
> squid to know the client's real IP address (our web application
> requires this); Perlbal seems to have _some_ X-F-F support, but, as
> far as I can see, it ignores any X-F-F supplied by the 'client' (which
> in this case is squid).
> Would it be different to implement support for appending Perlbal's
> client's IP to the X-F-F, and forwarding the entire thing?  E.g. if
> is the client, and is the squid, perlbal would
> forward:
> X-Forwarded-For:,
> to the apache.  This is what we do with Pen at the moment, and it
> appears to work well.
> Thanks,
> Kate.
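
The header handling discussed in this thread, as an added example that is not part of the original messages and is not Perlbal's code: it combines the trust check Brad describes with the append behaviour Kate asks for, then shows how a backend can pick the client address out of the resulting chain. The function names, the trusted-network lists and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample topology (assumptions, not from the thread):
# Squid tier 10.0.0.0/24, balancer 10.0.1.2, end user 203.0.113.7.
BALANCER_TRUSTS = [ipaddress.ip_network("10.0.0.0/24")]
BACKEND_TRUSTS = BALANCER_TRUSTS + [ipaddress.ip_network("10.0.1.2/32")]

def is_trusted(addr, trusted):
    """True only if addr parses as an IP inside a trusted network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)

def outgoing_xff(peer_ip, incoming_xff, trusted=BALANCER_TRUSTS):
    """X-Forwarded-For value the balancer sends to the backend.

    Untrusted peer: drop whatever it sent and use its socket address.
    Trusted peer: keep its chain and append its socket address.
    """
    if incoming_xff and is_trusted(peer_ip, trusted):
        return f"{incoming_xff.strip()}, {peer_ip}"
    return peer_ip

def client_ip(peer_ip, xff, trusted=BACKEND_TRUSTS):
    """Backend side: walk the chain right to left and return the first
    hop that is not one of our own proxies. Entries to its left were
    supplied by that hop and are never believed."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    hops.append(peer_ip)
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return hop
    return hops[0]  # every hop was one of our proxies

if __name__ == "__main__":
    # End user forges a header; Squid (10.0.0.5) appends the real address.
    from_squid = "1.2.3.4, 203.0.113.7"
    to_backend = outgoing_xff("10.0.0.5", from_squid)
    print(to_backend)
    print(client_ip("10.0.1.2", to_backend))
    # End user connects straight to the balancer with a forged header.
    print(outgoing_xff("203.0.113.7", "10.0.0.5"))
```

The leftmost entries of an appended chain are whatever the end user chose to send, so the backend must take the address from the right-hand side, stopping at the first hop outside its own proxy tiers.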
