Perlbal, Squid & X-Forwarded-For
Brad Fitzpatrick
brad at danga.com
Thu Jan 13 10:12:35 PST 2005
Kate,
By default we don't trust X-Forwarded-For from clients because we assume
upstream is an end-user that might be lying to us, and not a trusted Squid
or whatnot.
In the CVS version, you can set "trusted_upstreams" to true/1/on for a
service and its X-Forwarded-For is used instead of Perlbal replacing it.
As for appending a new one all the time, that'd be an easy change... just
modify lib/Perlbal/BackendHTTP.pm where it deals with X-Forwarded-For and
trusted, perhaps?
Let us know the behavior you want and perhaps Mark could add it.
- Brad
On Thu, 13 Jan 2005, Kate Turner wrote:
> Hi,
>
> We're considering trying Perlbal on our website, to load balance
> between the frontend squid servers (that the users see) and the
> apaches at the backend. At the moment we use X-Forwarded-For from the
> squid to know the client's real IP address (our web application
> requires this); Perlbal seems to have _some_ X-F-F support, but, as
> far as I can see, it ignores any X-F-F supplied by the 'client' (which
> in this case is squid).
>
> Would it be different to implement support for appending Perlbal's
> client's IP to the X-F-F, and forwarding the entire thing? E.g. if
> 1.2.3.4 is the client, and 10.0.0.1 is the squid, perlbal would
> forward:
>
> X-Forwarded-For: 1.2.3.4, 10.0.0.1
>
> to the apache. This is what we do with Pen at the moment, and it
> appears to work well.
>
> Thanks,
> Kate.
>
>
More information about the perlbal
mailing list