Perlbal, Squid & X-Forwarded-For

Kate Turner kate.turner at
Thu Jan 13 10:30:53 PST 2005

Hi Brad.  Thanks for the quick reply :-)

On Thu, 13 Jan 2005 10:12:35 -0800 (PST), Brad Fitzpatrick
<brad at> wrote:
> By default we don't trust X-Forwarded-For from clients because we assume
> upstream is an end-user that might be lying to us, and not a trusted Squid
> or whatnot.

*nod*.  We actually pass X-F-F through squid (so the client can supply
their own, too..) but filter it at the backend.  I see this isn't the
best behaviour for everyone though :-)
> In the CVS version, you can set "trusted_upstreams" to true/1/on for a
> service and its X-Forwarded-For is used instead of Perlbal replacing it.

That sounds good.  I'll see if I can have a look at this later...

> As for appending a new one all the time, that'd be an easy change... just
> modify lib/Perlbal/ where it deals with X-Forwarded-For and
> trusted, perhaps?

Hm.. if trusted_upstreams simply passes it through untouched, I think
that should work fine as-is  -  the backend doesn't care whether it
went through perlbal or not.

> - Brad


More information about the perlbal mailing list