---------------------
PatchSet 289
Date: 2002/12/09 14:23:57
Author: apbarrett
Branch: follow_xff
Tag: (none)
Log:
Add the Config.accessList.followXFF access list, set using "follow_x_forwarded_for" syntax in the configuration file, and defaulting to "deny all". Add acl_uses_indirect_client, delay_pool_uses_indirect_client and log_uses_indirect_client configuration flags, all defaulting to "on".
Members:
src/cf.data.pre:1.6->1.6.2.1
src/structs.h:1.9->1.9.2.1
Index: squid3/src/cf.data.pre
===================================================================
RCS file: /cvsroot/squid-sf//squid3/src/cf.data.pre,v
retrieving revision 1.6
retrieving revision 1.6.2.1
diff -u -r1.6 -r1.6.2.1
--- squid3/src/cf.data.pre 18 Nov 2002 03:12:57 -0000 1.6
+++ squid3/src/cf.data.pre 9 Dec 2002 14:23:57 -0000 1.6.2.1
@@ -1,6 +1,6 @@
 #
-# $Id: cf.data.pre,v 1.6 2002/11/18 03:12:57 squidadm Exp $
+# $Id: cf.data.pre,v 1.6.2.1 2002/12/09 14:23:57 apbarrett Exp $
 #
 #
 # SQUID Web Proxy Cache http://www.squid-cache.org/
@@ -3577,6 +3577,92 @@
 broken_posts allow buggy_server
 DOC_END
 
+NAME: follow_x_forwarded_for
+TYPE: acl_access
+IFDEF: FOLLOW_X_FORWARDED_FOR
+LOC: Config.accessList.followXFF
+DEFAULT: none
+DEFAULT_IF_NONE: deny all
+DOC_START
+ Allowing or Denying the X-Forwarded-For header to be followed to
+ find the original source of a request.
+
+ Requests may pass through a chain of several other proxies
+ before reaching us. The X-Forwarded-For header will contain a
+ comma-separated list of the IP addresses in the chain, with the
+ rightmost address being the most recent.
+
+ If a request reaches us from a source that is allowed by this
+ configuration item, then we consult the X-Forwarded-For header
+ to see where that host received the request from. If the
+ X-Forwarded-For header contains multiple addresses, and if
+ acl_uses_indirect_client is on, then we continue backtracking
+ until we reach an address for which we are not allowed to
+ follow the X-Forwarded-For header, or until we reach the first
+ address in the list. (If acl_uses_indirect_client is off, then
+ it's impossible to backtrack through more than one level of
+ X-Forwarded-For addresses.)
+
+ The end result of this process is an IP address that we will
+ refer to as the indirect client address. This address may
+ be treated as the client address for access control, delay
+ pools and logging, depending on the acl_uses_indirect_client,
+ delay_pool_uses_indirect_client and log_uses_indirect_client
+ options.
+
+ SECURITY CONSIDERATIONS:
+
+ Any host for which we follow the X-Forwarded-For header
+ can place incorrect information in the header, and Squid
+ will use the incorrect information as if it were the
+ source address of the request. This may enable remote
+ hosts to bypass any access control restrictions that are
+ based on the client's source addresses.
+
+ For example:
+
+ acl localhost src 127.0.0.1
+ acl my_other_proxy srcdomain .proxy.foo.com
+ follow_x_forwarded_for allow localhost
+follow_x_forwarded_for allow my_other_proxy
+DOC_END
+
+NAME: acl_uses_indirect_client
+COMMENT: on|off
+TYPE: onoff
+IFDEF: FOLLOW_X_FORWARDED_FOR
+DEFAULT: on
+LOC: Config.onoff.acl_uses_indirect_client
+DOC_START
+ Controls whether the indirect client address
+ (see follow_x_forwarded_for) is used instead of the
+ direct client address in acl matching.
+DOC_END
+
+NAME: delay_pool_uses_indirect_client
+COMMENT: on|off
+TYPE: onoff
+IFDEF: FOLLOW_X_FORWARDED_FOR && DELAY_POOLS
+DEFAULT: on
+LOC: Config.onoff.delay_pool_uses_indirect_client
+DOC_START
+ Controls whether the indirect client address
+ (see follow_x_forwarded_for) is used instead of the
+ direct client address in delay pools.
+DOC_END
+
+NAME: log_uses_indirect_client
+COMMENT: on|off
+TYPE: onoff
+IFDEF: FOLLOW_X_FORWARDED_FOR
+DEFAULT: on
+LOC: Config.onoff.log_uses_indirect_client
+DOC_START
+ Controls whether the indirect client address
+ (see follow_x_forwarded_for) is used instead of the
+ direct client address in the access log.
+DOC_END
+
 NAME: mcast_miss_addr
 IFDEF: MULTICAST_MISS_STREAM
 TYPE: address
Index: squid3/src/structs.h
===================================================================
RCS file: /cvsroot/squid-sf//squid3/src/structs.h,v
retrieving revision 1.9
retrieving revision 1.9.2.1
diff -u -r1.9 -r1.9.2.1
--- squid3/src/structs.h 18 Nov 2002 03:12:57 -0000 1.9
+++ squid3/src/structs.h 9 Dec 2002 14:23:57 -0000 1.9.2.1
@@ -1,6 +1,6 @@
 /*
- * $Id: structs.h,v 1.9 2002/11/18 03:12:57 squidadm Exp $
+ * $Id: structs.h,v 1.9.2.1 2002/12/09 14:23:57 apbarrett Exp $
  *
  *
  * SQUID Web Proxy Cache http://www.squid-cache.org/
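Review bot: The SECURITY CONSIDERATIONS paragraph in the follow_x_forwarded_for DOC block warns only about bypassing access control, but the same header value also feeds delay pools and the access log through delay_pool_uses_indirect_client and log_uses_indirect_client, so a trusted peer that forges the header can also evade bandwidth limits or plant a false client address in the log; suggest extending the last sentence to `... bypass any access control restrictions that are based on the client's source addresses, evade delay pools, or cause a forged client address to be recorded in the access log.` The example grants follow_x_forwarded_for to `my_other_proxy` via `srcdomain`, which relies on a reverse DNS lookup of the peer address rather than the address itself; for a trust decision of this weight an `src`-based ACL listing the proxy's addresses is the safer pattern, and a one-line remark next to the example would help operators avoid copying the weaker form. The text also does not say what the indirect client address becomes when an X-Forwarded-For entry is not a parsable IP address, which presumably stops the backtracking at the last valid address; stating that explicitly removes a guess for anyone auditing their configuration.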
@@ -502,6 +502,11 @@
 int check_hostnames;
 int via;
 int emailErrData;
+#if FOLLOW_X_FORWARDED_FOR
+ int acl_uses_indirect_client;
+ int delay_pool_uses_indirect_client;
+ int log_uses_indirect_client;
+#endif /* FOLLOW_X_FORWARDED_FOR */
 } onoff;
 acl *aclList;
 struct {
@@ -523,6 +528,9 @@
 acl_access *reply;
 acl_address *outgoing_address;
 acl_tos *outgoing_tos;
+#if FOLLOW_X_FORWARDED_FOR
+ acl_access *followXFF;
+#endif /* FOLLOW_X_FORWARDED_FOR */
 } accessList;
 acl_deny_info_list *denyInfoList;
 authConfig authConfiguration;
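Review bot: `acl_access *followXFF` in the second hunk is the sole trust boundary for accepting a client-supplied X-Forwarded-For value, yet the declaration carries no comment saying so; suggest `/* peers trusted to supply X-Forwarded-For; cf.data.pre defaults this to "deny all" */` above it, and a matching `/* use the indirect (X-Forwarded-For) client address instead of the TCP peer address */` on the three flags added to `onoff` in the first hunk, since a reader of structs.h otherwise has to open cf.data.pre to learn that these fields widen what counts as "the client". The `int` type for the new flags follows the neighbouring `via` and `emailErrData` fields, so no change there. The enclosing struct starts and ends outside both hunks.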