Bug 381757 - net-proxy/squid-3.1.15: Add --enable-follow-x-forwarded-for configure option to Squid proxy
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Normal enhancement
Assignee: Gentoo Network Proxy Developers (OBSOLETE)
 
Reported: 2011-09-04 10:25 UTC by Shaun Attfield
Modified: 2011-09-05 05:18 UTC

Attachments
patch for squid-3.1.15.ebuild (squid-3.1.15-ebuild-x-forwarded.patch,351 bytes, patch)
2011-09-04 10:28 UTC, Shaun Attfield

Description Shaun Attfield 2011-09-04 10:25:27 UTC
This configure flag (--enable-follow-x-forwarded-for) allows Squid to use the "forwarded for" header from earlier proxies in a proxy chain.
See http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/
This is especially useful in combination with net-proxy/dansguardian or some such.

This configure flag is enabled on other distros, including Debian.

This enables options that are, anyway, disabled by default in the configuration and need to be explicitly enabled in squid.conf, so enabling it at compile time will not have any security impact on existing systems.

An example of how to enable it for logging only from a forwarding proxy on localhost follows below (note that "off" is the default, listed here for clarity only):

acl localhost src 127.0.0.1
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all
acl_uses_indirect_client off
delay_pool_uses_indirect_client off
log_uses_indirect_client on

I have been using this since squid-3.1.8 on x86 without incident.

Reproducible: Always




emerge --info
Comment 1 Shaun Attfield 2011-09-04 10:28:09 UTC
Created attachment 285505
patch for squid-3.1.15.ebuild
Comment 2 Eray Aslan gentoo-dev 2011-09-05 05:18:40 UTC
It is enabled by default. Still, I will add it explicitly with the next bump. Please reopen if you cannot use the enable-follow-x-forwarded-for option.
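
Added example, not part of the bug report and not Squid's own code: a simplified Python model of the right-to-left trust walk that the follow_x_forwarded_for ACL in the description's squid.conf controls, showing why "allow localhost / deny all" keeps client-supplied header entries out of the logs. The function name indirect_client, the handling of unparsable entries, and all addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress


def indirect_client(peer, xff_header, trusted_nets):
    """Return the address a proxy would treat as the indirect client.

    Simplified model: starting from the directly connected peer, an
    X-Forwarded-For entry is believed only if the address that reported it
    is inside trusted_nets (the 'follow_x_forwarded_for allow' ACL).
    Entries are consumed from the right, i.e. nearest proxy first.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    current = ipaddress.ip_address(peer)
    entries = [e.strip() for e in xff_header.split(",") if e.strip()]

    while entries and any(current in n for n in nets):
        candidate = entries.pop()          # rightmost remaining entry
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            break                          # model choice: stop on garbage
    return str(current)


# Constructed sample data (documentation address ranges).
LOCALHOST_ONLY = ["127.0.0.1/32"]          # acl localhost src 127.0.0.1
ALLOW_ALL = ["0.0.0.0/0"]                  # the weak alternative

# A filtering proxy on localhost appended the real client 192.0.2.10;
# the client itself had pre-filled a forged "10.9.9.9" entry.
CHAINED_HEADER = "10.9.9.9, 192.0.2.10"

if __name__ == "__main__":
    # Trusted localhost hop: only its entry is believed.
    print(indirect_client("127.0.0.1", CHAINED_HEADER, LOCALHOST_ONLY))
    # Untrusted direct client: its header is ignored entirely.
    print(indirect_client("198.51.100.7", "10.0.0.1", LOCALHOST_ONLY))
    # 'allow all' would follow the chain into client-controlled data.
    print(indirect_client("127.0.0.1", CHAINED_HEADER, ALLOW_ALL))
```
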