X-forward squid reverse Proxy



  • Hi,

    I have pfSense with multiple servers behind it (nginx).

    My wish is to have the original IP in the logs for Piwik. I think you have to activate the ### add mod_extforward #### "mod_extforward" in the reverse proxy lighttpd (found in /etc/inc/system.inc).

    The description, I think, is here http://www.cyberciti.biz/faq/nginx-extract-the-clients-real-ip-from-x-forwarded-for-header/ but I do not know how to activate it in pfSense.

    How can I enable this module, and is there a chance to activate other modules and options (like gzip)?

    Maybe there is another solution for my problem?

    Thanks and best regards
    celtar



  • Something that worked for me is

    Basically you have to set it on and then exclude sending the inner IPs out:

    Enter something like this under Squid3: Proxy Server/General Settings Tab/Custom ACLS (Before Auth)

    #header_replace X-Forwarded-For
    forwarded_for on

    acl mxln src 10.0.0.0/24 # RFC1918 possible internal network
    acl mxlno src 10.0.1.0/24 # RFC1918 possible internal network
    acl mxlnr src 10.0.2.0/24 # RFC1918 possible internal network

    reply_header_access X-Cache-Lookup deny !mxln
    reply_header_access X-Cache-Lookup deny !mxlno
    reply_header_access X-Cache-Lookup deny !mxlnr
    reply_header_access X-Squid-Error deny !mxln
    reply_header_access X-Squid-Error deny !mxlno
    reply_header_access X-Squid-Error deny !mxlnr
    reply_header_access X-Cache deny !mxln
    reply_header_access X-Cache deny !mxlno
    reply_header_access X-Cache deny !mxlnr
    reply_header_access Via deny !mxln
    reply_header_access Via deny !mxlno
    reply_header_access Via deny !mxlnr


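For the backend side of this setup, an added example (not from either post): with `forwarded_for on` in Squid, the server that writes the logs should accept X-Forwarded-For only on connections coming from the proxy, and take the rightmost address it does not operate itself. The proxy address 10.0.0.1, the sample requests and the function name `client_ip` are assumptions made for illustration.

```python
import ipaddress

# Assumption: the Squid reverse proxy reaches the backend from this address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.1/32")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log for a request.

    peer       -- source address of the TCP connection to the backend
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    current = ipaddress.ip_address(peer)
    # A connection that bypasses the proxy can put anything in the header.
    if not _is_trusted(current, trusted) or not xff_header:
        return str(current)
    # Each proxy appends the address it received the request from, so walk
    # from the right and stop at the first hop we do not operate.
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        current = hop
        if not _is_trusted(hop, trusted):
            break
    return str(current)


# Constructed sample requests: (peer address, X-Forwarded-For value).
SAMPLES = [
    ("10.0.0.1", "203.0.113.7"),             # normal request through Squid
    ("10.0.0.1", "127.0.0.1, 203.0.113.7"),  # client pre-set a fake entry
    ("198.51.100.9", "127.0.0.1"),           # direct hit, header not trusted
    ("10.0.0.1", "unknown"),                 # Squid with forwarded_for off
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, repr(xff), "->", client_ip(peer, xff))
```

Entries left of the one Squid appended are supplied by the client, which is why the walk starts from the right.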