Netgate Discussion Forum

    X-forward squid reverse Proxy

    • celtarblackspotme

      Hi,

      I have pfSense with multiple servers behind it (nginx).

      My wish is to have the original IP in the logs for Piwik. I think you have to activate the ### add mod_extforward #### "mod_extforward" in the reverse proxy lighttpd (found in /etc/inc/system.inc).

      The description, I think, is here http://www.cyberciti.biz/faq/nginx-extract-the-clients-real-ip-from-x-forwarded-for-header/ but I do not know how to activate it in pfSense.

      How can I enable this module, and is there a chance to activate other modules and options (like gzip)?

      Maybe there is another solution for my problem?

      Thanks and best regards
      celtar

      • maex

        Something that worked for me is

        Basically you have to set it on and then exclude sending the inner IPs out:

        Enter something like this under Squid3: Proxy Server/General Settings Tab/Custom ACLS (Before Auth)

        # Pass the client address to the backend in X-Forwarded-For
        #header_replace X-Forwarded-For
        forwarded_for on

        acl mxln src 10.0.0.0/24 # RFC1918 possible internal network
        acl mxlno src 10.0.1.0/24 # RFC1918 possible internal network
        acl mxlnr src 10.0.2.0/24 # RFC1918 possible internal network

        # Strip proxy-identifying reply headers for clients outside all three
        # internal networks. ACLs on one line are ANDed; separate
        # "deny !mxln", "deny !mxlno", "deny !mxlnr" lines would match every client.
        reply_header_access X-Cache-Lookup deny !mxln !mxlno !mxlnr
        reply_header_access X-Squid-Error deny !mxln !mxlno !mxlnr
        reply_header_access X-Cache deny !mxln !mxlno !mxlnr
        reply_header_access Via deny !mxln !mxlno !mxlnr

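With `forwarded_for on`, Squid appends the address it saw to whatever X-Forwarded-For value the client already sent, so whatever consumes the header for logging (the backend or the Piwik log import) has to pick the right entry. The following is an added example, not part of the original posts: it walks the header right to left and trusts it only on connections that come from the proxy. The proxy address 10.0.0.1 and the function name `real_client_ip` are assumptions made for illustration.

```python
import ipaddress

# Assumption for this example: the pfSense/Squid reverse proxy connects to
# the backends from 10.0.0.1. Replace with the proxy's real address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.1/32")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def real_client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log for one request.

    peer_addr  -- source address of the TCP connection to the backend
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    current = ipaddress.ip_address(peer_addr)
    # A request that did not arrive through the proxy gets no say: its
    # header is client-controlled, so log the socket address instead.
    if not _is_trusted(current, trusted) or not xff_header:
        return str(current)
    # The proxy appends on the right, so walk right to left and stop at
    # the first hop that is not one of our own proxies.
    for entry in reversed([e.strip() for e in xff_header.split(",")]):
        try:
            hop = ipaddress.ip_address(entry)
        except ValueError:
            break  # "unknown" or garbage: keep the last verified address
        current = hop
        if not _is_trusted(hop, trusted):
            break
    return str(current)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For value)
    samples = [
        ("10.0.0.1", "203.0.113.7"),           # normal request via proxy
        ("10.0.0.1", "1.2.3.4, 203.0.113.7"),  # client pre-filled the header
        ("198.51.100.9", "10.0.0.5"),          # request that bypassed the proxy
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", real_client_ip(peer, xff))
```

nginx's `real_ip_recursive on` together with `set_real_ip_from` applies the same right-to-left rule on the backend itself.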
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.