| Index | Alphabetical Index |
Option Name: | proxy_protocol_access |
---|---|
Replaces: | |
Requires: | |
Default Value: | all TCP connections to ports with require-proxy-header will be denied |
Suggested Config: |
|
Determine which client proxies can be trusted to provide correct information regarding real client IP address using PROXY protocol. Requests may pass through a chain of several other proxies before reaching us. The original source details may by sent in: * HTTP message Forwarded header, or * HTTP message X-Forwarded-For header, or * PROXY protocol connection header. This directive is solely for validating new PROXY protocol connections received from a port flagged with require-proxy-header. It is checked only once after TCP connection setup. A deny match results in TCP connection closure. An allow match is required for Squid to permit the corresponding TCP connection, before Squid even looks for HTTP request headers. If there is an allow match, Squid starts using PROXY header information to determine the source address of the connection for all future ACL checks, logging, etc. SECURITY CONSIDERATIONS: Any host from which we accept client IP details can place incorrect information in the relevant header, and Squid will use the incorrect information as if it were the source address of the request. This may enable remote hosts to bypass any access control restrictions that are based on the client's source addresses. This clause only supports fast acl types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. |
|
| Index | Alphabetical Index |