This article describes how you can rebuild the Squid 2.6 package for Debian Etch with support for X-Forwarded-For headers – this feature is not enabled in the default Debian Etch Squid package. This feature is useful if you are using Squid as a reverse proxy for your web site and are using a load balancer (such as HAProxy) in front of Squid – it allows us to track the client’s original IP address instead of the load balancer’s IP address (which to Squid appears as the client).
From the Squid documentation:
Requests may pass through a chain of several other proxies before reaching us. The X-Forwarded-For header will contain a comma-separated list of the IP addresses in the chain, with the rightmost address being the most recent. If a request reaches us from a source that is allowed by this configuration item, then we consult the X-Forwarded-For header to see where that host received the request from. If the X-Forwarded-For header contains multiple addresses, and if acl_uses_indirect_client is on, then we continue backtracking until we reach an address for which we are not allowed to follow the X-Forwarded-For header, or until we reach the first address in the list. (If acl_uses_indirect_client is off, then it’s impossible to backtrack through more than one level of X-Forwarded-For addresses.)
The end result of this process is an IP address that we will refer to as the indirect client address. This address may be treated as the client address for access control, delay pools and logging, depending on the acl_uses_indirect_client, delay_pool_uses_indirect_client and log_uses_indirect_client options.
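The backtracking rule quoted above, modelled in Python as an added example (it is not Squid's code and not part of the original article). The function name, the sample addresses and the handling of unparsable entries are assumptions; the point is that only the load balancer's address should be allowed to have its X-Forwarded-For header followed, because a client can forge the entries to the left of the one the load balancer appended.

```python
import ipaddress

def indirect_client(direct_peer, xff_header, trusted_nets, uses_indirect_client=True):
    """Model of the quoted backtracking rule (not Squid's implementation).

    trusted_nets: sources whose X-Forwarded-For header may be followed.
    uses_indirect_client: models acl_uses_indirect_client on/off.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    current = ipaddress.ip_address(direct_peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    steps = 0
    # The rightmost entry is the most recent hop, so walk right to left
    # for as long as the address we are standing on is a trusted source.
    while hops and any(current in n for n in nets):
        if steps >= 1 and not uses_indirect_client:
            break  # off: no more than one level of backtracking
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # assumption: stop at an unparsable entry
        steps += 1
    return str(current)

# Constructed sample: a client at 203.0.113.7 sent a forged
# "X-Forwarded-For: 198.51.100.99"; the load balancer (10.0.0.5)
# appended the address it actually saw.
LB = "10.0.0.5"
HEADER = "198.51.100.99, 203.0.113.7"

if __name__ == "__main__":
    # Only the load balancer is trusted: the forged entry is never reached.
    print(indirect_client(LB, HEADER, ["10.0.0.5/32"]))
    # Every source trusted: backtracking runs to the forged leftmost entry.
    print(indirect_client(LB, HEADER, ["0.0.0.0/0"]))
    # Same, but with acl_uses_indirect_client off: one level only.
    print(indirect_client(LB, HEADER, ["0.0.0.0/0"], uses_indirect_client=False))
    # A direct connection from an untrusted peer: its header is ignored.
    print(indirect_client("203.0.113.7", "10.0.0.1", ["10.0.0.5/32"]))
```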
You can use the following configuration options in squid.conf if the feature is enabled:
I do not issue any guarantee that this will work for you!
First we install some compilers and development tools:
apt-get install devscripts build-essential fakeroot
Next we install the Squid source package…
apt-get source squid
… and the dependencies for building a new Squid package:
apt-get build-dep squid
Then we go to the debian directory within the Squid directory…
… and open the rules file:
There you should find a section that starts as follows…
# Configure the package.
… followed by Squid configuration options. Add the line --enable-follow-x-forwarded-for \ to the configuration options so that the section looks as follows:
[...]
# Configure the package.
config.status:
	$(opt_ac_cv_func_setresuid) \
	./configure \
	--prefix=/usr \
	--exec_prefix=/usr \
	--bindir=/usr/sbin --sbindir=/usr/sbin \
	--libexecdir=/usr/lib/squid \
	--sysconfdir=$(sysconfdir) \
	--localstatedir=/var/spool/squid \
	--datadir=/usr/share/squid \
	$(with_pthreads) \
	$(with_netfilter) \
	$(with_arp_acl) \
	$(with_epoll) \
	--enable-removal-policies=lru,heap \
	--enable-snmp \
	--enable-delay-pools \
	--enable-htcp \
	--enable-cache-digests \
	--enable-underscores \
	--enable-referer-log \
	--enable-useragent-log \
	--enable-auth="basic,digest,ntlm" \
	--enable-carp \
	--enable-follow-x-forwarded-for \
	--with-large-files \
	$(DEB_HOST_ARCH_CPU)-debian-$(DEB_HOST_ARCH_OS)
[...]
Next go up one directory…
… and start the building process:
debuild -us -uc -b
Afterwards, go to the /usr/src directory…
… and run
You should find new Squid .deb packages:
server1:/usr/src# ls -l
drwxr-xr-x 15 root root    4096 2008-11-26 01:14 squid-2.6.5
-rw-r--r--  1 root src   273063 2008-11-26 00:41 squid_2.6.5-6etch4.diff.gz
-rw-r--r--  1 root src      432 2008-11-26 00:41 squid_2.6.5-6etch4.dsc
-rw-r--r--  1 root src   143884 2008-11-26 01:14 squid_2.6.5-6etch4_i386.build
-rw-r--r--  1 root src     1135 2008-11-26 01:14 squid_2.6.5-6etch4_i386.changes
-rw-r--r--  1 root src   655604 2008-11-26 01:14 squid_2.6.5-6etch4_i386.deb
-rw-r--r--  1 root src  1636886 2006-11-06 12:32 squid_2.6.5.orig.tar.gz
-rw-r--r--  1 root src   117120 2008-11-26 01:14 squid-cgi_2.6.5-6etch4_i386.deb
-rw-r--r--  1 root src    86132 2008-11-26 01:14 squidclient_2.6.5-6etch4_i386.deb
-rw-r--r--  1 root src   442218 2008-11-26 01:14 squid-common_2.6.5-6etch4_all.deb
Pick the squid and squid-common packages and install them as follows:
dpkg -i squid_2.6.5-6etch4_i386.deb squid-common_2.6.5-6etch4_all.deb
That’s it – now Squid supports X-Forwarded-For headers.
- Squid: http://www.squid-cache.org/
- Debian: http://www.debian.org/