Squid: disable X-Forwarded-For, but only for specific ACLs

squidx-forwarded-for

I know, that I can turn off X-Forwarded-For header in Squid completley by using directive "forwarded_for off" or "forwarded_for delete" globally. I would like to be able to disable that header only for specific ACLs, so I can disable this header only for given URLs and have it enabled for others. Is there any way to do that?

Best Answer

You can create an ACL based on an external file to store URLs (easier to manage in my opinion) :

acl NoXForwardedFor dstdomain "/etc/squid/NoXForwardedFor.txt"

The content of /etc/squid/NoXForwardedFor.txt would be something like this :

.serverfault.com
.superuser.com
.stackoverflow.com

Then remove X-Forwarded-From from the header for the given ACL :

request_header_access X-Forwarded-For deny NoXForwardedFor

Note : You can use the dst directive instead of the dstdomain directive. But it requires URL host's IP address, so make sure the target domain has fixed ip address(es).

Maybe some useful links for deeper understanding :

Related Solutions

Squid – Remove X-Forwarded-For Header

Here's the full list you need:-

via off
forwarded_for off
follow_x_forwarded_for deny all
request_header_access X-Forwarded-For deny all
header_access X_Forwarded_For deny all

Tomcat – Overriding the X-Forwarded-For header in haproxy

Tear it off the request header, before HAProxy adds its own:

reqidel ^X-Forwarded-For:.*

The risk to this change is that you'll lose your information about the "real" client IP address - your logs will then be showing the IP of the proxy server that the client is using. Sounds like you're ok with that!

As an aside, see this question for some interesting info on confusion over the append order of the X-Forwarded-For header.

Best Answer

Related Solutions

Squid – Remove X-Forwarded-For Header

Tomcat – Overriding the X-Forwarded-For header in haproxy

Related Topic