
Re: proxy ip



Quoting messmate <messmate@free.fr>:

> On Tue, 05 Oct 2004 10:19:44 +0200
> "Thomas W. Capacci" <mrcapacci@free.fr> wrote:
>
> >messmate wrote:
> >> Hello,
> >> I have a router/firewall/proxy for my small network.
> >> After checking, I noticed that the IP of my
> >> machines is visible from the outside!
> >> Is there a way to avoid this? Perhaps through
> >> my proxy by putting in some dummy IP?
> >> Thanks in advance
> >> mess-mate
> >>
> >>
> >>
> >assuming you are using squid, you can specify
> >client_netmask 255.255.255.0
> >to preserve the anonymity of clients only on requests to the
> >proxy; otherwise you can use your firewall's masquerading.
> >
> >--
> I have just checked after changing the client_netmask and
> reinitializing squid.
> But the machine's IP is still there:
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
> Accept-Language: fr,en;q=0.8,ru;q=0.5,zh;q=0.3
> Connection: keep-alive
> Host: www.grc.com
> Referer: http://www.grc.com/x/ne.dll?rh1dkyd2
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.6) Gecko/20040413 Debian/1.6-5 StumbleUpon/1.998
> Content-Length: 32
> Content-Type: application/x-www-form-urlencoded
> Via: 1.1 mo.bidule.com:3128 (squid/2.5.STABLE5)
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> X-Forwarded-For: 192.168.xx.xx
> Cache-Control: max-age=259200
> Secure: https://www.grc.com
> Nonsecure: http://www.grc.com
> MediaPort: 8094
>
> (I replaced the IP with xx)
> mess-mate
>
>


Apparently Squid does this all the time; odd, so what is the client
netmask for?
If you speak English, it seems you can replace the IPs with "unknown" by
disabling forwarded for in squid.conf:
What is ``HTTP_X_FORWARDED_FOR''? Why does squid provide it to WWW servers, and
how can I stop it?

When a proxy-cache is used, a server does not see the connection coming from the
originating client. Many people like to implement access controls based on the
client address. To accommodate these people, Squid adds its own request header
called "X-Forwarded-For" which looks like this:

        X-Forwarded-For: 128.138.243.150, unknown, 192.52.106.30

Entries are always IP addresses, or the word unknown if the address could not be
determined or if it has been disabled with the forwarded_for configuration
option.

We must note that access controls based on this header are extremely weak and
simple to fake. Anyone may hand-enter a request with any IP address whatsoever.
This is perhaps the reason why client IP addresses have been omitted from the
HTTP/1.1 specification.
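
The FAQ's warning that this header is simple to fake, seen from the receiving server's side, as an added example that is not part of the original message or of Squid. It walks the X-Forwarded-For list right to left and believes an entry only when it was appended by a proxy the server trusts; the proxy address 192.0.2.10 and the function names are assumptions made for the illustration.

```python
import ipaddress

# Assumption: the only proxy allowed to vouch for clients (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr):
    """True when addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_address(peer_ip, xff_header):
    """Return the address an access control may rely on.

    peer_ip    -- source address of the TCP connection (not settable by a header)
    xff_header -- raw X-Forwarded-For value, or None when absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header sent by an arbitrary peer is hand-entered data: ignore it.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)

    # Each proxy appends the address it saw, so the rightmost entry is the
    # most recent hop. Walk right to left and stop at the first entry that
    # was not written by a trusted proxy; everything left of it is unverified.
    candidate = peer
    for entry in reversed([e.strip() for e in xff_header.split(",")]):
        try:
            hop = ipaddress.ip_address(entry)
        except ValueError:
            # "unknown" (forwarded_for disabled), a masked value such as
            # 192.168.xx.xx, or garbage: nothing further can be verified.
            break
        candidate = hop
        if not _is_trusted(hop):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed sample: the header line quoted from the FAQ above.
    print(client_address("192.0.2.10", "128.138.243.150, unknown, 192.52.106.30"))
```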


