Determine which client proxies can be trusted to provide correct
information regarding real client IP address using PROXY protocol.
Requests may pass through a chain of several other proxies
before reaching us. The original source details may by sent in:
* HTTP message Forwarded header, or
* HTTP message X-Forwarded-For header, or
* PROXY protocol connection header.
This directive is solely for validating new PROXY protocol
connections received from a port flagged with require-proxy-header.
It is checked only once after TCP connection setup.
A deny match results in TCP connection closure.
An allow match is required for Squid to permit the corresponding
TCP connection, before Squid even looks for HTTP request headers.
If there is an allow match, Squid starts using PROXY header information
to determine the source address of the connection for all future ACL
checks, logging, etc.
SECURITY CONSIDERATIONS:
Any host from which we accept client IP details can place
incorrect information in the relevant header, and Squid
will use the incorrect information as if it were the
source address of the request. This may enable remote
hosts to bypass any access control restrictions that are
based on the client's source addresses.
This clause only supports fast acl types.
See https://wiki.squid-cache.org/SquidFaq/SquidAcl for details.