On Tuesday 2012-12-18 08:45, Jack Bates wrote:

>Do you have any advice how to discriminate traffic from clients from
>traffic from our transparent proxy?
>
>Our proxy sends requests to origin servers with the same source address
>as the request from the client, so we can do per-host traffic shaping
>on our router. [What options are there?]

I take it you might be using something like squid and tproxy.

>But consequently I wonder how to discriminate client requests from proxy
>requests,

The origin servers can inspect the "Via:" HTTP request header to
determine the presence of a proxy. There might be other headers your
proxy server is emitting that you would normally not find in a pure
client request.

A second possibility, when proxy server and origin server are on the
same Ethernet subnet, is to look at the L2 address. Of course the L2
addr can be "tproxified" as well, but usually is not worth doing.

>and route the former to the proxy, but not route the latter.

As you have noticed, if the original client address is used, routing
topology/rules needs to be laid out such that packets to client
addresses always pass through the proxy server machine in both
directions. (This is the same prerequisite as for connection-tracked
NAT.)
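
The "Via:" check mentioned in the reply above, sketched as an added example that is not part of the original message: an origin-side parser that extracts the Via hops and other proxy-added headers from a raw request head. The `PROXY_HINT_HEADERS` set, the function names and the sample requests are assumptions made for illustration.

```python
import re

# Headers other than Via that a forwarding proxy may add. This set is an
# assumption for illustration; check what your own proxy actually emits.
PROXY_HINT_HEADERS = {"x-forwarded-for", "forwarded"}

# One Via element: received-protocol, received-by, optional "(comment)".
VIA_ELEMENT = re.compile(
    r"\s*(?P<protocol>[^\s,()]+)\s+(?P<by>[^\s,()]+)(?:\s+\((?P<comment>[^()]*)\))?\s*$")

def split_via(value):
    """Split a Via value on commas that are not inside a (comment)."""
    parts, depth, cur = [], 0, []
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]

def inspect_request(raw_head):
    """Return (via_hops, hint_headers) for a raw HTTP request head (bytes)."""
    hops, hints = [], set()
    for line in raw_head.decode("latin-1").split("\r\n")[1:]:  # skip request line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "via":
            for element in split_via(value):
                m = VIA_ELEMENT.match(element)
                # An unparsable element still signals a proxy, so keep it raw.
                hops.append(m.groupdict() if m else {"raw": element.strip()})
        elif name in PROXY_HINT_HEADERS:
            hints.add(name)
    return hops, sorted(hints)

# Constructed sample requests (not captured traffic).
DIRECT = b"GET / HTTP/1.1\r\nHost: origin.example\r\nUser-Agent: curl/8\r\n\r\n"
PROXIED = (b"GET / HTTP/1.1\r\nHost: origin.example\r\n"
           b"Via: 1.1 cache1.example (squid, tproxy), 1.0 edge.example\r\n"
           b"X-Forwarded-For: 192.0.2.10\r\n\r\n")
```

An empty result does not prove a direct client: a proxy can be configured not to send these headers, and a client can set them itself.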