On 18/12/12 12:27 AM, Jan Engelhardt wrote:
On Tuesday 2012-12-18 08:45, Jack Bates wrote:
Do you have any advice how to discriminate traffic from clients from
traffic from our transparent proxy?
Our proxy sends requests to origin servers with the same source address
as the request from the client, so we can do per-host traffic shaping
on our router. [What options are there?]
I take it you might be using something like squid and tproxy.
You're right, we're using Apache Traffic Server and tproxy. Traffic
Server is configured with "CONFIG proxy.config.http.server_ports STRING
8080:tr-full" to make both connections to clients and connections to
origin servers transparent.
But consequently I wonder how to discriminate client requests from proxy
requests,
The origin servers can inspect the "Via:" HTTP request header to
determine the presence of a proxy. There might be other headers your
proxy server is emitting that you would normally not find in a pure
client request.
Interesting suggestion, I hadn't thought of inspecting the application
layer. I want our router (not the origin server) to discriminate between
requests from clients and requests from the proxy (to reroute the former
via the transparent proxy, but not the latter) so I had in mind teaching
iptables to recognize the difference.
We run Traffic Server as a forward proxy.
A second possibility, when proxy server and origin server are on the
same Ethernet subnet, is to look at the L2 address. Of course the L2
addr can be "tproxified" as well, but usually is not worth doing.
This is a possibility, with "iptables -m mac --mac-source ..." The proxy
and the router are on the same subnet. Are there any other options?
I tried adding a second IP to the router, as an alias, changing the
default gateway of the proxy to this other address, and matching traffic
from the proxy with "iptables -i br-lan:1" but I discovered that
--in-interface doesn't support aliases (I guess this makes sense,
traffic doesn't reference the IP of the next hop, so how can you tell
which alias it arrived on?)
and route the former to the proxy, but not route the latter.
As you have noticed, if the original client address is used, routing
topology/rules needs to be laid out such that packets to client
addresses always pass through the proxy server machine in both
directions. (This is the same prerequisite as for connection-tracked
NAT.)
Discriminating between responses from origin servers and responses from
the proxy is easier because the proxy is on a different router interface
than our internet connection, so I use the following to reroute
responses via the transparent proxy:
iptables -A PREROUTING -t mangle -i eth0.2 -p tcp --sport 80 -j MARK
--set-mark 1/1
ip rule add fwmark 1/1 table 1
ip route add table 1 via 192.168.1.35
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
