Re: Is it possible to set tproxy at httpd-accel mode?

On Tue, 15 Sep 2009 01:31:08 +0200, Henrik Nordstrom
<henrik@xxxxxxxxxxxxxxxxxxx> wrote:
> On Sat 2009-09-12 at 16:50 +1200, Amos Jeffries wrote:
> 
>> No, it's not.
>> 
>> accel mode == reverse proxy == squid pretending to be a web server.
>> 
>> tproxy == squid pretending not to be there.
> 
> But why is that? There is not really any technical reason why TPROXY
> cannot be used in reverse proxy mode as well for spoofing the client IP.
> 
> In TPROXY (kernel) there is not really any connection between having a
> tproxy-intercepted incoming connection and the spoofing of the source IP
> on an outgoing connection.

The big reason is that TPROXY passes the IPs to Squid inverted via
accept(). There is no probe like the NAT ORIGINAL_DST to separate the
TPROXY and non-TPROXY received connections. The only way to identify this
IP inversion is the flags in squid.conf.

TPROXY then kicks in the transparent mode flag, which does URL
reconstruction without the defaultsite= vhost vport operations being done.
Since they are the main benefits of accel mode over plain tproxy mode....

Amos
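
Added example, not part of the message above and not Squid's own code: a Linux C sketch of the NAT ORIGINAL_DST probe the reply refers to, showing that it can single out a NAT-redirected socket while a socket whose local address is already the client's intended destination (the TPROXY case, per the message) looks the same as a plain one. The names nat_redirected and probe_plain_loopback are hypothetical, and the loopback connection is constructed sample input.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80 /* value from linux/netfilter_ipv4.h */
#endif

/* Hypothetical helper: 1 if netfilter NAT rewrote this accepted IPv4 socket's
 * destination (pre-NAT target stored in *orig), 0 if not, -1 on error.
 * A TPROXY socket gives 0 as well: getsockname() already holds the address the
 * client dialled, and no socket option marks it as intercepted. */
int nat_redirected(int fd, struct sockaddr_in *orig)
{
    struct sockaddr_in local, dst;
    socklen_t len = sizeof(local);
    if (getsockname(fd, (struct sockaddr *)&local, &len) < 0) return -1;
    *orig = local;
    len = sizeof(dst);
    /* The NAT probe: ask conntrack for the pre-NAT destination. */
    if (getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, &dst, &len) < 0)
        return 0; /* no conntrack entry for this connection */
    if (dst.sin_addr.s_addr == local.sin_addr.s_addr && dst.sin_port == local.sin_port)
        return 0; /* tracked, but destination was not rewritten */
    *orig = dst;
    return 1;
}

/* Constructed input: a plain loopback connection (no NAT, no TPROXY). */
int probe_plain_loopback(void)
{
    struct sockaddr_in a = {0}, orig;
    socklen_t len = sizeof(a);
    int ls = socket(AF_INET, SOCK_STREAM, 0), c = socket(AF_INET, SOCK_STREAM, 0);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks one */
    if (ls < 0 || c < 0 || bind(ls, (struct sockaddr *)&a, sizeof(a)) < 0 ||
        listen(ls, 1) < 0 || getsockname(ls, (struct sockaddr *)&a, &len) < 0 ||
        connect(c, (struct sockaddr *)&a, sizeof(a)) < 0)
        return -1;
    int s = accept(ls, NULL, NULL);
    int r = s < 0 ? -1 : nat_redirected(s, &orig);
    if (r == 0 && orig.sin_port != a.sin_port) r = -1; /* must match dialled port */
    close(s); close(c); close(ls);
    return r;
}

int main(void) { printf("nat_redirected=%d\n", probe_plain_loopback()); return 0; }
```

Because the probe returns 0 for both the plain and the TPROXY case, the listening port's squid.conf flags are the only thing left to tell the proxy how to read the addresses.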

