On Tue, 15 Sep 2009 01:31:08 +0200, Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx> wrote:
> Sat 2009-09-12 at 16:50 +1200, Amos Jeffries wrote:
>
>> No it's not.
>>
>> accel mode == reverse proxy == squid pretending to be a web server.
>>
>> tproxy == squid pretending not to be there.
>
> But why is that? There is not really any technical reason why not TPROXY
> can be used in reverse proxy mode as well for spoofing the client IP.
>
> In TPROXY (kernel) there is not really any connection between having a
> tproxy-intercepted incoming connection and the spoofing of the source IP
> on an outgoing connection.

The big reason is that TPROXY passes the IPs to Squid inverted via accept(). There is no probe like the NAT ORIGINAL_DST to separate the TPROXY and non-TPROXY received connections. The only way to identify this IP inversion is the flags in squid.conf.

TPROXY then kicks in the transparent mode flag. Which does URL reconstruction without the defaultsite= vhost vport operations being done. Since they are the main benefits of accel mode over plain tproxy mode....

Amos
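
The missing probe described in the reply above, as an added example that is not from the thread or from Squid's source: on Linux a NAT-redirected socket can be recognised because `SO_ORIGINAL_DST` disagrees with `getsockname()`, while a TPROXY-delivered socket looks the same as a direct one. The names `classify_accepted` and `loopback_accept` are hypothetical, and the code assumes IPv4 TCP on Linux.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80 /* value from <linux/netfilter_ipv4.h> */
#endif

enum origin { ORIGIN_ERROR = -1, ORIGIN_NAT = 1, ORIGIN_DIRECT_OR_TPROXY = 2 };

/* Classify an accepted IPv4 TCP socket using only what the kernel exposes. */
enum origin classify_accepted(int fd)
{
    struct sockaddr_in local, orig;
    socklen_t len = sizeof(local);

    if (getsockname(fd, (struct sockaddr *)&local, &len) != 0)
        return ORIGIN_ERROR;
    len = sizeof(orig);
    /* Conntrack answers this only when it tracks the flow; a DNAT/REDIRECT
     * rule makes the answer differ from the socket's local address. */
    if (getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, &orig, &len) == 0 &&
        (orig.sin_addr.s_addr != local.sin_addr.s_addr ||
         orig.sin_port != local.sin_port))
        return ORIGIN_NAT;
    /* TPROXY does not rewrite the packet: getsockname() already holds the
     * address the client dialled, exactly as for a connection made straight
     * to this host, so these two calls cannot tell the cases apart. */
    return ORIGIN_DIRECT_OR_TPROXY;
}

/* Constructed test input: accept one connection over 127.0.0.1. */
int loopback_accept(void)
{
    struct sockaddr_in a;
    socklen_t len = sizeof(a);
    int ls = socket(AF_INET, SOCK_STREAM, 0), c = socket(AF_INET, SOCK_STREAM, 0);

    memset(&a, 0, sizeof(a));
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (ls < 0 || c < 0 || bind(ls, (struct sockaddr *)&a, sizeof(a)) != 0 ||
        listen(ls, 1) != 0 || getsockname(ls, (struct sockaddr *)&a, &len) != 0 ||
        connect(c, (struct sockaddr *)&a, sizeof(a)) != 0)
        return -1;
    return accept(ls, NULL, NULL); /* client and listener fds stay open */
}
```

Because the second result covers both direct and TPROXY connections, a proxy has to be told by configuration which listening port receives TPROXY traffic.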