I'm trying to understand the purpose of the tproxy_uses_indirect_client
configuration directive and how to use it.

Given the following scenario:

A client (192.168.1.50) is sat behind a transparent proxy (let's call it
"proxy A" - 192.168.2.1). Proxy A has a parent proxy ("proxy B" -
192.168.3.1) and is therefore forwarding some (but possibly not all)
traffic to proxy B.

So, the client sends traffic to a web server (10.0.0.1). The connection
from the client looks like:

  source: 192.168.1.50 -> dest: 10.0.0.1

This is intercepted by proxy A, which inserts an X-Forwarded-For header.
There are now 2 possible paths the traffic can take:

1. Direct to the web server:
   The proxy spoofs the source address, so the output of the proxy and
   traffic the web server sees is still:

     source: 192.168.1.50 -> dest: 10.0.0.1

2. Via proxy B, so the output of proxy A is:

     source: 192.168.2.1 -> dest: 192.168.3.1

   Proxy B then handles the traffic and the web server sees:

     source: 192.168.3.1 -> dest: 10.0.0.1

In (2), the traffic isn't being spoofed. If you want to enable
spoofing, the tproxy_uses_indirect_client configuration directive looks
promising - proxy B would be able to determine the client's address from
the XFF header and spoof it appropriately.

However, as far as I can tell, spoofing only ever gets turned on if the
client is connecting via a tproxy socket. But proxy A isn't going to be
connecting to proxy B via a tproxy socket, so I don't understand how the
tproxy_uses_indirect_client directive is supposed to be used.

Am I misunderstanding the purpose of this configuration directive?

--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
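
Added example, not part of the original post and not Squid's own code: a sketch of how a parent proxy such as proxy B could derive the client address from X-Forwarded-For while only believing entries reported by a trusted hop, since the header is otherwise client-controlled. The function names and the trusted list (proxy A only, using the addresses from the scenario above) are assumptions made for illustration.

```python
import ipaddress

# Assumption: proxy B trusts X-Forwarded-For only when it comes from proxy A.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.2.1/32")]


def is_trusted(addr, trusted):
    """True if addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def indirect_client(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address proxy B should treat as the client.

    Walk X-Forwarded-For from right to left. An entry is accepted only
    if the hop that reported it (the current address) is trusted. The
    walk stops at the first untrusted hop or malformed entry, so values
    a client placed in the header itself are never believed.
    """
    current = peer_addr
    entries = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    for entry in reversed(entries):
        if not is_trusted(current, trusted):
            break
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            break  # e.g. "unknown" or garbage: keep the last good address
        current = entry
    return current


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer seen by proxy B, XFF header)
    samples = [
        ("192.168.2.1", "192.168.1.50"),            # via proxy A
        ("192.168.2.1", "10.9.9.9, 192.168.1.50"),  # client forged 10.9.9.9
        ("203.0.113.9", "192.168.1.50"),            # untrusted peer
    ]
    for peer, xff in samples:
        print(f"{peer:<14} {xff:<26} -> {indirect_client(peer, xff)}")
```

Whether the address found this way is then used as the outgoing source address is the separate question the post raises.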