Re: [squid-users] Is it possible to set tproxy at httpd-accel mode?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 15 Sep 2009 12:28:08 +1200

On Tue, 15 Sep 2009 01:31:08 +0200, Henrik Nordstrom
<henrik_at_henriknordstrom.net> wrote:
> Sat 2009-09-12 at 16:50 +1200, Amos Jeffries wrote:
>
>> No, it's not.
>>
>> accel mode == reverse proxy == squid pretending to be a web server.
>>
>> tproxy == squid pretending not to be there.
>
> But why is that? There is not really any technical reason why TPROXY
> cannot be used in reverse proxy mode as well for spoofing the client IP.
>
> In TPROXY (kernel) there is not really any connection between having a
> tproxy-intercepted incoming connection and the spoofing of the source IP
> on an outgoing connection.

The big reason is that TPROXY passes the IPs to Squid inverted via
accept(). There is no probe like the NAT ORIGINAL_DST to separate the
TPROXY and non-TPROXY received connections. The only way to identify this
IP inversion is the flags in squid.conf.

TPROXY then kicks in the transparent mode flag, which does URL
reconstruction without the defaultsite= vhost vport operations being done.
Since they are the main benefits of accel mode over plain tproxy mode....

Amos
Received on Tue Sep 15 2009 - 00:28:12 MDT
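
The distinction drawn in the reply above, as an added sketch (not Squid's code and not part of the original message): a NAT-intercepted socket can be recognised by probing `SO_ORIGINAL_DST`, while for anything else the accepted socket only reports a local address, so the listener's configured flag has to decide. The names `nat_original_dst`, `classify`, `loopback_pair` and `port_has_tproxy_flag` are hypothetical; IPv4 on Linux is assumed.

```python
import socket
import struct

SO_ORIGINAL_DST = 80  # from <linux/netfilter_ipv4.h>; answered by netfilter NAT


def nat_original_dst(conn):
    """Ask netfilter for the pre-NAT destination; None if there is no answer."""
    try:
        raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
        port, addr = struct.unpack("!2xH4s8x", raw)  # struct sockaddr_in
    except (OSError, struct.error):
        return None
    return (socket.inet_ntoa(addr), port)


def classify(conn, port_has_tproxy_flag):
    """Decide how an accepted IPv4 connection reached the listener."""
    local = conn.getsockname()
    probed = nat_original_dst(conn)
    if probed is not None and probed != local:
        # NAT rewrote the destination and the kernel can report the original.
        return ("nat-intercepted", probed)
    # No equivalent probe separates a TPROXY socket from an ordinary one:
    # both just report a local address. Only the listener's configuration
    # says how that address is to be interpreted.
    if port_has_tproxy_flag:
        return ("tproxy", local)
    return ("direct", local)


def loopback_pair():
    """Constructed sample input: one plain TCP connection over 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    conn, _ = listener.accept()
    return listener, client, conn


if __name__ == "__main__":
    listener, client, conn = loopback_pair()
    for flag in (False, True):
        print("tproxy flag", flag, "->", classify(conn, flag))
    for s in (conn, client, listener):
        s.close()
```

The same socket is classified differently depending only on the flag passed in, which is the dependency on squid.conf that the reply describes.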
