[squid-users] tproxy_uses_indirect_client from Steve Hill on 2012-12-20 (squid-users)

From: Steve Hill <steve_at_opendium.com>
Date: Thu, 20 Dec 2012 12:11:24 +0000

I'm trying to understand the purpose of the tproxy_uses_indirect_client
configuration directive and how to use it.

Given the following scenario:

A client (192.168.1.50) is sat behind a transparent proxy (lets call it
"proxy A" - 192.168.2.1). Proxy A has a parent proxy ("proxy B" -
192.168.3.1) and is therefore forwarding some (but possibly not all)
traffic to proxy B.

So, the client sends traffic to a web server (10.0.0.1). The connection
from the client looks like:
source: 192.168.1.50 -> dest: 10.0.0.1
This is intercepted by proxy A, which inserts an X-Forwarded-For header.

There are now 2 possible paths the traffic can take:
1. Direct to the web server:
The proxy spoofs the source address, so the output of the proxy and
traffic the web server sees is still:
source: 192.168.1.50 -> dest: 10.0.0.1

2. Via proxy B, so the output of proxy A is:
source: 192.168.2.1 -> dest: 192.168.3.1
Proxy B then handles the traffic and the web server sees:
source: 192.168.3.1 -> dest: 10.0.0.1

In (2), the traffic isn't being spoofed. If you want to enable
spoofing, the tproxy_uses_indirect_client configuration directive looks
promising - proxy B would be able to determine the client's address from
the XFF header and spoof it appropriately.

However, as far as I can tell, spoofing only ever gets turned on if the
client is connecting via a tproxy socket. But proxy A isn't going to be
connecting to proxy B via a tproxy socket, so I don't understand how the
tproxy_uses_indirect_client directive is supposed to be used.

Am I misunderstanding the purpose of this configuration directive?

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com
Direct contacts:
    Instant messager: xmpp:steve_at_opendium.com
    Email:            steve_at_opendium.com
    Phone:            sip:steve_at_opendium.com
Sales / enquiries contacts:
    Email:            sales_at_opendium.com
    Phone:            +44-844-9791439 / sip:sales_at_opendium.com
Support contacts:
    Email:            support_at_opendium.com
    Phone:            +44-844-4844916 / sip:support_at_opendium.com

Received on Thu Dec 20 2012 - 12:11:34 MST

This archive was generated by hypermail 2.2.0 : Thu Dec 20 2012 - 12:00:05 MST