I'm trying to understand the purpose of the tproxy_uses_indirect_client
configuration directive and how to use it.

Given the following scenario:

A client (192.168.1.50) is sat behind a transparent proxy (let's call it
"proxy A" - 192.168.2.1). Proxy A has a parent proxy ("proxy B" -
192.168.3.1) and is therefore forwarding some (but possibly not all)
traffic to proxy B.

So, the client sends traffic to a web server (10.0.0.1). The connection
from the client looks like:
   source: 192.168.1.50 -> dest: 10.0.0.1

This is intercepted by proxy A, which inserts an X-Forwarded-For header.
There are now 2 possible paths the traffic can take:

1. Direct to the web server:
   The proxy spoofs the source address, so the output of the proxy and
   traffic the web server sees is still:
      source: 192.168.1.50 -> dest: 10.0.0.1

2. Via proxy B, so the output of proxy A is:
      source: 192.168.2.1 -> dest: 192.168.3.1
   Proxy B then handles the traffic and the web server sees:
      source: 192.168.3.1 -> dest: 10.0.0.1

In (2), the traffic isn't being spoofed. If you want to enable
spoofing, the tproxy_uses_indirect_client configuration directive looks
promising - proxy B would be able to determine the client's address from
the XFF header and spoof it appropriately.

However, as far as I can tell, spoofing only ever gets turned on if the
client is connecting via a tproxy socket. But proxy A isn't going to be
connecting to proxy B via a tproxy socket, so I don't understand how the
tproxy_uses_indirect_client directive is supposed to be used.

Am I misunderstanding the purpose of this configuration directive?

--
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messenger: xmpp:steve_at_opendium.com
   Email:             steve_at_opendium.com
   Phone:             sip:steve_at_opendium.com

Sales / enquiries contacts:
   Email:             sales_at_opendium.com
   Phone:             +44-844-9791439 / sip:sales_at_opendium.com

Support contacts:
   Email:             support_at_opendium.com
   Phone:             +44-844-4844916 / sip:support_at_opendium.com

Received on Thu Dec 20 2012 - 12:11:34 MST
This archive was generated by hypermail 2.2.0 : Thu Dec 20 2012 - 12:00:05 MST
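
Added example (not part of the original message and not Squid's code): a small Python model of how a parent proxy such as proxy B could derive the indirect client address from X-Forwarded-For, backtracking only through hops it trusts, in the way Squid's follow_x_forwarded_for directive is documented to do. The function names and the forged-header sample are constructed for illustration; the addresses are the ones from the scenario above.

```python
import ipaddress


def indirect_client(peer, xff_header, trusted):
    """Return the address a proxy should treat as the original client.

    peer       -- source address of the TCP connection this proxy accepted
    xff_header -- raw X-Forwarded-For value, or None if absent
    trusted    -- networks whose X-Forwarded-For claims are believed
    """
    nets = [ipaddress.ip_network(n) for n in trusted]

    def is_trusted(addr):
        return any(addr in net for net in nets)

    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]

    # Walk from the most recent hop (rightmost entry) backwards. Each entry
    # is only believed if the host that reported it is itself trusted.
    while hops and is_trusted(current):
        candidate = hops.pop()
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return str(current)


# Constructed inputs using the addresses from the scenario.
PROXY_A = "192.168.2.1"
CLIENT = "192.168.1.50"
TRUSTED_BY_PROXY_B = [PROXY_A + "/32"]  # proxy B trusts only proxy A


def scenario_results():
    return {
        # Path 2: proxy A forwards to proxy B with the header it inserted.
        "via_proxy_a": indirect_client(PROXY_A, CLIENT, TRUSTED_BY_PROXY_B),
        # The client pre-seeds a forged entry; proxy A appends the real one.
        "forged_by_client": indirect_client(
            PROXY_A, "203.0.113.9, " + CLIENT, TRUSTED_BY_PROXY_B),
        # A host that is not proxy A talks to proxy B and supplies XFF itself.
        "untrusted_peer": indirect_client(
            CLIENT, "203.0.113.9", TRUSTED_BY_PROXY_B),
    }


if __name__ == "__main__":
    for name, addr in scenario_results().items():
        print(f"{name}: {addr}")
```

The forged and untrusted cases show why the trust list matters when the derived address is then used for source spoofing: without it, any sender of an X-Forwarded-For header would choose the address proxy B presents to the web server.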