Re: linux netfilter transparency

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 06 Mar 2003 12:27:09 +0100

Thu 2003-03-06 at 11.57, Gianni Tedesco wrote:
> Hi Henrik,
>
> I recall speaking to you a long while ago about adding full transparent
> proxy support in squid (ie: connecting to the server with the source
> address of the client). This solves problems when using squid as a
> back-proxy with webservers that cannot log X-Forwarded-for headers
> in place of source IP address (IIS).
>
> Anyway, my employer is now donating my time for doing that work. I have
> already written other transparent proxy applications using Linux
> netfilter transparent proxy code.
>
> I see that squid already grabs the original destination address and pays
> attention to it. For the second part, I was thinking of just adding a
> new config directive 'totally_transparent on' or something, making that
> option incompatible with server persistent connections (by bailing with
> an error if the user does that) and then just adding some code in the
> http server connect code to do the transparent 'connect from
> ConnStateData.peer' magic.
>
> Does all this sound feasible to you? Is there some other way you would
> like me to do it, some problem I should be aware of? Or is it such a
> fringe feature that you just don't care? ;)

Yes, certainly a feasible task.

I do not really see any major problems in implementation, except that
for maintenance reasons this should be done based on Squid-HEAD if
possible (what will become Squid-3.0). The current networking code is
substantially different from the earlier Squid-2.5 code.

You have already mentioned persistent connections. As you say server
side persistent connections should be disabled in such a setup until Squid
has connection pinning (ability to make client and server side
connections related to each other). Connection pinning would solve this
issue and would make the proxy much more transparent, including also
allowing for Microsoft NTLM/Negotiate authentication to be transparently
proxied.

Another thing you might want to look into at the same time is making
Squid use the original destination IP address instead of the host name.
This has some minor complications in cache consistency, but if the cache
key is changed to include the IP address in addition to the host name on
such requests it should not be a problem. Today the IP address is only
used if there is no Host header in the request. This is because the
information is used when reconstructing the requested URL, not for
forwarding the request.

-- 
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
Received on Thu Mar 06 2003 - 04:27:25 MST
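The "connect from the client's address" step discussed in this thread, as an added example in C that is neither Squid's code nor from either mail: it assumes a current Linux kernel with the IP_TRANSPARENT socket option (the 2003 netfilter tproxy patch exposed a different interface), CAP_NET_ADMIN on the proxy, and that replies from the origin server are routed back through the proxy host.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill an IPv4 sockaddr from dotted-quad text and a host-order port.
 * Returns 0 on success, -1 if the address text is not valid. */
int make_addr(const char *ip, unsigned short port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Open the server-side connection with the client's IP as source address
 * (the address Squid holds in ConnStateData.peer). The source port is
 * forced to 0 so the kernel picks a free ephemeral port. The socket now
 * carries one client's identity, so a persistent-connection pool must
 * never hand it to another client: that is why server-side persistence
 * stays off until connections are pinned client-to-server.
 * Returns a connected fd, or -1 with errno set. */
int connect_as_client(const struct sockaddr_in *client,
                      const struct sockaddr_in *origin)
{
    struct sockaddr_in src = *client;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    src.sin_port = 0;
#ifdef IP_TRANSPARENT
    int one = 1;   /* Linux-only option; needs CAP_NET_ADMIN (assumed) */
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0)
        goto fail;
#else
    errno = ENOPROTOOPT;   /* no spoofed-source support on this platform */
    goto fail;
#endif
    if (bind(fd, (const struct sockaddr *)&src, sizeof src) < 0 ||
        connect(fd, (const struct sockaddr *)origin, sizeof *origin) < 0)
        goto fail;
    return fd;
fail:
    { int saved = errno; close(fd); errno = saved; }
    return -1;
}
```

Because the origin server sees the client's address, it must not have a more direct route back to that client, or its SYN/ACK bypasses the proxy and the connection never completes.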

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:19:24 MST