On 29.11.12 11:08, Amos Jeffries wrote:
> Was it you that mentioned elsewhere you were trying to avoid TPROXY
> because you had internal web servers? cache_peer can point directly at
> the internal servers to avoid having an extra proxy hop. The cache_peer
> no-tproxy option was added for exactly this scenario. TPROXY spoofing is
> only mandatory on DIRECT traffic at present.
It was indeed me.  I know that the cache_peer can be tweaked to disable 
spoofing for specific servers, but this is a bit of a management 
nightmare to maintain a list of all possible internal machines (these 
servers are deployed on customer sites and would involve the customer 
liaising with us every time they add/remove a server from their network, 
which isn't really feasible).
My take on it is that we gain absolutely nothing from the spoofing 
behaviour, since all internet-bound traffic is going to be NATted to a 
single IP anyway, and all local traffic needs to be unspoofed for 
routing reasons, so the sensible option is to just disable it entirely. 
From the code it does look like this is reasonably easy to do, so may 
be my next job.  In the long run, it would probably be good to have an 
ACL to control whether or not to spoof though.
-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com
Direct contacts:
    Instant messenger: xmpp:steve_at_opendium.com
    Email:            steve_at_opendium.com
    Phone:            sip:steve_at_opendium.com
Sales / enquiries contacts:
    Email:            sales_at_opendium.com
    Phone:            +44-844-9791439 / sip:sales_at_opendium.com
Support contacts:
    Email:            support_at_opendium.com
    Phone:            +44-844-4844916 / sip:support_at_opendium.com
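For readers following the thread, this is what Amos's suggestion looks like in squid.conf: TPROXY on the intercept port, and one `cache_peer` per internal server carrying `no-tproxy` so Squid does not spoof the client address when talking to that host. This is an added illustration, not configuration from Steve or from the Squid project; the port number, ACL names, peer names and the 10.x addresses are constructed placeholders, while `http_port ... tproxy`, `cache_peer ... no-tproxy`, `cache_peer_access` and `never_direct` are standard Squid directives.

```conf
# Intercept port that receives TPROXY-redirected traffic; DIRECT fetches
# from here spoof the client's source address (the behaviour under discussion).
http_port 3129 tproxy

# Each internal web server needs its own cache_peer and a matching dst ACL.
# Addresses below are constructed examples, not a real customer network.
acl intranet1_dst dst 10.1.2.3/32
acl intranet2_dst dst 10.1.2.4/32

# originserver: the peer is a web server, not another proxy.
# no-tproxy: talk to this peer from Squid's own address, not the client's,
#            so replies route back to the proxy instead of to the client.
cache_peer 10.1.2.3 parent 80 0 no-query no-digest originserver no-tproxy name=intranet1
cache_peer 10.1.2.4 parent 80 0 no-query no-digest originserver no-tproxy name=intranet2

# Pin each peer to its own destination so requests are not sent to the wrong host.
cache_peer_access intranet1 allow intranet1_dst
cache_peer_access intranet1 deny all
cache_peer_access intranet2 allow intranet2_dst
cache_peer_access intranet2 deny all

# Internal destinations must go via the peers; everything else stays DIRECT
# (and therefore spoofed) and is NATted on the way out as before.
never_direct allow intranet1_dst
never_direct allow intranet2_dst
```

The two-server layout makes the maintenance cost Steve describes visible: every host added or removed on the customer network means a new `acl`, `cache_peer`, two `cache_peer_access` lines and a `never_direct` rule, which is why a single switch or ACL to turn spoofing off is attractive for this deployment. A quick check after editing is `squid -k parse`, which reports unknown options such as a misspelled `no-tproxy` before the config is reloaded.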
Received on Thu Nov 29 2012 - 12:40:18 MST