Re: [squid-users] Is it possible to set tproxy at httpd-accel mode?

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Tue, 15 Sep 2009 08:00:46 +0200

Tue 2009-09-15 at 14:43 +1200, Amos Jeffries wrote:

> > Yes, but here we are talking about the other side, when Squid makes the
> > outgoing connection. That part does not need to depend in any way on how
>
> We are talking about setting http_port (incoming) options. Or so I thought.

I am not sure where such a setting belongs, but probably not http_port, as
it does not really have to do with how the request is accepted, only with
how it's forwarded.

> That would be some other functionality not related to what the existing
> http_port tproxy flag does. Spoofing without handling inbound spoofed
> requests. IMO it is as nice to use as a certain login function turned out
> to be.

Exactly.

> You can try it I suppose. I suspect there is likely some kernel
> implementation bits that prevent random IP spoofing though. The only limit
> in Squid is that spoof_client_ip flag must be set before tcp outgoing
> address is selected.

The only limit I know of is that the application needs to have the
appropriate privileges, and TPROXY needs to be enabled in the kernel
obviously.

Regards
Henrik
Received on Tue Sep 15 2009 - 06:00:50 MDT
