RE: [squid-users] Is it possible to set tproxy at httpd-accel mode?

From: MontyRee <chulmin2_at_hotmail.com>
Date: Mon, 14 Sep 2009 17:57:11 +0000

Thanks for your answer.
 
But in the case of a commercial Web Application Firewall (WAF),
I found that tproxy was installed along with some daemon like squid to filter the
web traffic transparently,
and the real client IP is seen at the origin server.
  
Is it a different case?
 
 
Thanks for your comments.
 
 
> MontyRee wrote:
>> Hello, all.
>>
>> I saw a very useful function named tproxy.
>> So please check whether the below is possible or not.
>>
>>
>> Client(192.168.3.2) ==> http-accelerator mode squid(10.10.1.2) ==> apache web server(10.10.1.1)
>>
>> When I see the log file at apache, only cache(10.10.1.2) ip will be seen without regard to clients.
>> but when I set tproxy at squid server, I can see the real client IPs, right?
>>
>> then how can I set iptables rule at squid server(10.10.1.2)?
>> It seems that most examples are for forward proxy not httpd-accel mode.
>>
>> http://wiki.squid-cache.org/ConfigExamples/
>>
>> I know that "HTTP_X_FORWARDED_FOR" would be possible,
>> but I don't want it. Please share how to set tproxy for accel mode.
>>
>>
>> Thanks in advance.
>>
>
> No, it's not.
>
> accel mode == reverse proxy == squid pretending to be a web server.
>
> tproxy == squid pretending not to be there.
>
> When Squid pretends not to be there it cannot perform the actions needed
> to make it look like a web server.
>
> X-Forwarded-For is the way to do this. Whether you want to do it that
> way or not. It's the way you get the real client IP through the various
> middleware proxies already passing traffic from box to box around the
> Internet in a www version of NAT.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19
> Current Beta Squid 3.1.0.13
Received on Mon Sep 14 2009 - 17:57:18 MDT
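
An added example, not part of the original messages or of Squid: one way an application behind the accelerator can take the client address from X-Forwarded-For while honouring the header only when the connection comes from the Squid box in the diagram (10.10.1.2). The function names, the trusted-proxy list and the sample header values are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the only proxy allowed to vouch for a client address is the
# accelerator from the thread's diagram (10.10.1.2).
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.1.2/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_header):
    """Return the address the origin server should log for a request.

    peer       -- TCP source address seen by the origin server
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer_addr = ipaddress.ip_address(peer)
    # A host connecting directly can put anything in the header, so the
    # header is ignored unless the peer is the known accelerator.
    if not _is_trusted(peer_addr) or not xff_header:
        return str(peer_addr)
    # Each proxy appends the address it received the request from, so the
    # right-most entry was written by our own accelerator. Walk from the
    # right and stop at the first hop that is not a trusted proxy; entries
    # further left were supplied by the client side and are not verified.
    candidate = peer_addr
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # "unknown" or garbage: keep the last verified address
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For value)
    samples = [
        ("10.10.1.2", "192.168.3.2"),           # normal request via Squid
        ("10.10.1.2", "1.2.3.4, 192.168.3.2"),  # client sent its own XFF
        ("203.0.113.9", "192.168.3.2"),         # header from untrusted peer
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", client_ip(peer, xff))
```
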

This archive was generated by hypermail 2.2.0 : Tue Sep 15 2009 - 12:00:02 MDT