Posted to dev@trafficserver.apache.org by "Alan M. Carroll" <am...@network-geographics.com> on 2010/04/18 18:04:46 UTC

Reverse proxy transparency

I read through the documentation on reverse proxy mode but didn't find the answer to my question: what IP address is used by ATS to connect to the origin servers, the client IP address or an address on an ATS interface? If the latter, is it presumed that served content is not dependent on the client IP address?

Re: Reverse proxy transparency

Posted by George Paul <ge...@apache.org>.
The HTTP+Net+ARM modules worked to provide "IP Spoofing" functionality.
However only the Net code remains while HTTP support has been removed
(ARM of course has been removed as mentioned earlier).

-George

On 4/18/10 1:25 PM, Alan M. Carroll wrote:
> Sunday, April 18, 2010, 3:15:16 PM, you wrote:
> 
>> Maybe I'm missing something, but how would it work if you forge the 
>> src-IP to the IP of the client?
> 
> Yes, you would have to provide external routing support to make it 
> work. It would not be possible where the origin servers are external.
> 
>> I don't think we currently support such a setup, not sure how
>> easy or difficult it'd be to add.
> 
> Actually, I am working on that for the forward direction and was 
> interested to know if mechanisms were already in place for the 
> reverse. I will take your reply to indicate not, although the lower 
> level socket mechanisms do seem to have support for a "spoof IP" 
> address.
> 


Re: Reverse proxy transparency

Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Sunday, April 18, 2010, 3:15:16 PM, you wrote:

> Maybe I'm missing something, but how would it work if you forge the 
> src-IP to the IP of the client?

Yes, you would have to provide external routing support to make it 
work. It would not be possible where the origin servers are external.

> I don't think we currently support such a setup, not sure how
> easy or difficult it'd be to add.

Actually, I am working on that for the forward direction and was 
interested to know if mechanisms were already in place for the 
reverse. I will take your reply to indicate not, although the lower 
level socket mechanisms do seem to have support for a "spoof IP" 
address.


Re: Reverse proxy transparency

Posted by Leif Hedstrom <zw...@apache.org>.
On 04/18/2010 10:04 AM, Alan M. Carroll wrote:
> I read through the documentation on reverse proxy mode but didn't find the answer to my question: what IP address is used by ATS to connect to the origin servers, the client IP address or an address on an ATS interface? If the latter, is it presumed that served content is not dependent on the client IP address?

Yeah, it'll be the IP of the interface that you route the outgoing 
request on (by default).

Maybe I'm missing something, but how would it work if you forge the 
src-IP to the IP of the client? The origin would then route back to the 
client IP directly, which is not what you want. Unless of course you 
have configured the origins too to route everything back via the ATS 
server? (The latter sounds like inline routing as done in SLBs for 
example). I don't think we currently support such a setup, not sure how 
easy or difficult it'd be to add.

That much said, there are several headers available for making "ACLs" 
based on the client IP. E.g. "Client-IP" and "X-Forwarded-For". Either 
can obviously be forged, so you have to establish some sort of trust 
relation between your origin and the ATS server, so that the Origin can 
be certain that the header(s) is correct when coming from the ATS 
server, and ignored when not.

-- Leif
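The trust relation Leif describes, as an added example that is not part of this thread or of ATS itself: an origin-side helper that honours X-Forwarded-For (or Client-IP) only when the request arrives from a known ATS address, and ignores the header otherwise. The proxy address and the sample header values are constructed placeholders.

```python
import ipaddress
from typing import Optional

# Constructed placeholder: the ATS interface address(es) the origin has agreed to trust.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.0.0.5")})


def client_ip(peer_addr: str, xff_header: Optional[str],
              trusted=TRUSTED_PROXIES) -> str:
    """Return the client address the origin should act on.

    peer_addr  - address of the TCP peer that delivered the request
    xff_header - value of X-Forwarded-For / Client-IP, which anyone can forge
    """
    peer = ipaddress.ip_address(peer_addr)

    # Request did not come from ATS: the header is untrusted, use the peer itself.
    if peer not in trusted or not xff_header:
        return str(peer)

    # X-Forwarded-For is "client, proxy1, proxy2": each proxy appends the peer
    # it saw. Only the hops appended by our own trusted proxies are reliable,
    # so walk from the right and skip our proxies; the first other address is
    # the one a trusted proxy actually observed. Anything further left was
    # supplied by the client and may be forged.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    while hops:
        candidate = hops.pop()
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            # Malformed entry: fall back to the TCP peer rather than trust it.
            return str(peer)
        if addr not in trusted:
            return str(addr)

    # Every listed hop was one of our proxies; the peer is the best we have.
    return str(peer)
```

The forged leftmost value in the last test case below is discarded because only the hop appended by the trusted ATS address is believed.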