Posted to dev@trafficserver.apache.org by "Alan M. Carroll" <am...@network-geographics.com> on 2010/04/18 18:04:46 UTC
Reverse proxy transparency
I read through the documentation on reverse proxy mode but didn't find the answer to my question: what IP address is used by ATS to connect to the origin servers, the client IP address or an address on an ATS interface? If the latter, is it presumed that served content is not dependent on the client IP address?
Re: Reverse proxy transparency
Posted by George Paul <ge...@apache.org>.
The HTTP+Net+ARM modules worked to provide "IP Spoofing" functionality.
However only the Net code remains while HTTP support has been removed
(ARM of course has been removed as mentioned earlier).
-George
On 4/18/10 1:25 PM, Alan M. Carroll wrote:
> Sunday, April 18, 2010, 3:15:16 PM, you wrote:
>
>> Maybe I'm missing something, but how would it work if you forge the
>> src-IP to the IP of the client?
>
> Yes, you would have to provide external routing support to make it
> work. It would not be possible where the origin servers are external.
>
>> I don't think we currently support such a setup, not sure how
>> easy or difficult it'd be to add.
>
> Actually, I am working on that for the forward direction and was
> interested to know if mechanisms were already in place for the
> reverse. I will take your reply to indicate not, although the lower
> level socket mechanisms do seem to have support for a "spoof IP"
> address.
>
Re: Reverse proxy transparency
Posted by "Alan M. Carroll" <am...@network-geographics.com>.
Sunday, April 18, 2010, 3:15:16 PM, you wrote:
> Maybe I'm missing something, but how would it work if you forge the
> src-IP to the IP of the client?
Yes, you would have to provide external routing support to make it
work. It would not be possible where the origin servers are external.
> I don't think we currently support such a setup, not sure how
> easy or difficult it'd be to add.
Actually, I am working on that for the forward direction and was
interested to know if mechanisms were already in place for the
reverse. I will take your reply to indicate not, although the lower
level socket mechanisms do seem to have support for a "spoof IP"
address.
Re: Reverse proxy transparency
Posted by Leif Hedstrom <zw...@apache.org>.
On 04/18/2010 10:04 AM, Alan M. Carroll wrote:
> I read through the documentation on reverse proxy mode but didn't find the answer to my question: what IP address is used by ATS to connect to the origin servers, the client IP address or an address on an ATS interface? If the latter, is it presumed that served content is not dependent on the client IP address?
>
Yeah, it'll be the IP of the interface that you route the outgoing
request on (by default).
Maybe I'm missing something, but how would it work if you forge the
src-IP to the IP of the client? The origin would then route back to the
client IP directly, which is not what you want. Unless of course you
have configured the origins too to route everything back via the ATS
server? (The latter sounds like inline routing as done in SLBs for
example). I don't think we currently support such a setup, not sure how
easy or difficult it'd be to add.
That much said, there are several headers available for making "ACLs"
based on the client IP. E.g. "Client-IP" and "X-Forwarded-For". Either
can obviously be forged, so you have to establish some sort of trust
relation between your origin and the ATS server, so that the Origin can
be certain that the header(s) is correct when coming from the ATS
server, and ignored when not.
-- Leif
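
The trust relation described in the last message above, sketched as an added example (not code from the thread or from Traffic Server): an origin-side check that honours "X-Forwarded-For" or "Client-IP" only when the TCP peer is the proxy, and ignores them otherwise. The function names, the trusted address 192.0.2.10 and the assumption that the proxy appends the client it saw as the last X-Forwarded-For entry are all hypothetical.

```python
import ipaddress

# Constructed example address (documentation range), standing in for the ATS host.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _parse_ip(text):
    """Return an ip_address object, or None if text is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def effective_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Pick the address an origin-side ACL should evaluate.

    peer_ip: source address of the TCP connection as seen by the origin.
    headers: dict of request headers (names compared case-insensitively).
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        # Not from the proxy: any Client-IP / X-Forwarded-For is ignored.
        return peer
    lowered = {k.lower(): v for k, v in headers.items()}
    xff = lowered.get("x-forwarded-for")
    if xff:
        # Assumption: the proxy appends the client it saw as the LAST entry;
        # earlier entries were supplied by the client and may be forged.
        candidate = _parse_ip(xff.split(",")[-1])
        if candidate is not None:
            return candidate
    candidate = _parse_ip(lowered.get("client-ip", ""))
    # Fall back to the peer if the proxy sent no usable header.
    return candidate if candidate is not None else peer
```

The check is only as strong as the network path: the origin must be reachable by untrusted peers only under their real source address, or the peer test itself can be bypassed.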