The best bet seems to be stunnel's -T:
http://www.stunnel.org/faq/transparent.html
Which mentions that Solaris can do it as well as special hacks for Linux.
It seems to use LD_PRELOAD to call ioctl(IP_TPROXY_ASSIGN,..) (iptable hack?)
followed by "IP_TPROXY_FLAGS setsockopt with a flags value of ITP_CONNECT.". I'm
unsure if this refers only to a specific Linux hack or if it is the general
solution. Neither ioctl exists on Solaris here.
It is possible that, if you run "stunnel" on the application servers
(192.168.1.0/24 hosts in my example) and use LD_PRELOAD, they can overload
getpeername() and accept() to supply the real address.
But to me that still feels very hacky. It would be more desirable if you could
make a competing "black box" solution with IPFilter+SSL, and not require the SSL
overhead on the client servers at all (which is one of the points of SSL
accelerators).
Lund
Carson Gaspar wrote:
> --On Wednesday, May 17, 2006 9:19 AM +0900 Jorgen Lundman
> <[EMAIL PROTECTED]> wrote:
>> Don't know about squid. But stunnel -T certainly can do it, but it
>> naturally needs a kernel patch to be allowed to specify the peer IP when
>> RDRing the packet. I don't think IPFilter lets stunnel do this as is.
> I think it does. I'd have to check the API to be sure though - it's been
> a while since I abandoned my user-space FTP proxy. And it may require
> privs for the IOCTL.
--
Jorgen Lundman | <[EMAIL PROTECTED]>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)
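An added illustration of the LD_PRELOAD idea discussed above (interposing getpeername() so the application sees the original client rather than the local stunnel), not code from this thread or from stunnel: a testable helper rewrites a sockaddr buffer with the "real" IPv4 client address, and the interposed getpeername() substitutes it after calling libc's own. Reading that address from REAL_PEER_IP/REAL_PEER_PORT environment variables is a hypothetical stand-in; the thread does not say how the proxy would convey it per connection.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dlfcn.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Overwrite a caller-supplied sockaddr buffer with the "real" IPv4 client
 * address. Returns 0 on success, -1 if the buffer is too small for a
 * sockaddr_in or the address text is not a valid dotted quad. Pure
 * helper, so it can be exercised without opening any socket. */
int rewrite_peer(struct sockaddr *addr, socklen_t *len,
                 const char *real_ip, unsigned short real_port)
{
    struct sockaddr_in in4;
    if (addr == NULL || len == NULL || *len < sizeof in4)
        return -1;
    memset(&in4, 0, sizeof in4);
    in4.sin_family = AF_INET;
    in4.sin_port = htons(real_port);
    if (inet_pton(AF_INET, real_ip, &in4.sin_addr) != 1)
        return -1;
    memcpy(addr, &in4, sizeof in4);
    *len = sizeof in4;
    return 0;
}

/* Interposed getpeername(): resolve and call the next getpeername() in
 * link order (libc's), then, if REAL_PEER_IP is set (hypothetical
 * transport for the address; the thread leaves this unspecified),
 * replace the proxy's address with the real client's. On any failure
 * the caller still gets libc's result, never a half-written buffer. */
int getpeername(int fd, struct sockaddr *addr, socklen_t *len)
{
    typedef int (*real_fn)(int, struct sockaddr *, socklen_t *);
    real_fn real = (real_fn)dlsym(RTLD_NEXT, "getpeername");
    if (real == NULL)
        return -1;
    int rc = real(fd, addr, len);
    const char *ip = getenv("REAL_PEER_IP");
    const char *port = getenv("REAL_PEER_PORT");
    if (rc == 0 && ip != NULL)
        rewrite_peer(addr, len, ip, port ? (unsigned short)atoi(port) : 0);
    return rc;
}
```

Built as a shared object and loaded with LD_PRELOAD, the wrapper only affects processes that call getpeername() through libc; statically linked binaries and code that reads the address from accept() directly are untouched, which is the main reason this stays a per-host workaround rather than a "black box" solution.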