Hi,
Let's just add that for Apache there is a module
(mod_extract_forwarded) that will replace the remote endpoint of the
connection by the IP inserted by pound in X-Forwarded-For in the
usual places (REMOTE_ADDR, logging, etc.), so once that module is
installed and configured, there is no need to change anything in apps
running on the server.
There are probably equivalent things for other http servers.
Jacques.
At 07:48 20/10/2009, Jean-Pierre van Melis wrote:
Your backends receive all their info from your proxy and see your
proxy as the original sender.
Luckily there's something like a forwarded-for header which is
inserted by pound.
You need to modify your backend so it will not show the IP where
it's coming from, but this header which is inserted by pound.
If, for instance, you have a simple application running on your
webserver which does something with the sender IP, this application
needs to use this forwarded-for header instead of the normal header.
You may say, easy enough.... modify that too.. But this website may
be owned by a third party which had its website developed and
running on another server and all of a sudden things don't work as
expected anymore after it moved to this backend which is behind pound.
All this is not necessary. With TPROXY pound can be made into a true
transparent proxy. Although the http-traffic travels through the
proxy, it is delivered to the backends in IP-packets which have
the original IP in them. The backend will think the traffic is
coming from the Internet instead of the proxy.
For this to work it needs to work together with the gateway. If the
backend thinks that http-data is coming from the Internet it will
answer to that address as well. It will give this data to the
gateway and tell it to send it to the Internet. The gateway knows
that in fact it shouldn't do this but send it to the proxy instead
which will send that packet to the gateway again. This time the
gateway knows it should really send it to the Internet and now the
http-request has been answered...
For all this to work we need a modified pound and a mechanism on the
gateway which facilitates this.
-----Original message-----
From: news [mailto:[email protected]] On behalf of Eric B.
Sent: Tuesday 20 October 2009 5:33
To: [email protected]
Subject: Re: [Pound Mailing List] TPROXY
Hi,
I'm a bit confused by your statement. Can you explain what you mean by you
need to configure the backends so they are listening to a proxy and not the
real client?
I'm using Pound as a proxy in front of a Tomcat server, and I have made no
changes to the Tomcat configuration (except the logging) to account for
Pound. Do I need to do something additional?
Thanks,
Eric
"Jean-Pierre van Melis" <[email protected]> wrote
in message news:[email protected]...
Is there some chance this TPROXY can get in the main code?
Having a transparent proxy makes it so much more powerful...
I'm sure it can be made so it's not getting in the way of those using a classic
proxy.
I'm running pound on my router which is also the gateway of my network and
having a transparent proxy means I do not have to change the logging of my
webserver.
Even if you changed the logging.. it still isn't the same as all the
backends need to be made aware they are in fact listening to a proxy and not
to the real client....
--
To unsubscribe send an email with subject unsubscribe to
[email protected].
Please contact [email protected] for questions.
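
Added example, not part of the original thread and not code from pound or mod_extract_forwarded: a backend-side sketch of using the forwarded-for header in place of the connection address, honouring it only when the connection really comes from the proxy. The proxy address 192.0.2.10 and the names TRUSTED_PROXIES and client_ip are hypothetical, and it assumes the proxy's own entry is the rightmost one in X-Forwarded-For.

```python
import ipaddress

# Assumption: address of the pound proxy as seen by the backend (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr):
    """True if addr belongs to one of our own proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_values):
    """Return the address the application should treat as the client.

    remote_addr: peer address of the TCP connection (REMOTE_ADDR).
    xff_values:  X-Forwarded-For header values, in the order received.
    """
    peer = ipaddress.ip_address(remote_addr)
    # The header only means something when the connection came from our
    # proxy; a client connecting directly can put any value in it.
    if not _is_trusted(peer):
        return str(peer)
    # Flatten repeated headers and comma-separated lists into one hop list.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    # Walk from the right (closest to us); the first hop that is not one
    # of our proxies is the client. Entries further left were supplied by
    # the client itself and are ignored.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the connection address
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    # Constructed sample requests.
    print(client_ip("192.0.2.10", ["203.0.113.7"]))    # via proxy
    print(client_ip("198.51.100.5", ["203.0.113.7"]))  # direct, header ignored
```

The same trust decision applies to any server module that rewrites REMOTE_ADDR from this header: it should be limited to connections arriving from the proxy's address.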