The whole idea about transparency is there's no need to change anything in backends. No need to reconfigure anything. You can also ad-hoc decide to let the traffic go directly. All traffic appears just as if it's coming from the Internet. Just like all traffic from your NAT-router appears to be coming from the Internet.
-----Original message-----
From: Jacques Caron [mailto:[email protected]]
Sent: Tuesday 20 October 2009 13:50
To: [email protected]
Subject: RE: [Pound Mailing List] TPROXY

Hi,

Let's just add that for Apache there is a module (mod_extract_forwarded) that will replace the remote endpoint of the connection by the IP inserted by pound in X-Forwarded-For in the usual places (REMOTE_ADDR, logging, etc.), so once that module is installed and configured, there is no need to change anything in apps running on the server. There are probably equivalent things for other http servers.

Jacques.

At 07:48 20/10/2009, Jean-Pierre van Melis wrote:
>Your backends receive all their info from your proxy and see your
>proxy as the original sender.
>Luckily there's something like a forwarded-for header which is
>inserted by pound.
>You need to modify your backend so it will not show the IP where
>it's coming from, but this header which is inserted by pound.
>
>If, for instance, you have a simple application running on your
>webserver which does something with the sender IP, this application
>needs to use this forwarded-for header instead of the normal header.
>You may say, easy enough.... modify that too.. But this website may
>be owned by a third party which had its website developed and
>running on another server and all of a sudden things don't work as
>expected anymore after it moved to this backend which is behind pound.
>
>All this is not necessary. With TPROXY pound can be made into a true
>transparent proxy. Although the http-traffic travels through the
>proxy they are delivered to the backends in IP-packets which have
>the original IP in them. The backend will think the traffic is
>coming from the Internet instead of the proxy.
>
>For this to work it needs to work together with the gateway. If the
>backend thinks that http-data is coming from the Internet it will
>answer to that address as well. It will give this data to the
>gateway and tells it to send it to the Internet. The gateway knows
>that in fact it shouldn't do this but send it to the proxy instead
>which will send that packet to the gateway again. This time the
>gateway knows it should really send it to the Internet and now the
>http-request has been answered...
>
>For all this to work we need a modified pound and a mechanism on the
>gateway which facilitates this.
>
>
>-----Original message-----
>From: news [mailto:[email protected]] On behalf of Eric B.
>Sent: Tuesday 20 October 2009 5:33
>To: [email protected]
>Subject: Re: [Pound Mailing List] TPROXY
>
>Hi,
>
>I'm a bit confused by your statement. Can you explain what you mean by you
>need to configure the backends so they are listening to a proxy and not the
>real client?
>
>I'm using Pound as a proxy in front of a Tomcat server, and I have made no
>changes to the Tomcat configuration (except the logging) to account for
>Pound. Do I need to do something additional?
>
>Thanks,
>
>Eric
>
>
>"Jean-Pierre van Melis" <[email protected]> wrote
>in message news:[email protected]...
>Is there some chance this TPROXY can get in the main code?
>Having a transparent proxy makes it so much more powerful...
>I'm sure it can be made so it's not getting in the way of those using a classic
>proxy.
>
>I'm running pound on my router which is also the gateway of my network and
>having a transparent proxy means I do not have to change the logging of my
>webserver.
>Even if you changed the logging.. it still isn't the same as all the
>backends need to be made aware they are in fact listening to a proxy and not
>to the real client....
>
>
>
>--
>To unsubscribe send an email with subject unsubscribe to
>[email protected].
>Please contact [email protected] for questions.
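
The X-Forwarded-For approach discussed in this thread, as an added example that is not part of the thread and is not code from Pound or mod_extract_forwarded: a backend should accept the header only when the TCP peer is the proxy itself, otherwise any direct client can claim any address. The function name, the proxy address 192.0.2.10 and the assumption that the proxy appends the connecting client's address as the last entry are all illustrative.

```python
import ipaddress

# Assumption: address of the Pound proxy as the backend sees it (constructed value).
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def effective_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address a backend should log or act on as "the client".

    peer_ip    -- source address of the TCP connection (REMOTE_ADDR)
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_ip)

    # Connection did not come from our proxy (direct hit, or TPROXY delivering
    # the original source address): the header is client-controlled, ignore it.
    if peer not in trusted or not xff_header:
        return str(peer)

    # Walk right to left. The rightmost entry is the one our proxy appended;
    # anything further left was supplied by the client and is unverified.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the TCP peer
        if addr not in trusted:
            return str(addr)

    return str(peer)  # header contained only trusted proxy addresses


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For header)
    samples = [
        ("192.0.2.10", "203.0.113.7"),            # normal request via proxy
        ("192.0.2.10", "10.9.9.9, 203.0.113.7"),  # client pre-filled the header
        ("198.51.100.9", "10.0.0.1"),             # direct client spoofing header
        ("203.0.113.7", None),                    # TPROXY: real source, no header
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", effective_client_ip(peer, xff))
```
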
