Hi guys, I'm testing this feature, and it's working like it should at the moment, great feature :)
For now, I've been testing with an inline Linux server using iptables
redirection. Both Netfilter REDIRECT and DNAT targets make this configuration
work.
My production setup won't have the Squid box inline. Another router will NAT
the flows to the Squid box. I know this works for HTTP because Squid can
extract the "Host" information from the request and contact the correct server, but
will bump-server-first work if the NAT is not done by the Squid box itself?
Having looked at the SSL handshake, no information is passed by the client to
indicate the remote host, so for now I guess Squid gets the destination IP
information from the Netfilter NAT mapping (the wiki says Squid doesn't use SNI).
Trying to look by myself, I found this, which correlates with the above:
Ip/intercept.cc:

Ip::Intercept::NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent)
{
    ...
    /* Try NAT lookup for REDIRECT or DNAT targets. */
    if ( getsockopt(newConn->fd, IPPROTO_IP, SO_ORIGINAL_DST, &lookup, &len) != 0) {
        if (!silent) {
            debugs(89, DBG_IMPORTANT, HERE << " NF getsockopt(SO_ORIGINAL_DST) failed on " << newConn << ": " << xstrerror());
            lastReported_ = squid_curtime;
        }
        debugs(89, 9, HERE << "address: " << newConn);
        return false;
    } else {
        newConn->local = lookup;
        debugs(89, 5, HERE << "address NAT: " << newConn);
        return true;
    }
    ...
}
I'd like to know how Squid resolves the remote host when handling an
intercepted server-first bumped connection, so I'll be able to set up my network
accordingly.
Could some nice dev give some explanations on this / point to documentation?
Regards,
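As an added example (my own code, not Squid's) of the lookup quoted in the post: the same SO_ORIGINAL_DST getsockopt() call, wrapped in a small program that reports what the kernel knows about an accepted connection. The kernel answers from the local conntrack table, so the pre-NAT destination is only recoverable on the host where the REDIRECT/DNAT was applied; the listening port 8443 and the iptables rule in the comment are assumptions made for running it.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80   /* value from <linux/netfilter_ipv4.h> */
#endif
/* Ask the local conntrack table for the destination the client dialled.
 * Returns 0 and fills *orig, else -errno: EBADF (not a socket), ENOENT
 * (conntrack has no entry for this flow), ENOPROTOOPT (conntrack not loaded).
 * If the DNAT was done on another router, the local table holds no
 * translation and the answer is merely this socket's own address. */
int nf_original_dst(int fd, struct sockaddr_in *orig)
{
    struct sockaddr_in tmp = { 0 };
    socklen_t len = sizeof tmp;
    if (getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, &tmp, &len) != 0)
        return -errno;
    if (orig)
        *orig = tmp;
    return 0;
}
/* Format an IPv4 sockaddr as "a.b.c.d:port" into buf; returns buf. */
const char *addr_to_str(const struct sockaddr_in *sa, char *buf, size_t n)
{
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip);
    snprintf(buf, n, "%s:%u", ip, (unsigned)ntohs(sa->sin_port));
    return buf;
}
/* Stand-alone run: listen on 8443 (port chosen for this example), add a local
 * "iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports
 * 8443" rule, then open a TLS connection to any :443 through this host. */
int main(void)
{
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in me = { .sin_family = AF_INET, .sin_port = htons(8443) };
    if (srv < 0 || bind(srv, (struct sockaddr *)&me, sizeof me) || listen(srv, 1))
        return 1;
    struct sockaddr_in orig;
    char buf[64];
    int rc = nf_original_dst(accept(srv, NULL, NULL), &orig);
    if (rc == 0)
        printf("client wanted %s\n", addr_to_str(&orig, buf, sizeof buf));
    else
        printf("no NAT mapping on this host: %s\n", strerror(-rc));
    return 0;
}
```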