On 29.11.12 11:08, Amos Jeffries wrote:
> Was it you that mentioned elsewhere you were trying to avoid TPROXY because you had internal web servers? cache_peer can point directly at the internal servers to avoid having an extra proxy hop. The cache_peer no-tproxy option was added for exactly this scenario. TPROXY spoofing is only mandatory on DIRECT traffic at present.
It was indeed me. I know that the cache_peer can be tweaked to disable spoofing for specific servers, but this is a bit of a management nightmare to maintain a list of all possible internal machines (these servers are deployed on customer sites and would involve the customer liaising with us every time they add/remove a server from their network, which isn't really feasible).
My take on it is that we gain absolutely nothing from the spoofing behaviour, since all internet-bound traffic is going to be NATted to a single IP anyway, and all local traffic needs to be unspoofed for routing reasons, so the sensible option is to just disable it entirely. From the code it does look like this is reasonably easy to do, so may be my next job. In the long run, it would probably be good to have an ACL to control whether or not to spoof though.
--
- Steve Hill
Technical Director
Opendium Limited
http://www.opendium.com

Direct contacts:
Instant messenger: xmpp:[email protected]
Email: [email protected]
Phone: sip:[email protected]

Sales / enquiries contacts:
Email: [email protected]
Phone: +44-844-9791439 / sip:[email protected]

Support contacts:
Email: [email protected]
Phone: +44-844-4844916 / sip:[email protected]
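The per-server approach Amos describes, written out as a squid.conf fragment. This is an added illustration, not configuration from either poster or from the Squid project's documentation; the address 192.168.10.20, the peer name intranet_www and the port numbers are constructed values standing in for a customer's internal web server.

```squid
# Intercepting listener: client addresses are spoofed on DIRECT traffic
# from this port (constructed example, not the posters' configuration).
http_port 3129 tproxy

# One internal web server that must see the proxy's own address rather
# than a spoofed client address, so that replies route back correctly.
acl intranet_www dst 192.168.10.20

# Forward matching requests straight to the origin server, one hop,
# with TPROXY spoofing disabled for this peer only (no-tproxy).
cache_peer 192.168.10.20 parent 80 0 no-query originserver no-tproxy name=intranet_www
cache_peer_access intranet_www allow intranet_www
cache_peer_access intranet_www deny all

# Make sure requests for that server cannot fall back to DIRECT,
# which would reintroduce spoofing.
never_direct allow intranet_www
```

Each additional internal server needs its own acl/cache_peer/cache_peer_access/never_direct group, which is exactly the maintenance burden Steve objects to when the server list changes without the proxy operator's knowledge. Later Squid releases (3.5 onward) added a `spoof_client_ip` access list so that spoofing can be switched off by ACL instead, which is the control Steve asks for at the end of his message.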
