We have solved it. Here is our well-working solution:

Trafficserver does ssl termination as usual. The port configuration looks like:
        443:ssl:tr-out

We use the following iptables rule:
          -A PREROUTING -i eth1 -m socket --transparent -j MARK \
                --set-xmark 0x2a/0xffffffff
eth1 is the interface to the origin systems in this case

And we had to configure the routing:
        ip rule add fwmark 42 lookup 100
        ip route add local 0.0.0.0/0 dev lo table 100

What we do with these settings:
If you configure a port with tr-out, TS will open the socket for the outgoing 
connection with the client's IP and the flag IP_TRANSPARENT set.

The iptables rule checks every incoming socket on our interface to the 
origin servers for a matching listening socket. In addition, the 
socket must have the IP_TRANSPARENT flag set. If it finds one, the connection 
mark 42 is set.

The routing rules send all packets with the connmark 42 to the lo interface. 
The rest is up to the trafficserver.

We have tested this configuration and could not detect any problems.

On Wednesday, 22 January 2014, 14:30:09, Alan M. Carroll wrote:
> I'll take a look at that and see if I remember what the problem is. Is the
> SSL terminating on the ATS proxy so that the ATS <-> origin server is not
> SSL?
> Wednesday, January 22, 2014, 3:46:31 AM, you wrote:
> > Hi all,
> > 
> > we want to use TS as a reverse-proxy for multiple applications for caching
> > and SSL termination.
> > 
> > one of the applications does not know anything about Client-IP or
> > X-Forwarded-For headers. The IP of the Client is used for session
> > handling, so it is a security problem.
> > 
> > According to the documentation "tr-out" and "ssl" are not compatible.
> > 
> > Is there a way to set up an outbound transparent proxy with SSL termination?
> > We don't need any inbound transparency.

-- 
Regards,
Thomas Berger
Piraten IT
--
Piratenpartei Deutschland - Pirate Party of Germany
Pflugstraße 9a, D-10115 Berlin, Germany

Vorstand: Thorsten Wirth, Carolin Mahn-Gauseweg,
Stefan Bartels, Stephanie Schmiedke, Veronique Schmitz,
Gefion Thürmer, Björn Niklas Semrau
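A consistency check for the three pieces of the setup above (example code added here, not from the thread and not part of Traffic Server): it parses constructed samples of `iptables-save -t mangle`, `ip rule show` and `ip route show table 100` output and confirms that the mark set by the MARK target (written in hex) is the mark the policy rule keys on (written in decimal in the commands above), that the rule is restricted with `-m socket --transparent`, and that the selected table routes to lo as local. A mismatch in any of these silently sends origin replies the wrong way.

```python
import re

# Constructed samples shaped like `iptables-save -t mangle`, `ip rule show`
# and `ip route show table 100` after applying the settings from the post.
IPTABLES_SAVE = """*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -m socket --transparent -j MARK --set-xmark 0x2a/0xffffffff
COMMIT
"""
IP_RULE = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x2a lookup 100\n"
IP_ROUTE_100 = "local default dev lo scope host\n"

MARK_RE = re.compile(r"^-A PREROUTING (?P<match>.*)-j MARK --set-xmark "
                     r"(?P<val>0x[0-9a-fA-F]+)/(?P<mask>0x[0-9a-fA-F]+)", re.M)
# `ip rule show` prints the mark in hex; hand-typed rules may use decimal.
RULE_RE = re.compile(r"fwmark (?P<mark>0x[0-9a-fA-F]+|\d+)\S* lookup (?P<table>\d+)")


def check_transparent_marking(iptables_save, ip_rule, route_table):
    """Return a list of problems; an empty list means the three pieces agree."""
    problems = []
    m = MARK_RE.search(iptables_save)
    if not m:
        return ["no MARK rule with --set-xmark found in mangle PREROUTING"]
    if "-m socket" not in m["match"] or "--transparent" not in m["match"]:
        problems.append("MARK rule lacks '-m socket --transparent': every packet "
                        "on the interface would be rerouted to lo, not only "
                        "replies to IP_TRANSPARENT sockets")
    mask = int(m["mask"], 16)
    if mask != 0xFFFFFFFF:
        problems.append("mask %s does not overwrite the whole mark" % m["mask"])
    mark = int(m["val"], 16) & mask
    # int(x, 0) accepts both "0x2a" and "42", so hex and decimal compare equal.
    rules = {int(r["mark"], 0): int(r["table"]) for r in RULE_RE.finditer(ip_rule)}
    if mark not in rules:
        problems.append("no 'ip rule' for fwmark %d (0x%x); rules cover %s"
                        % (mark, mark, sorted(rules)))
        return problems
    if not re.search(r"^local (default|0\.0\.0\.0/0) dev lo", route_table, re.M):
        problems.append("table %d has no 'local ... dev lo' route" % rules[mark])
    return problems


if __name__ == "__main__":
    print(check_transparent_marking(IPTABLES_SAVE, IP_RULE, IP_ROUTE_100) or "ok")
```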
