On 6/6/2013 8:01 PM, Brian Candler wrote:
> It seems to me they could have added something like a SOCKS5 header at
> the front of the stream to carry the source information.
Essentially, that is what they did, only they made up their own header
and expected everyone to just use it.
> You could distinguish it from a direct connection by listening on a
> different port (like http/https). That's not pretty, but better than
> wasting an IP address. And you'd still want to firewall that port from
> connections from anywhere except your trusted proxy, for obvious reasons.
They specify two ways.

The main text of their specification suggests wasting an IP address and
creating hard to maintain firewall rules.

A note near the end provides the better solution: Server listens on one IP
address and port.  Server has a configured list of trusted proxy IPs.  If
the connection is from a trusted IP, expect and demand the extra header,
otherwise reject and ignore the extra header.
>
> Also: if you're going to invent a new protocol for this, then you should
> make it stackable so that a request can be forwarded through a variable
> number of proxies, and the final endpoint can decode the path that the
> forwarding took.
Their protocol is explicitly stackable: Each proxy may act as a server and
accept the information from its upstream, then forward that in place of its
own information.  They claim to have already implemented that in their own
proxy.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


_______________________________________________
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
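
The single-listener check Jakob describes (trusted proxy list, header demanded from trusted peers and refused from everyone else) can be sketched as follows. This is an added example, not part of the original message or of any project's code. It assumes a one-line text header in the style of HAProxy's PROXY protocol v1, which the thread does not name; the function names are hypothetical and the addresses are constructed sample values.

```python
import ipaddress

# Constructed sample value: the one address allowed to speak for clients.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]

class HeaderError(Exception):
    """Connection must be dropped: header missing, malformed or unauthorised."""

def is_trusted(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def parse_header(line):
    """Parse b'PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\\r\\n' -> (src, sport)."""
    try:
        # Assumed v1 limit: at most 107 bytes including the CRLF terminator.
        if len(line) > 107 or not line.endswith(b"\r\n"):
            raise ValueError("bad length or terminator")
        tag, fam, src, dst, sport, dport = line[:-2].decode("ascii").split(" ")
        if tag != "PROXY" or fam not in ("TCP4", "TCP6"):
            raise ValueError("bad tag or family")
        want = 4 if fam == "TCP4" else 6
        if {ipaddress.ip_address(a).version for a in (src, dst)} != {want}:
            raise ValueError("address family mismatch")
        for p in (sport, dport):
            if not (p.isdigit() and 0 <= int(p) <= 65535):
                raise ValueError("bad port")
    except ValueError as exc:
        raise HeaderError(str(exc)) from None
    return src, int(sport)

def client_identity(peer_ip, peer_port, first_line):
    """Return (client_ip, client_port, header_consumed) for a new connection."""
    if is_trusted(peer_ip):
        # Trusted proxy: the header is mandatory, never optional.
        ip, port = parse_header(first_line)
        return ip, port, True
    if first_line.startswith(b"PROXY "):
        # Untrusted peer claiming another source address: refuse it.
        raise HeaderError("header from untrusted peer")
    # Direct client: the socket peer is the identity, nothing is consumed.
    return peer_ip, peer_port, False
```

A proxy that is itself stacked behind another would call the same function on its inbound side and forward the returned address in its outbound header in place of its own.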
