hello Junyong Jiang


client <-----conn 1----->  tproxy  <----- conn 2 ------>  web server
211.x                      br0 : 10.a                     10.b


as you know from before, there are 2 connections:
one is the connection between client and tproxy and the other is between tproxy and web server.
if you configure the bridge's IP address, the tproxy server binds to this address and random ports, and makes connections with the client and the server using this bridge IP address.

but at run time, the web server receives some packets whose source address is the real client address (211.x).
how about checking out proxy_util.c .. modules/proxy/proxy_util.c



//------------ snip  ----------------------//


here! /* use bridged IP address  as binding address */
   
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr (conf->tproxy_ifaddr);
    sin.sin_port = 0;
    if(bind(dst->fd, (struct sockaddr *) &sin, sizeof(sin)) == -1) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "%s/%d Z-linuxpark-2: Error bind (): [ifaddr:%s]: %d:%s\n",
                     __FUNCTION__, __LINE__, conf->tproxy_ifaddr, errno,
                     strerror (errno));
        return -2;
    }


here!  /* use client address as source address using SOL_IP ipv4 socket option */

    itp.op = TPROXY_ASSIGN;
    itp.v.addr.faddr = src->addr.sin_addr;
    itp.v.addr.fport = ntohs (src->addr.sin_port);
    ret = setsockopt(dst->fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
    if (ret < 0 ) {
#if 0
        if (errno == EADDRINUSE) 
            goto exit;
#endif
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "%s/%d Z-linuxpark-3: Error setsockopt (): %d:%s: "
                     "[fd: %d, src: %u.%u.%u.%u  port(%d)] \n",
                     __FUNCTION__, __LINE__,  errno, strerror (errno),
                     dst->fd,
                     NIPQUAD (src->addr.sin_addr.s_addr), ntohs (src->addr.sin_port));
        return -3;
    }


and then try to connect ! 


    itp.op = TPROXY_FLAGS;
    itp.v.flags = ITP_CONNECT;
    ret = setsockopt(dst->fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
    if (ret < 0 ) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "%s/%d Z-linuxpark-4: Error setsockopt (): %d:%s\n",
                     __FUNCTION__, __LINE__, errno, strerror (errno));
        return -4;
    }

//------------ snip  ----------------------//


  ----- Original Message ----- 
  From: Junyong Jiang 
  To: JeHo Park 
  Sent: Thursday, August 05, 2010 11:26 AM
  Subject: Re: [PATCH] tproxy2 patch to the apache 2.2.15


  So I know!
  In this case, what's the use of the bridge's IP address?


  2010/8/5 JeHo Park <jhp...@elim.net>

    Junyong Jiang, my previous reply included a wrong sentence, so i fixed it !

    as you know, in transparent proxy mode [or in the tproxy mode], the backend server receives a packet whose source address is the real client address.
    if you set your proxy box to NAT mode, the backend server receives a packet whose source address is the proxy server's bridge IP.

    so if you set up my tproxy httpd correctly, the backend server will receive a packet whose source address is the real client address

    thanks~
      ----- Original Message ----- 
      From: Junyong Jiang 
      To: jhp...@elim.net 
      Sent: Thursday, August 05, 2010 9:57 AM
      Subject: Re: [PATCH] tproxy2 patch to the apache 2.2.15


      Hello Park, 


      I want to ask you one more question. In your test of the apache tproxy mode, on the backend server (that means the real web server), what is the source IP address? Is it the real client's or the proxy server's bridge IP?


      Thanks!


      2010/8/5 JeHo Park <jhp...@elim.net>

        hello clere


        ----- Original Message -----
        From: "jean-frederic clere" <jfcl...@gmail.com>
        To: <dev@httpd.apache.org>

        Sent: Wednesday, August 04, 2010 5:32 PM
        Subject: Re: [PATCH] tproxy2 patch to the apache 2.2.15



        > On 08/03/2010 04:57 PM, JeHo Park wrote:
        >> hello ~
        >> it's my first mail to apache dev .. and i am beginner of the apache. :-)
        >
        > Interesting stuff... But:
        > - The machine depend stuff in httpd usually goes to APR. (I would add
        > the logic to APR and have a HAVE_APR_TPROXY*).


        i absolutely understood what you said


        > - The kernel is nice but was it accepted in the current kernels? If yes
        > since when?


        no, i just ported the tproxy2 kernel patch [refer to the link below] to the CentOS kernel 2.6.18-194.el5
        the mainstream of linux kernel applied tproxy4 from the version 2.6.24
        but tproxy2 had not been applied ..
        http://www.balabit.com/downloads/files/tproxy/


        > - Without the performance results it is hard to see if it is worth the
        > effort.
        >

        please check the link below
        http://211.174.184.69/kisa-avalanche2900-20100712
        and the test-result.ppt file shows the summarized result of the performance test and etc


        > Cheers
        >
        > Jean-Frederic
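
Added example, not part of the thread and not code from the tproxy2 patch: the same bind-as-client idea as the proxy_util.c excerpt at the top of this thread, written against the mainline kernel's IP_TRANSPARENT socket option instead of tproxy2's IP_TPROXY. The helper names and the sample address (a documentation range) are constructed for illustration; the option needs CAP_NET_ADMIN, and replies only come back if the backend's traffic is routed through the proxy.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19 /* Linux value, for older libc headers */
#endif

/* Hypothetical helper: text + host-order port -> sockaddr_in; 0 or -EINVAL. */
int make_addr(const char *ip, unsigned short port, struct sockaddr_in *out)
{
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1 ? 0 : -EINVAL;
}

/* Hypothetical helper: create the socket for "conn 2" bound to the client's
 * own address, so a later connect() to the backend carries it as source.
 * Returns the fd, or -errno (-EPERM without the needed capability). */
int open_bound_as_client(const struct sockaddr_in *client)
{
    int one = 1, err;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    /* IP_TRANSPARENT lifts the rule that bind() needs a local address. */
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one)) == 0 &&
        bind(fd, (const struct sockaddr *)client, sizeof(*client)) == 0)
        return fd;
    err = errno;
    close(fd);
    return -err;
}

int main(void)
{
    struct sockaddr_in client; /* constructed sample: RFC 5737 address */
    if (make_addr("203.0.113.7", 40000, &client) != 0)
        return 1;
    int fd = open_bound_as_client(&client);
    printf("open_bound_as_client: %d\n", fd);
    if (fd >= 0) close(fd);
    return 0;
}
```

On the backend, the access log is where the difference shows: with this socket setup the logged peer address is the client's, whereas a NAT-mode proxy shows up as the bridge IP.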


