On 04/18/2010 10:04 AM, Alan M. Carroll wrote:
I read through the documentation on reverse proxy mode but didn't find the 
answer to my question, what IP address is used by ATS to connect to the origin 
servers, the client IP address or an address on an ATS interface? If the 
latter, is it presumed that served content is not dependent on the client IP 
address?

Yeah, it'll be the IP of the interface that you route the outgoing request on (by default).

Maybe I'm missing something, but how would it work if you forge the src-IP to the IP of the client? The origin would then route back to the client IP directly, which is not what you want. Unless of course you have configured the origins too to route everything back via the ATS server? (The latter sounds like inline routing as done in SLBs for example). I don't think we currently support such a setup, not sure how easy or difficult it'd be to add.

That much said, there are several headers available for making "ACLs" based on the client IP. E.g. "Client-IP" and "X-Forwarded-For". Either can obviously be forged, so you have to establish some sort of trust relation between your origin and the ATS server, so that the Origin can be certain that the header(s) is correct when coming from the ATS server, and ignored when not.

-- Leif
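
The trust relation described in the reply above, sketched from the origin's side as an added example (not code from this thread or from ATS): forwarded-address headers are honoured only when the TCP peer is a known ATS server and ignored otherwise. The proxy address, the allowed network and all function names are assumptions, as is the premise that the proxy appends the address it saw to `X-Forwarded-For`.

```python
import ipaddress

# Assumed for this example: the ATS server(s) this origin trusts.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, headers):
    """Return the address the origin should use for ACL decisions."""
    client = ipaddress.ip_address(peer_ip)
    if not is_trusted(client):
        # Not coming from the proxy: any forwarded header may be forged.
        return str(client)
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left: each entry is believable only because the hop
    # to its right (a trusted proxy) appended it.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing further left can be trusted
        client = addr
        if not is_trusted(addr):
            break  # first address that is not our proxy is the client
    return str(client)


def acl_allows(peer_ip, headers, allowed_networks):
    client = ipaddress.ip_address(effective_client_ip(peer_ip, headers))
    return any(client in ipaddress.ip_network(n) for n in allowed_networks)


if __name__ == "__main__":
    # Constructed sample requests (documentation address ranges).
    allowed = ["198.51.100.0/24"]
    samples = [
        ("192.0.2.10", {"X-Forwarded-For": "198.51.100.7"}),
        ("192.0.2.10", {"X-Forwarded-For": "198.51.100.9, 203.0.113.5"}),
        ("203.0.113.5", {"X-Forwarded-For": "198.51.100.7"}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", effective_client_ip(peer, hdrs),
              "allowed" if acl_allows(peer, hdrs, allowed) else "denied")
```
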
