Jonathan Hilgeman <[EMAIL PROTECTED]> wrote:
>Okay, after I think about it, there must be a way to identify a unique user,
>even if they are behind a firewall. Let's run through this process:
>
>1) Person behind the firewall sends out a request to a web server.
>2) The firewall intercepts that request, masks the person's IP address and
>lets the request keep going out.
>3) The web server receives the request and sends back packets of data to the
>IP of the user, which is really the IP of the firewall now.
>4) The firewall receives the packets of data first, but now must send those
>data packets to someone inside the firewall. 
>5) The packets of data MUST have some unique identifier to let the firewall
>know who requested the data in the first place. 
>
>Now, I'm assuming that Apache has full access to these incoming packets.
>Therefore, they must also have access to this invisible identifier. Is it
>possible to extract that identifier somehow by tinkering with Apache?

No.  What happens is more like this:

(1) Browser opens socket for connecting to remote server.  This assigns a 
unique identifier to the TCP connection - IP + socket on client side.
(2) Browser connects to remote server, which actually ends up connecting to 
firewall.  Firewall has a unique number on its side - its IP + socket (80 or 
443 most likely).
(3) Firewall opens socket for connecting to remote server.  This assigns a 
unique identifier to the TCP connection - firewall's public IP + socket.  
Firewall remembers this and will transfer any data coming from client to this 
connection, and any data from this connection to the client.  This is part of 
what is meant by a firewall which saves state information.

All the information needed to connect the client and server via the firewall 
is kept within the firewall.  Neither the client nor the server need be aware of 
any of it, nor, afaik, can they be aware of it without putting an HTTP proxy on 
the firewall.

The server is seeing the firewall's IP and socket, not the actual client's.  
This will change with each connection made, which will happen if the keepalive 
timeout happens.
-- 
James Smith <[EMAIL PROTECTED]>, 979-862-3725
Texas A&M CIS Operating Systems Group, Unix
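The connection-tracking behaviour James describes (steps 1 to 3, and the note that the server sees a fresh firewall port per connection) can be modelled in a few dozen lines. The following is an added example, not code from the thread or from any firewall product; the addresses, ports and the `StatefulNat` class are constructed for illustration. It shows why nothing in the packets Apache receives can be mined for the inside client: the only identity crossing the wire is the firewall's public IP plus a port the firewall chose, and the mapping back to the client lives solely in the firewall's state table.

```python
"""Toy model of a stateful NAT firewall's connection table.

Added example (not from the original mail thread). All IPs and ports
are constructed: 10.0.0.0/8 is the inside network, 203.0.113.7 is the
firewall's public address, 198.51.100.10 is the web server.
"""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class StatefulNat:
    """Keeps the client<->public-port mapping that never leaves the box."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        # (client_ip, client_port, server_ip, server_port) -> public port
        self.outbound = {}
        # public port -> (client_ip, client_port, server_ip, server_port)
        self.inbound = {}

    def translate_out(self, pkt):
        """Step 3: client packet leaves with the firewall's IP + a new port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key],
                      pkt.dst_ip, pkt.dst_port, pkt.payload)

    def translate_in(self, pkt):
        """Server reply: look up state; drop anything without a matching entry."""
        key = self.inbound.get(pkt.dst_port)
        if key is None or (pkt.src_ip, pkt.src_port) != (key[2], key[3]):
            return None  # no state for this flow: the firewall drops it
        client_ip, client_port, _, _ = key
        return Packet(pkt.src_ip, pkt.src_port, client_ip, client_port, pkt.payload)

    def close(self, client_ip, client_port, server_ip, server_port):
        """Connection torn down (e.g. keepalive timeout): forget the mapping."""
        port = self.outbound.pop((client_ip, client_port, server_ip, server_port))
        del self.inbound[port]


def server_view(pkt):
    """What the web server (and its access log) can record about the peer."""
    return (pkt.src_ip, pkt.src_port)


def demo():
    nat = StatefulNat("203.0.113.7")
    # Two inside hosts that happen to pick the same local port.
    a = Packet("10.0.0.5", 51000, "198.51.100.10", 80, b"GET / HTTP/1.0")
    b = Packet("10.0.0.6", 51000, "198.51.100.10", 80, b"GET / HTTP/1.0")
    out_a, out_b = nat.translate_out(a), nat.translate_out(b)

    # Server answers to whatever it saw; the firewall routes it inside.
    reply_a = Packet("198.51.100.10", 80, out_a.src_ip, out_a.src_port, b"200 OK")
    back_a = nat.translate_in(reply_a)

    # Unsolicited packet aimed at a mapped port from the wrong source: dropped.
    stray = Packet("192.0.2.99", 12345, nat.public_ip, out_a.src_port, b"junk")

    # After the connection closes, the same client gets a brand-new port.
    nat.close("10.0.0.5", 51000, "198.51.100.10", 80)
    out_a2 = nat.translate_out(a)

    return {
        "server_sees_a": server_view(out_a),
        "server_sees_b": server_view(out_b),
        "reply_reaches": (back_a.dst_ip, back_a.dst_port),
        "stray_dropped": nat.translate_in(stray) is None,
        "port_after_reconnect": out_a2.src_port,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The server-side view is the same public IP for both inside hosts, differing only in a port the firewall allocated, and that port changes again once the connection is closed and reopened. Nothing Apache can read from the packet carries the 10.0.0.x address; recovering it would require something running on the firewall itself (such as the HTTP proxy James mentions) to add that information.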