Thanks for your answer.
 
But in the case of a commercial Web Application Firewall (WAF),
I found that tproxy was installed and some daemon like squid to filter the
web traffic transparently,
and the real client IP is seen at the origin server.
  
Is it a different case?
 
 
Thanks for your comments.
 
 
> MontyRee wrote:
>> Hello, all.
>> 
>> I saw a very useful function named tproxy.
>> So please check whether the below is possible or not.
>> 
>> 
>> Client(192.168.3.2) ==> http-accelerator mode squid(10.10.1.2) ==> apache 
>> web server(10.10.1.1)
>> 
>> When I see the log file at apache, only the cache (10.10.1.2) IP will be seen
>> without regard to clients.
>> But when I set tproxy at the squid server, I can see the real client IPs, right?
>> 
>> Then how can I set an iptables rule at the squid server (10.10.1.2)?
>> It seems that most examples are for forward proxy, not httpd-accel mode.
>> 
>> http://wiki.squid-cache.org/ConfigExamples/
>> 
>> I know that "HTTP_X_FORWARDED_FOR" would be possible,
>> but I don't want it. Please share how to set tproxy for accel mode.
>> 
>> 
>> Thanks in advance.
>> 
> 
> No, it's not.
> 
> accel mode == reverse proxy == squid pretending to be a web server.
> 
> tproxy == squid pretending not to be there.
> 
> When Squid pretends not to be there it cannot perform the actions needed
> to make it look like a web server.
> 
> X-Forwarded-For is the way to do this. Whether you want to do it that
> way or not. It's the way you get the real client IP through the various
> middleware proxies already passing traffic from box to box around the
> Internet in a www version of NAT.
> 
> Amos
> -- 
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19
> Current Beta Squid 3.1.0.13
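The X-Forwarded-For approach recommended in the thread, seen from the origin server's side, as an added example that is not part of the original messages: the header is only believed when the connection comes from the accel-mode Squid, and hops are read right to left so a value forged by the client is not logged. The addresses are the ones in the thread; `TRUSTED_PROXIES`, `real_client_ip` and the sample requests are assumptions made for illustration.

```python
import ipaddress

# Assumption: the only proxy the origin trusts is the accel-mode Squid (10.10.1.2).
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.1.2/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_ip, xff_header):
    """Return the address the origin should log for this request.

    peer_ip:    source address of the TCP connection as seen by the origin.
    xff_header: raw X-Forwarded-For value, or None if the header is absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    # A connection that did not come through Squid may carry a forged header.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Each proxy appends the address it received the request from, so walk
    # right to left and stop at the first hop that is not a trusted proxy.
    candidate = peer
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # "unknown" or garbage: keep the last address we could verify
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate)


# Constructed sample requests: (TCP peer seen by Apache, X-Forwarded-For value).
SAMPLES = [
    ("10.10.1.2", "192.168.3.2"),                # normal request via Squid
    ("10.10.1.2", "203.0.113.9, 192.168.3.2"),   # client forged the first entry
    ("192.168.3.2", "10.10.1.1"),                # direct hit, header ignored
    ("10.10.1.2", "unknown"),                    # Squid told not to reveal client
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, repr(xff), "->", real_client_ip(peer, xff))
```
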