httpd-dev mailing list archives

From "JeHo Park" <jhp...@elim.net>
Subject Re: [PATCH] tproxy2 patch to the apache 2.2.15
Date Thu, 05 Aug 2010 04:13:15 GMT
hello Junyong Jiang



client <-----conn 1----->  tproxy  <----- conn 2 ------>  web server
211.x                                 br0 : 10.a                               10.b


As you know from before, there are 2 connections:
one is the connection between the client and tproxy, and the other is between tproxy and the web server.
If you configure the bridge's IP address, the tproxy server binds to this address and random ports and makes connections with the client and the server using this bridged IP address.

But at run time, the web server receives some packets whose source address is the real client address (211.x).
How about checking out proxy_util.c .. modules/proxy/proxy_util.c



//------------ snip  ----------------------//


here! /* use bridged IP address  as binding address */
   
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr (conf->tproxy_ifaddr);
    sin.sin_port = 0;
    if(bind(dst->fd, (struct sockaddr *) &sin, sizeof(sin)) == -1) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "%s/%d Z-linuxpark-2: Error bind (): [ifaddr:%s]: %d:%s\n",
                     __FUNCTION__, __LINE__, conf->tproxy_ifaddr, errno, strerror (errno));
        return -2;
    }


here!  /* use client address as  source address using SOL_IP  ipv4 socket option */

    itp.op = TPROXY_ASSIGN;
    itp.v.addr.faddr = src->addr.sin_addr;
    itp.v.addr.fport = ntohs (src->addr.sin_port);
    ret = setsockopt(dst->fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
    if (ret < 0 ) {
#if 0
        if (errno == EADDRINUSE) 
            goto exit;
#endif
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "%s/%d Z-linuxpark-3: Error setsockopt (): %d:%s: "
                     "[fd: %d, src: %u.%u.%u.%u  port(%d)] \n",
                     __FUNCTION__, __LINE__,  errno, strerror (errno),
                     dst->fd,
                     NIPQUAD (src->addr.sin_addr.s_addr), src->addr.sin_port);
        return -3;
    }


and then try to connect ! 


    itp.op = TPROXY_FLAGS;
    itp.v.flags = ITP_CONNECT;
    ret = setsockopt(dst->fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
    if (ret < 0 ) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "%s/%d Z-linuxpark-4: Error setsockopt (): %d:%s\n",
                     __FUNCTION__, __LINE__, errno, strerror (errno));
        return -4;
    }

//------------ snip  ----------------------//


  ----- Original Message ----- 
  From: Junyong Jiang 
  To: JeHo Park 
  Sent: Thursday, August 05, 2010 11:26 AM
  Subject: Re: [PATCH] tproxy2 patch to the apache 2.2.15


  So I know!
  In this case, what's the use of the bridge's IP address?


  2010/8/5 JeHo Park <jhpark@elim.net>

    Junyong Jiang, my previous reply included a wrong sentence, so I fixed it!

    As you know, in transparent proxy mode [or in the tproxy mode], the backend server receives a packet whose source address is the real client address.
    If you set your proxy box to NAT mode, the backend server receives a packet whose source address is the proxy server's bridge IP.

    So if you set up my tproxy httpd correctly, the backend server will receive a packet whose source address is the real client address.

    thanks~
      ----- Original Message ----- 
      From: Junyong Jiang 
      To: jhpark@elim.net 
      Sent: Thursday, August 05, 2010 9:57 AM
      Subject: Re: [PATCH] tproxy2 patch to the apache 2.2.15


      Hello Park, 


      I want to ask you one more question. In your test of the apache tproxy mode, on the backend server (that means the real web server), what is the source IP address? Is it the real client's or the proxy server's bridge IP?


      Thanks!


      2010/8/5 JeHo Park <jhpark@elim.net>

        hello clere


        ----- Original Message -----
        From: "jean-frederic clere" <jfclere@gmail.com>
        To: <dev@httpd.apache.org>

        Sent: Wednesday, August 04, 2010 5:32 PM
        Subject: Re: [PATCH] tproxy2 patch to the apache 2.2.15



        > On 08/03/2010 04:57 PM, JeHo Park wrote:
        >> hello ~
        >> it's my first mail to apache dev .. and I am a beginner with Apache. :-)
        >
        > Interesting stuff... But:
        > - The machine-dependent stuff in httpd usually goes to APR. (I would add
        > the logic to APR and have a HAVE_APR_TPROXY*).


        I absolutely understood what you said


        > - The kernel is nice but was it accepted in the current kernels? If yes
        > since when?


        No, I just ported the tproxy2 kernel patch [refer to the link below] to the CentOS kernel 2.6.18-194.el5.
        The mainstream Linux kernel applied tproxy4 from version 2.6.24,
        but tproxy2 had not been applied ..
        http://www.balabit.com/downloads/files/tproxy/


        > - Without the performance results it is hard to see if it is worth the
        > effort.
        >

        please check the link below
        http://211.174.184.69/kisa-avalanche2900-20100712
        and the test-result.ppt file shows the summarized result of the performance test, etc.


        > Cheers
        >
        > Jean-Frederic


