hello Junyong Jiang
 
 
 
client <----- conn 1 ----->  tproxy  <----- conn 2 ----->  web server
211.x                        br0: 10.a                     10.b
 
 
As you already know, there are 2 connections:
one is the connection between the client and tproxy, and the other is between tproxy and the web server.
If you configure the bridge's IP address, the tproxy server binds to this address and random ports and
makes connections with the client and the server using this bridge IP address.
 
But at run time, the web server receives some packets whose source address is the real client address (211.x).
How about checking out proxy_util.c: modules/proxy/proxy_util.c
 
 
 
//------------ snip  ----------------------//
 
 
here! /* use bridged IP address  as binding address */
   
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr (conf->tproxy_ifaddr);
    sin.sin_port = 0;
    if(bind(dst->fd, (struct sockaddr *) &sin, sizeof(sin)) == -1) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "%s/%d Z-linuxpark-2: Error bind (): [ifaddr:%s]: %d:%s\n",
                     __FUNCTION__, __LINE__, conf->tproxy_ifaddr, errno, strerror (errno));
        return -2;
    }
 
 
here!  /* use client address as  source address using SOL_IP  ipv4 socket option */
 
    itp.op = TPROXY_ASSIGN;
    itp.v.addr.faddr = src->addr.sin_addr;
    itp.v.addr.fport = ntohs (src->addr.sin_port);
    ret = setsockopt(dst->fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
    if (ret < 0 ) {
#if 0
        if (errno == EADDRINUSE)
            goto exit;
#endif
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "%s/%d Z-linuxpark-3: Error setsockopt (): %d:%s: "
                     "[fd: %d, src: %u.%u.%u.%u  port(%d)] \n",
                     __FUNCTION__, __LINE__,  errno, strerror (errno),
                     dst->fd,
                     NIPQUAD (src->addr.sin_addr.s_addr), src->addr.sin_port);
        return -3;
    }
 
 
and then try to connect !
 

    itp.op = TPROXY_FLAGS;
    itp.v.flags = ITP_CONNECT;
    ret = setsockopt(dst->fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
    if (ret < 0 ) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "%s/%d Z-linuxpark-4: Error setsockopt (): %d:%s\n",
                     __FUNCTION__, __LINE__, errno, strerror (errno));
        return -4;
    }
//------------ snip  ----------------------//
 
 
----- Original Message -----
From: Junyong Jiang
To: JeHo Park
Sent: Thursday, August 05, 2010 11:26 AM
Subject: Re: [PATCH] tproxy2 patch to the apache 2.2.15

So I know!
In this case, what's the use of the bridge's IP address?

2010/8/5 JeHo Park <jhpark@elim.net>
Junyong Jiang, my previous reply included a wrong sentence, so I fixed it!
 
As you know, in transparent proxy mode [or in the tproxy mode], the backend server receives a packet whose source address is the real client address.
If you set your proxy box to NAT mode, the backend server receives a packet whose source address is the proxy server's bridge IP.
 
So if you set up my tproxy httpd correctly, the backend server will receive a packet whose source address is the real client address.
 
thanks~
----- Original Message -----
Sent: Thursday, August 05, 2010 9:57 AM
Subject: Re: [PATCH] tproxy2 patch to the apache 2.2.15

Hello Park,

I want to ask you one more question. In your test of the apache tproxy mode, on the backend server (that means the real web server), what is the source IP address? Is it the real client's or the proxy server's bridge IP?

Thanks!

2010/8/5 JeHo Park <jhpark@elim.net>
hello clere

----- Original Message -----
From: "jean-frederic clere" <jfclere@gmail.com>
To: <dev@httpd.apache.org>
Sent: Wednesday, August 04, 2010 5:32 PM
Subject: Re: [PATCH] tproxy2 patch to the apache 2.2.15


> On 08/03/2010 04:57 PM, JeHo Park wrote:
>> hello ~
>> it's my first mail to apache dev .. and i am beginner of the apache. :-)
>
> Interesting stuff... But:
> - The machine-dependent stuff in httpd usually goes to APR. (I would add
> the logic to APR and have a HAVE_APR_TPROXY*).

I absolutely understood what you said

> - The kernel is nice but was it accepted in the current kernels? If yes
> since when?

No, I just ported the tproxy2 kernel patch [refer to the link below] to the CentOS kernel 2.6.18-194.el5.
The mainstream Linux kernel applied tproxy4 from version 2.6.24,
but tproxy2 had not been applied.
http://www.balabit.com/downloads/files/tproxy/

> - Without the performance results it is hard to see if it is worth the
> effort.
>
Please check the link below:
http://211.174.184.69/kisa-avalanche2900-20100712
and the test-result.ppt file shows the summarized result of the performance test, etc.


> Cheers
>
> Jean-Frederic