trafficserver-dev mailing list archives

From Leif Hedstrom <zw...@apache.org>
Subject Re: Reverse proxy transparency
Date Sun, 18 Apr 2010 20:15:16 GMT
On 04/18/2010 10:04 AM, Alan M. Carroll wrote:
> I read through the documentation on reverse proxy mode but didn't find
> the answer to my question, what IP address is used by ATS to connect to
> the origin servers, the client IP address or an address on an ATS
> interface? If the latter, is it presumed that served content is not
> dependent on the client IP address?
>    

Yeah, it'll be the IP of the interface that you route the outgoing 
request on (by default).

Maybe I'm missing something, but how would it work if you forge the 
src-IP to the IP of the client? The origin would then route back to the 
client IP directly, which is not what you want. Unless of course you 
have configured the origins too to route everything back via the ATS 
server? (The latter sounds like inline routing as done in SLBs for 
example). I don't think we currently support such a setup, not sure how 
easy or difficult it'd be to add.

That much said, there are several headers available for making "ACLs" 
based on the client IP. E.g. "Client-IP" and "X-Forwarded-For". Either 
can obviously be forged, so you have to establish some sort of trust 
relation between your origin and the ATS server, so that the Origin can 
be certain that the header(s) is correct when coming from the ATS 
server, and ignored when not.

-- Leif
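
The trust relation described in the reply above, sketched as an origin-side check. This is an added example, not part of the original message and not ATS code. The proxy subnet, the function names and the sample addresses are constructed, and it assumes the proxy appends the address it accepted the connection from as the last X-Forwarded-For entry.

```python
import ipaddress

# Assumption: the subnet the ATS reverse proxies connect from (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/28")]


def is_trusted_proxy(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, headers):
    """Return the address the origin should use for client-IP ACLs.

    peer_ip is the TCP source address of the connection to the origin.
    The header is honoured only when that peer is a trusted proxy.
    """
    if not is_trusted_proxy(peer_ip):
        # Direct connection: whatever X-Forwarded-For says is unverified.
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",")]
    client = peer_ip
    # Walk right to left: the rightmost entry was written by our proxy,
    # entries further left may have been supplied by the client itself.
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified hop
        client = str(addr)
        if not is_trusted_proxy(client):
            break  # first address not belonging to our own proxies
    return client


def acl_allows(peer_ip, headers, allowed_networks):
    """Client-IP ACL evaluated on the verified address only."""
    addr = ipaddress.ip_address(effective_client_ip(peer_ip, headers))
    return any(addr in ipaddress.ip_network(n) for n in allowed_networks)
```
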

