On 26/06/2014 4:53 a.m., Eliezer Croitoru wrote:
> I was not expecting this patch due to old emails about the proxy
> protocol implementation.
> I understand from the email that after this patch we can use STUNNEL and
> HAPROXY in front of squid, right?

Right. stunnel, HAProxy and any other gateway software which supports
sending the protocol.

I was also not expecting it to happen for a version or two either, but
Willy and I got talking about it the other day and when I looked closer,
the work already done on the parser and client-side cleanup happens to
be enough to make it quite a relatively clean and simple addition.

Amos

> +1 (for the idea and looked a bit at the code itself)
>
> Eliezer
>
> On 06/22/2014 08:15 AM, Amos Jeffries wrote:
>> Support receiving PROXY protocol version 1 and 2.
>>
>> PROXY protocol has been developed by Willy Tarreau of HAProxy for
>> communicating original src and dst IP:port details between proxies and
>> load balancers in a protocol-agnostic way.
>>
>> stunnel, HAProxy and some other HTTP proxying software are already
>> enabled and by adding support to Squid we can effectively chain these
>> proxies without having to rely on X-Forwarded-For headers.
>>
>> This patch adds http(s)_port mode flag (proxy-surrogate) to signal the
>> protocol is in use, parsing and processing logics for the PROXY protocol
>> headers on new connections, and extends the follow_x_forwarded_for
>> (renamed proxy_forwarded_access) access control to manage inbound
>> connections.
>> The indirect client security/trust model remains unchanged. As do all
>> HTTP related logics on the connection once PROXY protocol header has
>> been received.
>>
>>
>> Future Work:
>> * support sending PROXY protocol to cache_peers
>> * rework the PROXY parse logics as a Parser-NG child parser.
>>
>> Amos
>
Received on Thu Jun 26 2014 - 05:28:19 MDT
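
Added example, not part of the original message and not Squid's code: a minimal Python receiver for the PROXY protocol version 1 text header that honours the header only when the directly connected peer is an allowlisted gateway, which is the trust decision the patch description assigns to access control. The gateway range, sample addresses and function names are constructed assumptions, and version 2 (binary) headers are not handled.

```python
import ipaddress

V1_MAX = 107                      # longest v1 header line, CRLF included
FAMILY = {"TCP4": 4, "TCP6": 6}   # v1 protocol token -> IP version
# Constructed allowlist (assumption): gateways allowed to send PROXY headers.
TRUSTED_GATEWAYS = [ipaddress.ip_network("192.0.2.0/28")]

def parse_v1(buf):
    """Parse a v1 header at the start of buf.

    Returns (addrs, consumed); addrs is (src, sport, dst, dport), or None
    for 'PROXY UNKNOWN'. Raises ValueError on anything malformed.
    """
    end = buf.find(b"\r\n", 0, V1_MAX)
    if end < 0:
        raise ValueError("no CRLF within the first 107 bytes")
    parts = buf[:end].decode("ascii").split(" ")
    if parts[0] != "PROXY" or len(parts) < 2:
        raise ValueError("not a PROXY v1 header")
    if parts[1] == "UNKNOWN":          # rest of the line is ignored
        return None, end + 2
    if parts[1] not in FAMILY or len(parts) != 6:
        raise ValueError("bad protocol token or field count")
    src, dst = (ipaddress.ip_address(a) for a in parts[2:4])
    if src.version != FAMILY[parts[1]] or dst.version != src.version:
        raise ValueError("address family does not match protocol token")
    ports = parts[4:6]
    if not all(p.isdigit() and int(p) <= 65535 for p in ports):
        raise ValueError("bad port")
    return (src, int(ports[0]), dst, int(ports[1])), end + 2

def accept(peer_ip, first_bytes):
    """Return (client_ip, payload) for a new connection on a PROXY port."""
    peer = ipaddress.ip_address(peer_ip)
    # Trust check first: bytes from an unlisted peer are never parsed.
    if not any(peer in net for net in TRUSTED_GATEWAYS):
        raise PermissionError(f"{peer} may not send PROXY headers")
    addrs, used = parse_v1(first_bytes)
    client = addrs[0] if addrs else peer   # UNKNOWN: keep the TCP peer
    return str(client), first_bytes[used:]

if __name__ == "__main__":
    # Constructed sample: gateway 192.0.2.5 relaying client 203.0.113.7.
    hdr = b"PROXY TCP4 203.0.113.7 198.51.100.1 51234 3128\r\n"
    print(accept("192.0.2.5", hdr + b"GET / HTTP/1.1\r\n"))
```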