
List:       varnish-dev
Subject:    Re: More on the HAProxy proxy protocol
From:       Tollef Fog Heen <tfheen () varnish-software ! com>
Date:       2013-12-04 14:07:40
Message-ID: 20131204140740.GA1096 () err ! no

]] Poul-Henning Kamp

> I've been thinking about something like this:
> 
> 	remote.ip	// [IP] Other end of TCP connection
> 	remote.port	// [INT] Our socket's peer-address
> 
> 	local.ip	// [IP] own end of the TCP connection
> 	local.port	// [INT] socket's local address
> 
> 
> 	client.ip	// [IP] Which IP# client connected to our end from.
> 			// if proto == PROXY
> 			//	set from PROXY.hdr
> 			// else
> 			//	set from remote.ip
> 
> 	server.ip	// [IP] Which IP# client connected to in our end.
> 	server.port	// [INT]
> 			// if proto == PROXY
> 			//	set from PROXY.hdr
> 			// else
> 			//	set from our.*

These work for me.

> 	client.identity	// Best case ultimate client identity
> 			// if X-F-F:
> 			//	set from X-F-F
> 			// else
> 			//	set from client.ip
> 
> I'm somewhat tempted to make client.identity a STRING, rather than
> an IP, to make it clear to people that running it through an ACL
> is a bad idea.

client.identity is already a string, and I don't think we should set it
from X-F-F, but rather just client.ip.  It can be trivially overridden
if the sysadmin wants that.

-- 
Tollef Fog Heen
Technical lead | Varnish Software AS
📞: +47 21 98 92 64
We Make Websites Fly!

_______________________________________________
varnish-dev mailing list
varnish-dev@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev
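
The derivation discussed in this message, as an added example that is not part of the original post or of Varnish's code: it parses a PROXY protocol v1 line and fills `client.*`/`server.*` from it only when the listener itself is in PROXY mode, falling back to the socket addresses otherwise, and defaults `client.identity` to `client.ip` as the reply suggests. The function names, the `proto` strings and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def parse_proxy_v1(line: bytes):
    """Parse a PROXY v1 line; return (src_ip, src_port, dst_ip, dst_port),
    or None for 'PROXY UNKNOWN' (receiver must use the socket addresses)."""
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("not a complete PROXY v1 line")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) < 2 or parts[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if parts[1] == "UNKNOWN":
        return None
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("malformed PROXY v1 line")
    src, dst = (ipaddress.ip_address(p) for p in parts[2:4])
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match " + parts[1])
    if not all(p.isdigit() and int(p) <= 65535 for p in parts[4:6]):
        raise ValueError("bad port")
    return str(src), int(parts[4]), str(dst), int(parts[5])

def derive_vars(proto, remote, local, proxy_line=b"", xff=None):
    """remote/local: (ip, port) of the accepted TCP socket. proto is the
    listener's configured mode, never something the peer can choose."""
    v = {"remote.ip": remote[0], "remote.port": remote[1],
         "local.ip": local[0], "local.port": local[1]}
    hdr = parse_proxy_v1(proxy_line) if proto == "PROXY" else None
    if hdr:
        v["client.ip"], _, v["server.ip"], v["server.port"] = hdr
    else:
        v["client.ip"] = remote[0]
        v["server.ip"], v["server.port"] = local
    # Default from the reply: client.identity is a STRING taken from
    # client.ip; xff (client-supplied X-Forwarded-For) is deliberately unused.
    v["client.identity"] = v["client.ip"]
    return v

# Constructed sample: a proxy at 10.0.0.5 forwards for client 203.0.113.7.
REMOTE, LOCAL = ("10.0.0.5", 41000), ("10.0.0.9", 6081)
LINE = b"PROXY TCP4 203.0.113.7 198.51.100.20 56324 443\r\n"

if __name__ == "__main__":
    for proto in ("PROXY", "HTTP"):
        print(proto, derive_vars(proto, REMOTE, LOCAL, LINE, xff="127.0.0.1"))
```

On a non-PROXY listener the same bytes are never parsed, so a peer that sends a PROXY line uninvited cannot move `client.ip` away from `remote.ip`.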