RE: [Pound Mailing List] TPROXY
RE: [Pound Mailing List] TPROXY
Joe Gooch <mrwizard(at)k12system.com> | 2009-10-02 16:23:57
+1
I'd use it!
Joe Gooch
K12 Systems
[...]

Re: [Pound Mailing List] Summary
Thilo Bangert <bangert(at)gentoo.org> | 2009-10-02 17:14:55
Thilo Bangert <bangert(at)gentoo.org> said:[...]
Hmm, has this come through yet? I can't seem to find it.
thanks
kind regards
Thilo

Re: [Pound Mailing List] TPROXY
IVANCSO Krisztian <pound(at)percek.hu> | 2009-10-02 21:26:36
Hi,
TPROXY is Linux specific.
It's included in mainline kernel from 2.6.30, thanks to excellent work
of Balabit Ltd.
I think it's the decision of maintainers to include code that is OS
specific.
I tried to write code as non-intrusive as I could.
I think it should compile on any supported platform.
Global TProxy 0 option preserves original behavior.
Global Tproxy 1 option checks for TPROXY availability.
(use setsockopt and optname = 19 (IP_TRANSPARENT). I don't know whether optname
19 has any meaning in other OSs)
I don't know about a similar feature in other OSs, but it would be nice to
implement it on as many supported platforms as possible.
Regards,
ivan
Joe Gooch wrote: [...]
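The availability check described in the message above, sketched as an added example; this is not code from Pound or from the patch under discussion. The result names and the `classify_errno` / `probe_tproxy` helpers are hypothetical; only the optname value 19 comes from the message.

```python
import errno
import socket
import sys

# Linux optname quoted in the message above; not assumed to mean the
# same thing on other operating systems.
IP_TRANSPARENT = 19


def classify_errno(err):
    """Translate a setsockopt() failure into a probe result (names are hypothetical)."""
    if err in (errno.EPERM, errno.EACCES):
        # The kernel recognised the option but the process lacks CAP_NET_ADMIN.
        return "no-privilege"
    if err in (errno.ENOPROTOOPT, errno.EINVAL, errno.EOPNOTSUPP):
        # The kernel does not implement the option.
        return "unsupported"
    return "error"


def probe_tproxy(platform=sys.platform):
    """Return 'available', 'no-privilege', 'unsupported' or 'error'."""
    if not platform.startswith("linux"):
        # Never send optname 19 to a non-Linux IP stack.
        return "unsupported"
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
            # Read the flag back so a silently ignored option is not reported as success.
            if sock.getsockopt(socket.IPPROTO_IP, IP_TRANSPARENT) != 1:
                return "unsupported"
            return "available"
    except OSError as exc:
        return classify_errno(exc.errno)


if __name__ == "__main__":
    print(probe_tproxy())
```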

Re: [Pound Mailing List] Summary
Robert Segall <roseg(at)apsis.ch> | 2009-10-08 17:01:37
On Fri, 2009-10-02 at 17:14 +0200, Thilo Bangert wrote:[...]
No, not yet. It is still planned for 2.5 though.
In the meanwhile we are waiting for reports on 2.5c - it would be nice
if people could provide some feedback...[...]

Re: [Pound Mailing List] Summary
Eirik Øverby <eirik.overby(at)modirum.com> | 2009-10-08 17:21:18
Hi,
We were thrilled to see SSL support for back-ends. Will you be
developing this further?
/Eirik
Sent from my iPhone
On 8 Oct 2009, at 17:01, Robert Segall <roseg(at)apsis.ch> wrote:
[...]
>>>> - autoconf dependencies (Thilo Bangert): we'll add --without-pcre,
>>>> --without-hoard, --without-tcmalloc in the next version.
>>> [...]

Re: [Pound Mailing List] TPROXY
"Jean-Pierre van Melis" <jp(at)mirmana.com> | 2009-10-19 17:25:48
My router still is running a 2.4.x kernel, but would love to get this
going....
Are you willing to assist me when I try to implement this on my DD-WRT
router?
I am hoping we're getting a full 2.6 kernel on the new Asus RTN16, but I'm
getting ahead here.
It doesn't even have DD-WRT running...
JP
-----Original Message-----
From: IVANCSO Krisztian <pound(at)percek.hu>
To: pound(at)apsis.ch
Date: Fri, 02 Oct 2009 21:26:36 +0200
Subject: Re: [Pound Mailing List] TPROXY
[...]
--
To unsubscribe send an email with subject unsubscribe to pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.

Re: [Pound Mailing List] TPROXY
"Eric B." <ebenze(at)hotmail.com> | 2009-10-20 05:32:43
Hi,
I'm a bit confused by your statement. Can you explain what you mean by you
need to configure the backends to they are listening to a proxy and not the
real client?
I'm using Pound as a proxy in front of a Tomcat server, and I have made no
changes to the Tomcat configuration (except the logging) to account for
Pound. Do I need to do something additional?
Thanks,
Eric
"Jean-Pierre van Melis" <jp(at)mirmana.com> wrote
in message news:MailBoxer.1257.1254480522.92.pound(at)apsis.ch...
Is there some chance this TPROXY can get in the main code?
Having a transparent proxy makes it so much more powerful...
I'm sure it can be made it's not getting in the way of those using a classic
proxy.
I'm running pound on my router which is also the gateway of my network and
having a transparent proxy means I do not have to change the logging of my
webserver.
Even if you changed the logging.. it still isn't the same as all the
backends need to be made aware they are in fact listening to a proxy and not
to the real client....

RE: [Pound Mailing List] TPROXY
Jean-Pierre van Melis <jp(at)mirmana.com> | 2009-10-20 08:48:00
Your backends receive all their info from your proxy and see your proxy as the
original sender.
Luckily there's something like a forwarded-for header which is inserted by
pound.
You need to modify your backend so it will not show the IP where it's coming
from, but this header which is inserted by pound.
If, for instance, you have a simple application running on your webserver which
does something with the sender IP, this application needs to use this
forwarded-for header instead of the normal header. You may say, easy enough....
modify that too.. But this website may be owned by a third party which had its
website developed and running on another server and all of a sudden things
don't work as expected anymore after it moved to this backend which is behind
pound.
All this is not necessary. With TPROXY pound can be made into a true
transparent proxy. Although the http-traffic travels through the proxy they are
delivered to the backends in IP-packets which have the original IP in them. The
backend will think the traffic is coming from the Internet instead of the
proxy.
For this to work it needs to work together with the gateway. If the backend
thinks that http-data is coming from the Internet it will answer to that
address as well. It will give this data to the gateway and tells it to send it
to the Internet. The gateway knows that in fact it shouldn't do this but send
it to the proxy instead which will send that packet to the gateway again. This
time the gateway knows it should really send it to the Internet and now the
http-request has been answered...
For all this to work we need a modified pound and a mechanism on the gateway
which facilitates this.
-----Original Message-----
From: news [mailto:news(at)ger.gmane.org] On Behalf Of Eric B.
Sent: Tuesday, 20 October 2009 5:33
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] TPROXY
[...]

RE: [Pound Mailing List] TPROXY
Jacques Caron <jc(at)oxado.com> | 2009-10-20 13:50:20
Hi,
Let's just add that for Apache there is a module
(mod_extract_forwarded) that will replace the remote endpoint of the
connection by the IP inserted by pound in X-Forwarded-For in the
usual places (REMOTE_ADDR, logging, etc.), so once that module is
installed and configured, there is no need to change anything in apps
running on the server.
There are probably equivalent things for other http servers.
Jacques.
At 07:48 20/10/2009, Jean-Pierre van Melis wrote:[...]
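The header-based approach discussed in the two messages above only gives a reliable client address if the backend accepts X-Forwarded-For solely on connections that come from the proxy and reads the list from the right. The following is an added example, not code from Pound, mod_extract_forwarded or any poster; the proxy address, the sample addresses and the `client_ip` helper are constructed, and it assumes the proxy adds the real client address as the last X-Forwarded-For value.

```python
import ipaddress

# Constructed value: the address of the host running the reverse proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr):
    """True if addr belongs to a proxy we operate ourselves."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_headers):
    """Return the address a backend should log and authorise against.

    peer        -- source address of the TCP connection
    xff_headers -- values of every X-Forwarded-For line, in the order received
    """
    peer_addr = ipaddress.ip_address(peer)
    if not _is_trusted(peer_addr):
        # The connection bypassed the proxy, so the header is entirely
        # client-controlled and must be ignored.
        return str(peer_addr)

    # Flatten "a, b" lists and repeated header lines into one hop list.
    hops = [h.strip() for line in xff_headers for h in line.split(",") if h.strip()]

    # Walk from the right: the last entries were added by our own proxy,
    # anything further left was supplied by the client and may be forged.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing to its left
        if not _is_trusted(addr):
            return str(addr)
    # No usable entry: fall back to the connection's own source address.
    return str(peer_addr)


if __name__ == "__main__":
    # Constructed request: the client forged "10.0.0.1", the proxy appended the real address.
    print(client_ip("192.0.2.10", ["10.0.0.1", "203.0.113.7"]))
```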

RE: [Pound Mailing List] TPROXY
Jean-Pierre van Melis <jp(at)mirmana.com> | 2009-10-20 19:04:00
The whole idea about transparency is there's no need to change anything in
backends.
No need to reconfigure anything. You can also ad-hoc decide to let the traffic
go directly.
All traffic appears just as if it's coming from the Internet.
Just like all traffic from your NAT-router appears to be coming from the
Internet.
-----Original Message-----
From: Jacques Caron [mailto:jc(at)oxado.com]
Sent: Tuesday, 20 October 2009 13:50
To: pound(at)apsis.ch
Subject: RE: [Pound Mailing List] TPROXY
[...]

RE: [Pound Mailing List] TPROXY
Jacques Caron <jc(at)oxado.com> | 2009-10-20 19:40:34
Hi,
I certainly agree, I was just pointing out that solution for people
who need it but can't use the transparent proxy feature, which is
probably the case for the majority of people at the moment.
Jacques.
At 18:04 20/10/2009, Jean-Pierre van Melis wrote:[...]

Re: [Pound Mailing List] TPROXY
"Eric B." <ebenze(at)hotmail.com> | 2009-10-20 22:34:44
Thanks for the clarification. Originally, I couldn't see how this would
impact me, but I just realized that indeed it does affect me somewhat.
FYI, there is a Tomcat Valve & Filter port of apache's mod_remoteip module,
which is supposed to replace the IPs and schemes/etc that Tomcat sees for
instances behind load balancers and proxies.
http://code.google.com/p/xebia-france/wiki/RemoteIpValve
Thanks,
Eric
"Jean-Pierre van Melis" <jp(at)mirmana.com> wrote
in message news:MailBoxer.1273.1256021348.96.pound(at)apsis.ch...
[...]

Re: [Pound Mailing List] Help Needed
Ryan Coleman <ryc108(at)psu.edu> | 2009-10-27 14:50:35

Re: [Pound Mailing List] Help Needed
Ahamed Mukthaar <awniyya1(at)gmail.com> | 2009-10-28 05:42:31
Hello Friend Ryan,
In the link mentioned by I didn't find the example or the manual for the use
of the keywords
HTTPS and HTTPSCert,
If any other idea do reply.
On Tue, Oct 27, 2009 at 7:20 PM, Ryan Coleman <ryc108(at)psu.edu> wrote:
[...]