Umar Goldeli wrote:
> So clients make a request, they're intercepted at the firewall on
> say eth0, then redirected via ipfwadm rules through eth1 to the
> proxy port on the proxy? (and then the proxy goes off and speaks
> to a sibling or whatever)
Not quite. See below. But you are close.
> I don't see where any httpd_accel things should come in?
They do. Or an equivalent piece of software.
What httpd_accel does is to translate the request from an HTTP
request to an HTTP proxy request. It does this by relying on
two things:
Host: header of the request
The destination IP address of the request.
HTTP 1.0+ Proxy request
--- TCP connection to proxy.isp.net port 3128 ---
GET http://www.server.com/some/path/to/file HTTP/1.0
Host: www.server.com
Accept: */*
-------------------------------------------------
HTTP 1.0+ server request:
--- TCP connection to 11.22.33.44 port 80 ----
GET /some/path/to/file HTTP/1.0
Host: www.server.com
Accept: */*
-------------------------------------------------
HTTP 1.0 Server request
--- TCP connection to 11.22.33.44 port 80 ----
GET /some/path/to/file HTTP/1.0
Accept: */*
-------------------------------------------------
As you see the HTTP requests are a bit different than what a proxy
normally sees, so the process that accepts the redirected traffic
needs to put the available pieces together to find out what really
was requested in a way that proxies can understand.
Port 80, it was http (which is blindly assumed, it is an http proxy)
Host: header can give the intended host name, including possibly Host:
based virtual server.
IP address gives at least a unique server identifier if there was no
Host: header.
> Or is the network layout above not the best way to do it? Or
> am I missing something again? :)
A small fact. ipfwadm can only redirect to a port on the same machine.
Due to this fact you need to run either a small Squid or transproxyd on
the "Firewall".
transproxyd is a separate daemon that accepts a transparently
accelerated HTTP connection, translates it to a proxy request and hands
it off to a configured proxy server.
---
Henrik Nordström
Sparetime Squid Hacker

Received on Tue Aug 18 1998 - 18:12:12 MDT
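As an added illustration (not Henrik's code and not Squid's or transproxyd's), the Python below performs the translation described in the message: given the redirected request plus the connection's original destination IP and port (assumed to be recoverable from the socket before the firewall rewrote it), it builds the absolute-URL request line a proxy expects, preferring the Host: header and falling back to the destination IP when an HTTP/1.0 client sent none.

```python
# Added example: turn a transparently redirected HTTP request into the
# proxy-style request an httpd_accel / transproxyd step would hand on.
# The request samples are constructed to match the ones in the message.

DEFAULT_PORT = 80  # http is blindly assumed: this is an http-only step


def parse_request(raw: bytes):
    """Split a raw HTTP request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def to_proxy_request(raw: bytes, dst_ip: str, dst_port: int = DEFAULT_PORT) -> str:
    """Return the request line a proxy understands (absolute URL).

    dst_ip/dst_port are the original destination of the redirected TCP
    connection.  Host: wins when present, since it may name a Host-based
    virtual server; otherwise the destination IP is the only server
    identifier available.  Host: is client-supplied, so a proxy operator
    may want to log cases where it does not resolve to dst_ip.
    """
    method, target, version, headers = parse_request(raw)
    if target.startswith("http://"):
        return f"{method} {target} {version}"  # already a proxy request
    host = headers.get("host") or dst_ip
    if ":" not in host and dst_port != DEFAULT_PORT:
        host = f"{host}:{dst_port}"
    return f"{method} http://{host}{target} {version}"


# Constructed samples mirroring the second and third requests above.
REQ_WITH_HOST = (b"GET /some/path/to/file HTTP/1.0\r\n"
                 b"Host: www.server.com\r\nAccept: */*\r\n\r\n")
REQ_NO_HOST = b"GET /some/path/to/file HTTP/1.0\r\nAccept: */*\r\n\r\n"

if __name__ == "__main__":
    print(to_proxy_request(REQ_WITH_HOST, "11.22.33.44"))
    print(to_proxy_request(REQ_NO_HOST, "11.22.33.44"))
```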