[squid-users] source spoofing without tproxy?

Yuri yvoinov at gmail.com
Wed Jun 14 13:29:32 UTC 2017


Nice shot, Eliezer :-D


14.06.2017 19:28, Eliezer Croitoru wrote:
> Rephrase the "cheap nationally" into "cheat internationally".
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Eliezer Croitoru
> Sent: Wednesday, June 14, 2017 11:09 AM
> To: 'David Kewley' <dkewley at uci.edu>; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] source spoofing without tproxy?
>
> Hey,
>
> This is a library I wrote that uses tproxy:
> https://github.com/elico/go-linux-tproxy
>
> It’s doable using some enthusiasm but technically you cannot spoof just any IP since you need to be able to receive back this traffic.
> You cannot really "cheap nationally" the BGP protocol but only for specific small areas which are all under your "domain" and management.
>
> All The Bests,
> Eliezer
>
> ----
> http://ngtech.co.il/lmgtfy/
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of David Kewley
> Sent: Tuesday, June 13, 2017 4:48 AM
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] source spoofing without tproxy?
>
> I want my clients to explicitly address squid as a proxy (not use tproxy), but have squid spoof the source addresses in the forwarded connection, so that further hops know the original source address from the IPv4 headers.
>
> I could find no indication that anyone else has done this, and when I tried various things, I could not get it working.
>
> Is this possible today? If not, is it worth considering as a future feature? Or am I overlooking a reason that this cannot work even in theory?
>
> I got the nearly-equivalent functionality working for reverse proxying using nginx, but so far I've found no way to do it with forward proxying. Nginx doesn't do https forward proxying (no handling of CONNECT).
>
> If squid can't do what I'm looking for today, I would welcome pointers to other possible approaches.
>
> Thanks,
> David
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

