More on the HAProxy proxy protocol
Tollef Fog Heen
tfheen at varnish-software.com
Wed Dec 4 15:07:40 CET 2013
]] Poul-Henning Kamp
> I've been thinking about something like this:
>
> remote.ip // [IP] Other end of TCP connection
> remote.port // [INT] Our sockets peer-address
>
> local.ip // [IP] own end of the TCP connection
> local.port // [INT] sockets local address
>
>
> client.ip // [IP] Which IP# client connected to our end from.
> // if proto == PROXY
> // set from PROXY.hdr
> // else
> // set from remote.ip
>
> server.ip // [IP] Which IP# client connected to in our end.
> server.port // [INT]
> // if proto == PROXY
> // set from PROXY.hdr
> // else
> // set from our.*

These work for me.

> client.identity // Best case ultimate client identity
> // if X-F-F:
> // set from X-F-F
> // else
> // set from client.ip
>
> I'm somewhat tempted to make client.identity a STRING, rather than
> an IP, to make it clear to people that running it through an ACL
> is a bad idea.

client.identity is already a string, and I don't think we should set it
from X-F-F, but rather just client.ip. It can be trivially overridden
if the sysadmin wants that.

--
Tollef Fog Heen
Technical lead | Varnish Software AS
📞: +47 21 98 92 64
We Make Websites Fly!
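
The client.* / server.* resolution sketched in the quoted proposal, written out as an added example; it is not code from this thread or from Varnish. It assumes the version 1 text header of the PROXY protocol (`PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\r\n`), and `struct conn`, `struct endpoint` and `resolve_addrs` are hypothetical names.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

struct endpoint { char ip[INET6_ADDRSTRLEN]; int port; };
struct conn {
    struct endpoint remote, local;  /* socket addresses (getpeername/getsockname) */
    struct endpoint client, server; /* values the configuration layer would see */
};

/* Fill c->client and c->server. hdr is the first line read on a PROXY listener
 * and is ignored otherwise. Returns 0 on success, -1 if the header is
 * malformed, in which case the caller should close the connection.
 * sscanf tolerates repeated spaces and signed ports; a strict parser would not. */
static int resolve_addrs(struct conn *c, int proto_is_proxy, const char *hdr)
{
    char fam[8], src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
    unsigned char bin[sizeof(struct in6_addr)];
    int sport, dport, af, n = 0;

    c->client = c->remote;          /* default: taken from the socket peer */
    c->server = c->local;           /* default: taken from the local socket address */
    if (!proto_is_proxy)
        return 0;
    if (hdr == NULL || strlen(hdr) > 107 || strstr(hdr, "\r\n") == NULL)
        return -1;                  /* a v1 line is at most 107 bytes with CRLF */
    if (strncmp(hdr, "PROXY UNKNOWN", 13) == 0)
        return 0;                   /* no usable addresses: keep the socket ones */
    if (sscanf(hdr, "PROXY %7s %45s %45s %d %d%n",
               fam, src, dst, &sport, &dport, &n) != 5 ||
        strcmp(hdr + n, "\r\n") != 0)
        return -1;                  /* missing fields or trailing data */
    af = strcmp(fam, "TCP4") == 0 ? AF_INET :
         strcmp(fam, "TCP6") == 0 ? AF_INET6 : -1;
    if (af < 0 || inet_pton(af, src, bin) != 1 || inet_pton(af, dst, bin) != 1 ||
        sport < 0 || sport > 65535 || dport < 0 || dport > 65535)
        return -1;
    snprintf(c->client.ip, sizeof c->client.ip, "%s", src);
    snprintf(c->server.ip, sizeof c->server.ip, "%s", dst);
    c->client.port = sport;
    c->server.port = dport;
    return 0;
}

int main(void)
{   /* Constructed sample: a proxy at 10.0.0.5 connected to us at 10.0.0.9:80. */
    struct conn c = { .remote = {"10.0.0.5", 41000}, .local = {"10.0.0.9", 80} };
    int rc = resolve_addrs(&c, 1, "PROXY TCP4 203.0.113.7 198.51.100.1 56324 443\r\n");
    printf("rc=%d client=%s:%d\n", rc, c.client.ip, c.client.port);
    return rc;
}
```

remote.* and local.* always keep the socket values, so an ACL on the connecting proxy can still be applied to remote.ip when client.ip comes from the header.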