Re: Discriminate client requests from transparent proxy requests?

[Leonardo Rodrigues <leolistas@solutti.com.br>]

     how about adjusting TOS values on the packets using those created 
ACLs ?? That would probably make identification easier/possible on 
routing layers, your routers included.

     you can specify a specific TOS value for your 'normal proxy' port 
and another one for your 'transparent proxy'.

     but you're right, i didnt catch your idea and, maybe, my answer was 
for a different scenario than yours. But i think that using the 
transparent port ACL and adjusting TOS on those packets, you could catch 
that on your routers.



from http://www.squid-cache.org/Doc/config/tcp_outgoing_tos/

     Allows you to select a TOS/Diffserv value for packets outgoing
     on the server side, based on an ACL.

     tcp_outgoing_tos ds-field [!]aclname ...

     Example where normal_service_net uses the TOS value 0x00
     and good_service_net uses 0x20

     acl normal_service_net src 10.0.0.0/24
     acl good_service_net src 10.0.1.0/24
     tcp_outgoing_tos 0x00 normal_service_net
     tcp_outgoing_tos 0x20 good_service_net

     TOS/DSCP values really only have local significance - so you should
     know what you're specifying. For more information, see RFC2474,
     RFC2475, and RFC3260.

     The TOS/DSCP byte must be exactly that - a octet value  0 - 255, or
     "default" to use whatever default your host has. Note that in
     practice often only multiples of 4 is usable as the two rightmost bits
     have been redefined for use by ECN (RFC 3168 section 23.1).

     Processing proceeds in the order specified, and stops at first fully
     matching line.


Em 19/12/12 16:33, Jack Bates escreveu:
> Thank you, but what I want is for our *router* to be able to tell the 
> difference between requests from clients to origin servers (and 
> intercept these) and requests from our transparent proxy to origin 
> servers (and not intercept these). I'm wondering what options there 
> are to do this because our proxy makes "transparent" requests to 
> origin servers, with the same source address as the request from the 
> client.
>
> I think what you're describing instead is how the *proxy* can tell the 
> difference between requests that were intercepted and requests that 
> were explicitly sent to the proxy.
>


-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it