When using iptables to redirect TCP ports 80 and 443 to sniproxy, if the TCP connection is not HTTP or HTTPS, sniproxy forwards it to the fallback server. Can sniproxy forward to the original destination address from before the iptables redirect?
I don't know. I think IPtables will allow an outgoing connection to an address with an iptables redirect rule in place, since this is an outgoing connection, not a forwarded connection. If so, it should be possible to obtain the original destination address (through some getsockopt() call?) and use that as a fallback address. Maybe the logic in accept_listener_fallback_address() (wildcard case) and listener_lookup_server_address() could be modified to handle this case.
I would start by confirming IPtables behavior will permit this. I don't use the transparent proxy feature in my deployments, so these things are a bit murky to me. Then I could create a functional test for this configuration (tests/transparent_proxy_test would be a good starting place). Next I would research how to obtain the original destination address for a connection intercepted with the IPtables DIVERT action. Finally, implementing the actual logic in those three functions above should be fairly straightforward.
This is not a feature I'm going to pursue in the foreseeable future, but if someone submitted reasonable patches with a functional test I would likely merge those in.
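For a connection intercepted by an iptables REDIRECT rule on Linux, the getsockopt() option that returns the pre-NAT destination is `SO_ORIGINAL_DST`. The sketch below is an added example, not sniproxy code: `original_dst()`, `same_endpoint()` and `use_original_dst()` are hypothetical helper names, and it assumes conntrack is tracking the connection and that the listener's address family matches the traffic.

```c
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80 /* netfilter value; IP6T_SO_ORIGINAL_DST is also 80 */
#endif

/* Hypothetical helper: pre-NAT destination of an accepted socket.
 * Returns 0 on success, -1 on error (bad fd, no conntrack entry). */
int original_dst(int fd, struct sockaddr_storage *local, struct sockaddr_storage *dst)
{
    socklen_t len = sizeof(*local);
    if (getsockname(fd, (struct sockaddr *)local, &len) < 0)
        return -1;
    memset(dst, 0, sizeof(*dst));
    len = sizeof(*dst);
    /* IPPROTO_IP and IPPROTO_IPV6 equal SOL_IP and SOL_IPV6 numerically. */
    return getsockopt(fd, local->ss_family == AF_INET6 ? IPPROTO_IPV6 : IPPROTO_IP,
                      SO_ORIGINAL_DST, dst, &len);
}

/* Returns 1 when a and b carry the same address family, IP and port. */
int same_endpoint(const struct sockaddr_storage *a, const struct sockaddr_storage *b)
{
    if (a->ss_family != b->ss_family)
        return 0;
    if (a->ss_family == AF_INET) {
        const struct sockaddr_in *x = (const void *)a, *y = (const void *)b;
        return x->sin_port == y->sin_port && x->sin_addr.s_addr == y->sin_addr.s_addr;
    }
    if (a->ss_family == AF_INET6) {
        const struct sockaddr_in6 *x = (const void *)a, *y = (const void *)b;
        return x->sin6_port == y->sin6_port &&
               memcmp(&x->sin6_addr, &y->sin6_addr, sizeof(x->sin6_addr)) == 0;
    }
    return 0;
}

/* Returns 1 if *dst is usable as the fallback target, 0 to keep the
 * configured fallback. A destination equal to our own listening endpoint
 * means the connection was not redirected; forwarding there would loop. */
int use_original_dst(int fd, struct sockaddr_storage *dst)
{
    struct sockaddr_storage local;
    if (original_dst(fd, &local, dst) < 0)
        return 0;
    return !same_endpoint(&local, dst);
}
```

The self-endpoint check matters because a client that connects directly to the proxy's own port yields an original destination identical to the listener address, and a fallback connection to it would be accepted by the proxy again.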