[thirdparty/squid.git] / src / anyp / TrafficMode.h

/*
 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#ifndef SQUID_ANYP_TRAFFIC_MODE_H
#define SQUID_ANYP_TRAFFIC_MODE_H

namespace AnyP
{

/**
 * Set of 'mode' flags defining types of traffic which can be received.
 *
 * Use to determine the processing steps which need to be applied
 * to this traffic under any special circumstances which may apply.
 */
class TrafficMode
{
public:
    /** marks HTTP accelerator (reverse/surrogate proxy) traffic
     *
     * Indicating the following are required:
     *  - URL translation from relative to absolute form
     *  - restriction to origin peer relay recommended
     */
    bool accelSurrogate = false;

    /** marks ports receiving PROXY protocol traffic
     *
     * Indicating the following are required:
     *  - PROXY protocol magic header
     *  - src/dst IP retrieved from magic PROXY header
     *  - indirect client IP trust verification is mandatory
     *  - TLS is not supported
     */
    bool proxySurrogate = false;

    /** marks NAT intercepted traffic
     *
     * Indicating the following are required:
     *  - NAT lookups
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool natIntercept = false;

    /** marks TPROXY intercepted traffic
     *
     * Indicating the following are required:
     *  - src/dst IP inversion must be performed
     *  - client IP should be spoofed if possible
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool tproxyIntercept = false;

    /** marks intercept and decryption of CONNECT (tunnel) SSL traffic
     *
     * Indicating the following are required:
     *  - decryption of CONNECT request
     *  - URL translation from relative to absolute form
     *  - authentication prohibited on unwrapped requests (only on the CONNECT tunnel)
     *  - encrypted outbound server connections
     *  - peer relay prohibited. TODO: re-encrypt and re-wrap with CONNECT
     */
    bool tunnelSslBumping = false;

    /** true if the traffic is in any way intercepted
     *
     */
    bool isIntercepted() { return natIntercept||tproxyIntercept ;}
};

} // namespace AnyP

#endif
Commit	Line	Data
bbc27441	1	/*
b8ae064d	2	* Copyright (C) 1996-2023 The Squid Software Foundation and contributors
bbc27441 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
6a25a046 FC	9	#ifndef SQUID_ANYP_TRAFFIC_MODE_H
	10	#define SQUID_ANYP_TRAFFIC_MODE_H
	11
	12	namespace AnyP
	13	{
	14
	15	/**
2f8abb64	16	* Set of 'mode' flags defining types of traffic which can be received.
6a25a046 FC	17	*
	18	* Use to determine the processing steps which need to be applied
	19	* to this traffic under any special circumstances which may apply.
	20	*/
	21	class TrafficMode
	22	{
	23	public:
6a25a046 FC	24	/** marks HTTP accelerator (reverse/surrogate proxy) traffic
	25	*
	26	* Indicating the following are required:
	27	* - URL translation from relative to absolute form
	28	* - restriction to origin peer relay recommended
	29	*/
b56b37cf	30	bool accelSurrogate = false;
6a25a046	31
00d0ce87 AJ	32	/** marks ports receiving PROXY protocol traffic
	33	*
	34	* Indicating the following are required:
	35	* - PROXY protocol magic header
	36	* - src/dst IP retrieved from magic PROXY header
151ba0d4 AJ	37	* - indirect client IP trust verification is mandatory
151ba0d4 AJ	38	* - TLS is not supported
00d0ce87	39	*/
b56b37cf	40	bool proxySurrogate = false;
00d0ce87	41
6a25a046 FC	42	/** marks NAT intercepted traffic
	43	*
	44	* Indicating the following are required:
	45	* - NAT lookups
	46	* - URL translation from relative to absolute form
	47	* - Same-Origin verification is mandatory
	48	* - destination pinning is recommended
	49	* - authentication prohibited
	50	*/
b56b37cf	51	bool natIntercept = false;
6a25a046 FC	52
	53	/** marks TPROXY intercepted traffic
	54	*
	55	* Indicating the following are required:
	56	* - src/dst IP inversion must be performed
	57	* - client IP should be spoofed if possible
	58	* - URL translation from relative to absolute form
	59	* - Same-Origin verification is mandatory
	60	* - destination pinning is recommended
	61	* - authentication prohibited
	62	*/
b56b37cf	63	bool tproxyIntercept = false;
6a25a046 FC	64
	65	/** marks intercept and decryption of CONNECT (tunnel) SSL traffic
	66	*
	67	* Indicating the following are required:
	68	* - decryption of CONNECT request
	69	* - URL translation from relative to absolute form
	70	* - authentication prohibited on unwrapped requests (only on the CONNECT tunnel)
	71	* - encrypted outbound server connections
	72	* - peer relay prohibited. TODO: re-encrypt and re-wrap with CONNECT
	73	*/
b56b37cf	74	bool tunnelSslBumping = false;
c3d24490 FC	75
	76	/** true if the traffic is in any way intercepted
	77	*
	78	*/
	79	bool isIntercepted() { return natIntercept\|\|tproxyIntercept ;}
6a25a046 FC	80	};
	81
	82	} // namespace AnyP
	83
	84	#endif
f53969cc	85