Commit | Line | Data |
---|---|---|
bbc27441 | 1 | /* |
f70aedc4 | 2 | * Copyright (C) 1996-2021 The Squid Software Foundation and contributors |
bbc27441 AJ |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
6a25a046 FC |
9 | #ifndef SQUID_ANYP_TRAFFIC_MODE_H |
10 | #define SQUID_ANYP_TRAFFIC_MODE_H | |
11 | ||
12 | namespace AnyP | |
13 | { | |
14 | ||
15 | /** | |
2f8abb64 | 16 | * Set of 'mode' flags defining types of traffic which can be received. |
6a25a046 FC |
17 | * |
18 | * Use to determine the processing steps which need to be applied | |
19 | * to this traffic under any special circumstances which may apply. | |
20 | */ | |
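class TrafficMode
{
public:
    /** marks HTTP accelerator (reverse/surrogate proxy) traffic
     *
     * Indicating the following are required:
     *  - URL translation from relative to absolute form
     *  - restriction to origin peer relay recommended
     */
    bool accelSurrogate = false;

    /** marks ports receiving PROXY protocol traffic
     *
     * Indicating the following are required:
     *  - PROXY protocol magic header
     *  - src/dst IP retrieved from magic PROXY header
     *  - indirect client IP trust verification is mandatory
     *  - TLS is not supported
     *
     * NOTE(review): the src/dst addresses come from a header written by the
     * connecting peer, which is presumably why trust verification of that
     * peer is listed as mandatory -- confirm against the code that consumes
     * this flag.
     */
    bool proxySurrogate = false;

    /** marks NAT intercepted traffic
     *
     * Indicating the following are required:
     *  - NAT lookups
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool natIntercept = false;

    /** marks TPROXY intercepted traffic
     *
     * Indicating the following are required:
     *  - src/dst IP inversion must be performed
     *  - client IP should be spoofed if possible
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool tproxyIntercept = false;

    /** marks intercept and decryption of CONNECT (tunnel) SSL traffic
     *
     * Indicating the following are required:
     *  - decryption of CONNECT request
     *  - URL translation from relative to absolute form
     *  - authentication prohibited on unwrapped requests (only on the CONNECT tunnel)
     *  - encrypted outbound server connections
     *  - peer relay prohibited. TODO: re-encrypt and re-wrap with CONNECT
     *
     * This flag is not part of isIntercepted(); code that must treat bumped
     * traffic specially has to test it explicitly.
     */
    bool tunnelSslBumping = false;

    /** true if the traffic is in any way intercepted
     *
     * Only natIntercept and tproxyIntercept are consulted. accelSurrogate,
     * proxySurrogate and tunnelSslBumping do not affect the result, so a
     * caller gating the interception-only requirements listed above
     * (Same-Origin verification, authentication prohibition) on this
     * predicate does not cover those other modes.
     *
     * Declared const so the predicate can be evaluated through a const
     * reference or on a const object; it reads flags and modifies nothing.
     *
     * \return natIntercept || tproxyIntercept
     */
    bool isIntercepted() const { return natIntercept || tproxyIntercept; }
};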
81 | ||
82 | } // namespace AnyP | |
83 | ||
84 | #endif | |
f53969cc | 85 |