1 /*
2 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 #ifndef SQUID_ANYP_TRAFFIC_MODE_H
10 #define SQUID_ANYP_TRAFFIC_MODE_H
11
12 namespace AnyP
13 {
14
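/**
 * Set of 'mode' flags defining types of traffic which can be received.
 *
 * Use to determine the processing steps which need to be applied
 * to this traffic under any special circumstances which may apply.
 *
 * Every flag starts out false. This class does not validate flag
 * combinations; code that sets these members is responsible for keeping
 * them consistent with the requirements listed on each flag.
 *
 * Copying uses the compiler-generated member-wise copy constructor and
 * assignment operator. All members are plain bools, so a raw memcpy() over
 * the object is unnecessary, and this header no longer relies on <cstring>
 * having been included by whoever includes it.
 */
class TrafficMode
{
public:
    /// Creates a mode set with every flag cleared.
    TrafficMode() :
        accelSurrogate(false),
        proxySurrogate(false),
        natIntercept(false),
        tproxyIntercept(false),
        tunnelSslBumping(false)
    {}

    /** marks HTTP accelerator (reverse/surrogate proxy) traffic
     *
     * Indicating the following are required:
     *  - URL translation from relative to absolute form
     *  - restriction to origin peer relay recommended
     */
    bool accelSurrogate;

    /** marks ports receiving PROXY protocol traffic
     *
     * Indicating the following are required:
     *  - PROXY protocol magic header
     *  - src/dst IP retrieved from magic PROXY header
     *  - indirect client IP trust verification is mandatory
     *  - TLS is not supported
     */
    bool proxySurrogate;

    /** marks NAT intercepted traffic
     *
     * Indicating the following are required:
     *  - NAT lookups
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool natIntercept;

    /** marks TPROXY intercepted traffic
     *
     * Indicating the following are required:
     *  - src/dst IP inversion must be performed
     *  - client IP should be spoofed if possible
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool tproxyIntercept;

    /** marks intercept and decryption of CONNECT (tunnel) SSL traffic
     *
     * Indicating the following are required:
     *  - decryption of CONNECT request
     *  - URL translation from relative to absolute form
     *  - authentication prohibited on unwrapped requests (only on the CONNECT tunnel)
     *  - encrypted outbound server connections
     *  - peer relay prohibited. TODO: re-encrypt and re-wrap with CONNECT
     */
    bool tunnelSslBumping;

    /** true if the traffic is in any way intercepted
     *
     * Only natIntercept and tproxyIntercept are consulted. A set
     * tunnelSslBumping or proxySurrogate flag does not make this return
     * true, so checks that depend on those modes must test them directly.
     *
     * Declared const so that it can be called on const objects and
     * through const references.
     */
    bool isIntercepted() const { return natIntercept || tproxyIntercept; }
};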
85
86 } // namespace AnyP
87
88 #endif
89