1 /*
2 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 #ifndef SQUID_ANYP_TRAFFIC_MODE_H
10 #define SQUID_ANYP_TRAFFIC_MODE_H
11
12 namespace AnyP
13 {
14
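/**
 * Set of 'mode' flags defining types of traffic which can be received.
 *
 * Use to determine the processing steps which need to be applied
 * to this traffic under any special circumstances which may apply.
 *
 * Every flag defaults to false. Several flags list mandatory security
 * requirements (trust verification, Same-Origin verification, limits on
 * authentication). Nothing in this class enforces them: it only records
 * which modes are set.
 */
class TrafficMode
{
public:
    /** marks HTTP accelerator (reverse/surrogate proxy) traffic
     *
     * Indicating the following are required:
     *  - URL translation from relative to absolute form
     *  - restriction to origin peer relay recommended
     */
    bool accelSurrogate = false;

    /** marks ports receiving PROXY protocol traffic
     *
     * Indicating the following are required:
     *  - PROXY protocol magic header
     *  - src/dst IP retrieved from magic PROXY header
     *  - indirect client IP trust verification is mandatory
     *  - TLS is not supported
     *
     * The src/dst addresses are taken from the header rather than from
     * the connection itself, which is why the trust verification above
     * is mandatory and not merely recommended.
     */
    bool proxySurrogate = false;

    /** marks NAT intercepted traffic
     *
     * Indicating the following are required:
     *  - NAT lookups
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool natIntercept = false;

    /** marks TPROXY intercepted traffic
     *
     * Indicating the following are required:
     *  - src/dst IP inversion must be performed
     *  - client IP should be spoofed if possible
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool tproxyIntercept = false;

    /** marks intercept and decryption of CONNECT (tunnel) SSL traffic
     *
     * Indicating the following are required:
     *  - decryption of CONNECT request
     *  - URL translation from relative to absolute form
     *  - authentication prohibited on unwrapped requests (only on the CONNECT tunnel)
     *  - encrypted outbound server connections
     *  - peer relay prohibited. TODO: re-encrypt and re-wrap with CONNECT
     */
    bool tunnelSslBumping = false;

    /** true if the traffic is intercepted at the network level
     *
     * Only natIntercept and tproxyIntercept are consulted.
     * accelSurrogate, proxySurrogate and tunnelSslBumping do not affect
     * the result, so callers that need to know about decrypted CONNECT
     * tunnels must test tunnelSslBumping separately.
     *
     * Declared const so that the check can be made through a const
     * TrafficMode object or reference.
     *
     * \return natIntercept || tproxyIntercept
     */
    bool isIntercepted() const { return natIntercept || tproxyIntercept; }
};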
81
82 } // namespace AnyP
83
84 #endif
85