Commit | Line | Data |
---|---|---|
bbc27441 | 1 | /* |
5b74111a | 2 | * Copyright (C) 1996-2018 The Squid Software Foundation and contributors |
bbc27441 AJ |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
6a25a046 FC |
9 | #ifndef SQUID_ANYP_TRAFFIC_MODE_H |
10 | #define SQUID_ANYP_TRAFFIC_MODE_H | |
11 | ||
12 | namespace AnyP | |
13 | { | |
14 | ||
15 | /** | |
16 | * Set of 'mode' flags defining types of traffic which can be received. | |
17 | * | |
18 | * Use to determine the processing steps which need to be applied | |
19 | * to this traffic under any special circumstances which may apply. | |
20 | */ | |
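class TrafficMode
{
public:
    /// All mode flags start cleared; whoever configures the port sets the ones that apply.
    TrafficMode() : accelSurrogate(false), proxySurrogate(false), natIntercept(false), tproxyIntercept(false), tunnelSslBumping(false) {}

    // Copy construction and assignment are the implicit member-wise ones.
    // Every member is a plain bool, so a raw memcpy() over the object is not
    // needed; dropping it also removes the dependency on <cstring> being
    // included by the user of this header and the overlapping copy that a
    // memcpy()-based self-assignment performs.

    /** marks HTTP accelerator (reverse/surrogate proxy) traffic
     *
     * Indicating the following are required:
     *  - URL translation from relative to absolute form
     *  - restriction to origin peer relay recommended
     */
    bool accelSurrogate;

    /** marks ports receiving PROXY protocol traffic
     *
     * Indicating the following are required:
     *  - PROXY protocol magic header
     *  - src/dst IP retrieved from magic PROXY header
     *  - indirect client IP trust verification is mandatory
     *  - TLS is not supported
     */
    bool proxySurrogate;

    /** marks NAT intercepted traffic
     *
     * Indicating the following are required:
     *  - NAT lookups
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool natIntercept;

    /** marks TPROXY intercepted traffic
     *
     * Indicating the following are required:
     *  - src/dst IP inversion must be performed
     *  - client IP should be spoofed if possible
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool tproxyIntercept;

    /** marks intercept and decryption of CONNECT (tunnel) SSL traffic
     *
     * Indicating the following are required:
     *  - decryption of CONNECT request
     *  - URL translation from relative to absolute form
     *  - authentication prohibited on unwrapped requests (only on the CONNECT tunnel)
     *  - encrypted outbound server connections
     *  - peer relay prohibited. TODO: re-encrypt and re-wrap with CONNECT
     */
    bool tunnelSslBumping;

    /** true if the traffic was intercepted at the network level
     *
     * Only natIntercept and tproxyIntercept are consulted here.
     * tunnelSslBumping and the surrogate flags do not make this true, so
     * callers that gate the restrictions listed for those modes must test
     * the individual flags themselves.
     *
     * \return natIntercept || tproxyIntercept
     */
    bool isIntercepted() const { return natIntercept || tproxyIntercept; }
};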
85 | ||
86 | } // namespace AnyP | |
87 | ||
88 | #endif | |
f53969cc | 89 |