git.ipfire.org Git - thirdparty/squid.git/blob - src/anyp/TrafficMode.h
a18ed955e36edb08fc126ae0d116090844ddb30f
2 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 #ifndef SQUID_ANYP_TRAFFIC_MODE_H
10 #define SQUID_ANYP_TRAFFIC_MODE_H
16 * Set of 'mode' flags defining types of traffic which can be received.
18 * Used to determine the processing steps which need to be applied
19 * to this traffic under any special circumstances which may apply.
/** marks HTTP accelerator (reverse/surrogate proxy) traffic
 *
 * Indicating the following are required:
 *  - URL translation from relative to absolute form
 *  - restriction to origin peer relay recommended
 *
 * Security rationale: an accelerator that relays to destinations other
 * than its configured origin peers can be used by outside clients as an
 * open forward proxy, hence the relay restriction.
 *
 * This member only records the mode; nothing in this declaration performs
 * the steps listed above. Defaults to false.
 */
bool accelSurrogate = false;
/** marks ports receiving PROXY protocol traffic
 *
 * Indicating the following are required:
 *  - PROXY protocol magic header
 *  - src/dst IP retrieved from magic PROXY header
 *  - indirect client IP trust verification is mandatory
 *  - TLS is not supported
 *
 * Security rationale: the addresses in the PROXY header are asserted by
 * the connecting peer, not observed on the socket. Unless that peer is
 * verified as trusted, any client-IP based access control or logging
 * would be working from forgeable data, hence the mandatory check.
 *
 * This member only records the mode; nothing in this declaration performs
 * the verification. Defaults to false.
 */
bool proxySurrogate = false;
/** marks NAT intercepted traffic
 *
 * Indicating the following are required:
 *  - URL translation from relative to absolute form
 *  - Same-Origin verification is mandatory
 *  - destination pinning is recommended
 *  - authentication prohibited
 *
 * Security rationale: on intercepted traffic the URL is rebuilt from
 * client-supplied request data, which may name a different host than the
 * address the client actually connected to. Same-Origin verification and
 * destination pinning keep a mismatched request from being relayed or
 * cached under the wrong origin. Authentication is prohibited because the
 * client does not know a proxy is present, so it cannot meaningfully
 * answer a proxy authentication challenge.
 *
 * This member only records the mode; nothing in this declaration performs
 * the checks. Defaults to false.
 */
bool natIntercept = false;
/** marks TPROXY intercepted traffic
 *
 * Indicating the following are required:
 *  - src/dst IP inversion must be performed
 *  - client IP should be spoofed if possible
 *  - URL translation from relative to absolute form
 *  - Same-Origin verification is mandatory
 *  - destination pinning is recommended
 *  - authentication prohibited
 *
 * Security rationale: as with NAT interception, the URL is rebuilt from
 * client-supplied request data, so it must be verified against the
 * destination the client actually connected to before it is relayed or
 * cached. Authentication is prohibited because the client does not know
 * a proxy is present.
 *
 * This member only records the mode; nothing in this declaration performs
 * the checks. Defaults to false.
 */
bool tproxyIntercept = false;
/** marks intercept and decryption of CONNECT (tunnel) SSL traffic
 *
 * Indicating the following are required:
 *  - decryption of CONNECT request
 *  - URL translation from relative to absolute form
 *  - authentication prohibited on unwrapped requests (only on the CONNECT tunnel)
 *  - encrypted outbound server connections
 *  - peer relay prohibited. TODO: re-encrypt and re-wrap with CONNECT
 *
 * Security rationale: the unwrapped requests were sent by the client
 * inside an encrypted tunnel. Requiring encrypted outbound connections
 * and prohibiting peer relay keeps that decrypted content from leaving
 * the proxy in cleartext or reaching an intermediary the client never
 * addressed.
 *
 * This member only records the mode; nothing in this declaration performs
 * the steps listed above. Defaults to false.
 */
bool tunnelSslBumping = false;
/** true if the traffic is in any way intercepted
 *
 * Returns true when either natIntercept or tproxyIntercept is set.
 * No other mode flag is consulted, so accelerator, PROXY protocol and
 * SSL-bump modes on their own do not count as interception here.
 *
 * NOTE(review): the body only reads two members; it looks like this
 * could be declared const. Confirm against callers.
 */
bool isIntercepted() {
    if (natIntercept)
        return true;
    return tproxyIntercept;
}