p->options.background_ping = 1;
} else if (!strcasecmp(token, "no-digest")) {
p->options.no_digest = 1;
+ } else if (!strcasecmp(token, "no-tproxy")) {
+ p->options.no_tproxy = 1;
} else if (!strcasecmp(token, "multicast-responder")) {
p->options.mcast_responder = 1;
} else if (!strncasecmp(token, "weight=", 7)) {
Can be used by outgoing access controls through the
peername ACL type.
+ no-tproxy Do not use the client-spoof TPROXY support when forwarding
+ requests to this peer. Use normal address selection instead.
+
proxy-only objects fetched from the peer will not be stored locally.
DOC_END
IpAddress outgoing;
unsigned short tos;
-
IpAddress client_addr;
assert(fs);
assert(server_fd == -1);
ctimeout = Config.Timeout.connect;
}
- if (request->flags.spoof_client_ip)
- client_addr = request->client_addr;
+ if (request->flags.spoof_client_ip) {
+ if (!fs->_peer || !fs->_peer->options.no_tproxy)
+ client_addr = request->client_addr;
+ // else no tproxy today ...
+ }
if (ftimeout < 0)
ftimeout = 5;
int flags = COMM_NONBLOCKING;
if (request->flags.spoof_client_ip) {
- flags |= COMM_TRANSPARENT;
+ if (!fs->_peer || !fs->_peer->options.no_tproxy)
+ flags |= COMM_TRANSPARENT;
+ // else no tproxy today ...
}
fd = comm_openex(SOCK_STREAM, IPPROTO_TCP, outgoing, flags, tos, url);
IpAddress
getOutgoingAddr(HttpRequest * request, struct peer *dst_peer)
{
- if (request && request->flags.spoof_client_ip)
- return request->client_addr;
+ if (request && request->flags.spoof_client_ip) {
+ if (!dst_peer || !dst_peer->options.no_tproxy)
+ return request->client_addr;
+ // else no tproxy today ...
+ }
if (!Config.accessList.outgoing_address) {
return IpAddress(); // anything will do.
if (p->options.allow_miss)
storeAppendPrintf(sentry, " allow-miss");
+ if (p->options.no_tproxy)
+ storeAppendPrintf(sentry, " no-tproxy");
+
if (p->max_conn > 0)
storeAppendPrintf(sentry, " max-conn=%d", p->max_conn);