Update interception documentation and debugging.

Adds better documentation on effects of intercept and tproxy flags.

Alters debugging to clearly log components enabled/disabled on startup and
reconfigure of http(s)_port's using interception flags.

diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index f41466343afe95251667b17a5e37481db77f2ed6..3ce9a2c05964e1824d668b61dd8f5720ba9626ee 100644 (file)
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -2935,20 +2935,30 @@ parse_http_port_option(http_port_list * s, char *token)
     } else if (strcmp(token, "transparent") == 0 || strcmp(token, "intercept") == 0) {
         s->intercepted = 1;
         IPInterceptor.StartInterception();
+        /* Log information regarding the port modes under interception. */
+        debugs(3, DBG_IMPORTANT, "Starting Authentication on port " << s->s);
+        debugs(3, DBG_IMPORTANT, "Disabling Authentication on port " << s->s << " (interception enabled)");
+
 #if USE_IPV6
         /* INET6: until transparent REDIRECT works on IPv6 SOCKET, force wildcard to IPv4 */
+        debugs(3, DBG_IMPORTANT, "Disabling IPv6 on port " << s->s << " (interception enabled)");
         if( !s->s.SetIPv4() ) {
-            debugs(3, 0, "http(s)_port: IPv6 addresses cannot be 'transparent' (protocol does not provide NAT)" << s->s );
+            debugs(3, DBG_CRITICAL, "http(s)_port: IPv6 addresses cannot be transparent (protocol does not provide NAT)" << s->s );
             self_destruct();
         }
 #endif
     } else if (strcmp(token, "tproxy") == 0) {
         s->spoof_client_ip = 1;
         IPInterceptor.StartTransparency();
+        /* Log information regarding the port modes under transparency. */
+        debugs(3, DBG_IMPORTANT, "Starting IP Spoofing on port " << s->s);
+        debugs(3, DBG_IMPORTANT, "Disabling Authentication on port " << s->s << " (Ip spoofing enabled)");
+
 #if USE_IPV6
         /* INET6: until target TPROXY is known to work on IPv6 SOCKET, force wildcard to IPv4 */
+        debugs(3, DBG_IMPORTANT, "Disabling IPv6 on port " << s->s << " (interception enabled)");
         if( s->s.IsIPv6() && !s->s.SetIPv4() ) {
-            debugs(3, 0, "http(s)_port: IPv6 addresses cannot be transparent (protocol does not provide NAT)" << s->s );
+            debugs(3, DBG_CRITICAL, "http(s)_port: IPv6 addresses cannot be transparent (protocol does not provide NAT)" << s->s );
             self_destruct();
         }
 #endif

diff --git a/src/cf.data.pre b/src/cf.data.pre
index 172ebe42fce1e86bb8531c77783885a8c134bde3..da98a127f3e49c974c5d3b598f6df47aeb35c10e 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -106,6 +106,8 @@ DOC_START
        proxy as the client then thinks it is talking to an origin server and
        not the proxy. This is a limitation of bending the TCP/IP protocol to
        transparently intercepting port 80, not a limitation in Squid.
+       Ports flagged 'transparent', 'intercept', or 'tproxy' have authentication
+       disabled.
 
        === Parameters for the basic scheme follow. ===
 
@@ -900,9 +902,11 @@ DOC_START
 
           intercept    Support for IP-Layer interception of
                        outgoing requests without browser settings.
+                       NP: disables authentication and IPv6 on the port.
 
           tproxy       Support Linux TPROXY for spoofing outgoing
                        connections using the client IP address.
+                       NP: disables authentication and IPv6 on the port.
 
           accel        Accelerator mode. Also needs at least one of
                        vhost / vport / defaultsite.