From e1f6a6688fa668d9fc32d64add4de329a55fc281 Mon Sep 17 00:00:00 2001 From: Susan Hinrichs Date: Mon, 10 Jan 2022 10:10:13 -0600 Subject: [PATCH 1/3] Fix transparent mode documentation --- .../configuration/transparent-proxy.en.rst | 26 ++++--------------- doc/admin-guide/files/records.config.en.rst | 8 +++--- 2 files changed, 9 insertions(+), 25 deletions(-) diff --git a/doc/admin-guide/configuration/transparent-proxy.en.rst b/doc/admin-guide/configuration/transparent-proxy.en.rst index 31ce623d7e6..70d51cd9ca5 100644 --- a/doc/admin-guide/configuration/transparent-proxy.en.rst +++ b/doc/admin-guide/configuration/transparent-proxy.en.rst @@ -84,32 +84,16 @@ Standard build procedures should work for transparency support but if not consult these :ref:`more detailed instructions `. Transparency is configured per server port, not globally. This is done -via the configuration values :ts:cv:`proxy.config.http.server_ports`. -In addition, :ts:cv:`proxy.config.reverse_proxy.enabled` must be enabled if the -client side is transparent. That should be fixed in a future patch. - -.. XXX has that been fixed? - -.. XXX revisit section below - -In the first case use the attribute character (replacing the default -'X') - -**Attribute** **Transparency Style** **Reverse Proxy** - -``=`` - Full transparency: either - -``>`` - Inbound (client) transparency: enabled - -``<`` - Outbound (origin server) transparency: either +via the configuration values :ts:cv:`proxy.config.http.server_ports`, specifically tr-in, tr-full, and tr-out. In the outbound transparent case clients must connect directly to ATS either through an explicit proxy mechanism or by advertising the IP address of the ATS server via DNS as the origin server address. +The :ts:cv:`proxy.config.http.use_client_target_addr` should also be reviewed when setting up and outbound +transparent scenario. If |TS| has the same DNS as the client, options 1 and 2 can be used. Otherwise, +option 2 must be used. + Some tested scenarios -- - :doc:`transparent-proxy/bridge.en` diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst index a56fdf81d5b..9e142db2fee 100644 --- a/doc/admin-guide/files/records.config.en.rst +++ b/doc/admin-guide/files/records.config.en.rst @@ -1121,10 +1121,10 @@ mptcp in the set of addresses found by the proxy, the request continues to the client specified address, but the result is not cached. ``2`` Enables the feature with no address verification. No DNS processing is - performed. The result is cached (if allowed otherwise). This option is - vulnerable to cache poisoning if an incorrect ``Host`` header is - specified, so this option should be used with extreme caution. See - bug TS-2954 for details. + performed. The result is cached (if allowed otherwise). + This option is vulnerable to cache poisoning if an incorrect ``Host`` header is + specified, so this option should be used with extreme caution if HTTP caching is + enabled. See bug TS-2954 for details. ===== ====================================================================== If all of these conditions are met, then the origin server IP address is From d2b061cd866ec82504eb4873a4ca4578f98f1a97 Mon Sep 17 00:00:00 2001 From: Susan Hinrichs Date: Mon, 10 Jan 2022 11:14:59 -0600 Subject: [PATCH 2/3] Fix doc issues --- doc/admin-guide/configuration/transparent-proxy.en.rst | 4 +++- doc/admin-guide/files/records.config.en.rst | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/admin-guide/configuration/transparent-proxy.en.rst b/doc/admin-guide/configuration/transparent-proxy.en.rst index 70d51cd9ca5..962852491db 100644 --- a/doc/admin-guide/configuration/transparent-proxy.en.rst +++ b/doc/admin-guide/configuration/transparent-proxy.en.rst @@ -1,5 +1,7 @@ .. _transparent-proxy: +.. include:: ../../common.defs + Transparent Proxying ******************** @@ -91,7 +93,7 @@ either through an explicit proxy mechanism or by advertising the IP address of the ATS server via DNS as the origin server address. The :ts:cv:`proxy.config.http.use_client_target_addr` should also be reviewed when setting up and outbound -transparent scenario. If |TS| has the same DNS as the client, options 1 and 2 can be used. Otherwise, +transparent scenario. If |TS| has the same DNS as the client, options 1 and 2 can be used. Otherwise, option 2 must be used. Some tested scenarios -- diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst index 9e142db2fee..29cc8c457d2 100644 --- a/doc/admin-guide/files/records.config.en.rst +++ b/doc/admin-guide/files/records.config.en.rst @@ -1121,9 +1121,9 @@ mptcp in the set of addresses found by the proxy, the request continues to the client specified address, but the result is not cached. ``2`` Enables the feature with no address verification. No DNS processing is - performed. The result is cached (if allowed otherwise). + performed. The result is cached (if allowed otherwise). This option is vulnerable to cache poisoning if an incorrect ``Host`` header is - specified, so this option should be used with extreme caution if HTTP caching is + specified, so this option should be used with extreme caution if HTTP caching is enabled. See bug TS-2954 for details. ===== ====================================================================== From a54e39e47cdb150a73faec73a53d624c4fa80169 Mon Sep 17 00:00:00 2001 From: Susan Hinrichs Date: Tue, 11 Jan 2022 09:10:00 -0600 Subject: [PATCH 3/3] Fix according to Brian's suggestions --- .../configuration/transparent-proxy.en.rst | 21 +++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/doc/admin-guide/configuration/transparent-proxy.en.rst b/doc/admin-guide/configuration/transparent-proxy.en.rst index 962852491db..9f1cfc27af4 100644 --- a/doc/admin-guide/configuration/transparent-proxy.en.rst +++ b/doc/admin-guide/configuration/transparent-proxy.en.rst @@ -1,7 +1,24 @@ -.. _transparent-proxy: +.. Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. .. include:: ../../common.defs +.. _transparent-proxy: + Transparent Proxying ******************** @@ -92,7 +109,7 @@ In the outbound transparent case clients must connect directly to ATS either through an explicit proxy mechanism or by advertising the IP address of the ATS server via DNS as the origin server address. -The :ts:cv:`proxy.config.http.use_client_target_addr` should also be reviewed when setting up and outbound +The :ts:cv:`proxy.config.http.use_client_target_addr` should also be reviewed when setting up an outbound transparent scenario. If |TS| has the same DNS as the client, options 1 and 2 can be used. Otherwise, option 2 must be used.