.. _transparent-proxy:

Transparent Proxying
********************

.. Licensed to the Apache Software Foundation (ASF) under one
   or more contributor license agreements. See the NOTICE file
   distributed with this work for additional information
   regarding copyright ownership. The ASF licenses this file
   to you under the Apache License, Version 2.0 (the
   "License"); you may not use this file except in compliance
   with the License. You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing,
   software distributed under the License is distributed on an
   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
   KIND, either express or implied. See the License for the
   specific language governing permissions and limitations
   under the License.

.. toctree::
   :maxdepth: 2

   transparent-proxy/build.en
   transparent-proxy/bridge.en
   transparent-proxy/router-inline.en
   transparent-proxy/wccp-configuration.en
   transparent-proxy/wccp-service-config.en

Transparent Proxying is the ability of a proxy (such as ATS) to
intercept connections between clients and servers without being visible.
The general network structure that will be used in this documentation is
shown in the following figure.

.. figure:: ../../static/images/admin/ats-basic-traffic.png
   :align: center
   :alt: ATS basic traffic flow of Transparent Proxy

   ATS basic traffic flow of Transparent Proxy

There must be a gateway device through which all network traffic passes
from the client to the Internet (or external cloud). The gateway is
responsible for effectively splicing ATS into selected streams of that
traffic. Each traffic stream is split in two, with ATS terminating
both sides. That is, stream green-1, red-2, is split into the green
connection and the red connection. Note that ATS may or may not be on
the gateway system; the redirected traffic can flow over other network
infrastructure.
Because ATS uses two connections, transparency can be set independently
on the client and origin server (Internet / external cloud) side. We
will define what is generally called "transparent proxy" as two aspects,
*inbound transparency* and *outbound transparency*.
Inbound transparency is a proxy that is transparent to connections that
are inbound to the proxy, i.e. a connection initiated by a client which
connects to the proxy (green-1). Similarly, outbound transparency is a
proxy that is transparent to connections that are outbound from the
proxy, i.e. a connection initiated by the proxy to an origin server
(red-2).
In most situations these two types of transparency are combined, but that is
not required. Traffic Server supports transparency independently on the two
sides.

.. important::

   It is critical to note that any transparency requires specialized
   routing and cannot be done solely by configuring ATS. ATS transparency
   also requires support from the Linux kernel and therefore currently only
   works on sufficiently recent Linux kernels that support the following
   features:

   - TPROXY
   - POSIX capabilities

   In addition the specialized routing will require using ``iptables`` and
   in some cases ``ebtables``.

Standard build procedures should work for transparency support, but if
not, consult these :ref:`more detailed instructions <building-ats-for-transparency>`.
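
The kernel prerequisites listed above can be checked on a host before any routing is set up. The script below is an added example, not part of the ATS documentation or code base: the function names are illustrative, the option names are upstream kernel Kconfig symbols, and it assumes the capability that matters is ``CAP_NET_ADMIN``, which the kernel requires for setting ``IP_TRANSPARENT`` on a socket.

```shell
#!/bin/sh
# Added example (not from the ATS documentation): preflight check for the
# kernel prerequisites named above. Function names are illustrative.

# Upstream Kconfig symbols for the iptables TPROXY target, the "socket"
# match, and policy routing (multiple routing tables).
TPROXY_OPTS="CONFIG_NETFILTER_XT_TARGET_TPROXY
CONFIG_NETFILTER_XT_MATCH_SOCKET
CONFIG_IP_MULTIPLE_TABLES"

# Reads kernel config text on stdin and prints every required option that
# is neither built in (=y) nor a module (=m). No output means all present.
tproxy_missing_opts() {
    cfg=$(cat)
    for opt in $TPROXY_OPTS; do
        printf '%s\n' "$cfg" | grep -Eq "^${opt}=[ym]\$" || printf '%s\n' "$opt"
    done
}

# $1 is a CapEff hex mask as shown in /proc/<pid>/status. Succeeds when
# CAP_NET_ADMIN (capability number 12), which the kernel requires for
# setting IP_TRANSPARENT on a socket, is in the effective set.
has_cap_net_admin() {
    [ $(( (0x$1 >> 12) & 1 )) -eq 1 ]
}

# Constructed sample input: a kernel config fragment with the socket match
# disabled, and the CapEff value of a process holding only
# CAP_NET_BIND_SERVICE (bit 10).
sample_kconfig() {
    cat <<'EOF'
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
EOF
}
SAMPLE_CAPEFF=0000000000000400

echo "missing kernel options: $(sample_kconfig | tproxy_missing_opts)"
if has_cap_net_admin "$SAMPLE_CAPEFF"; then
    echo "CAP_NET_ADMIN present"
else
    echo "CAP_NET_ADMIN absent: transparent sockets cannot be created"
fi
```

On a live host, feed ``tproxy_missing_opts`` the running kernel's config (commonly ``/boot/config-$(uname -r)``, a distribution convention) and pass ``has_cap_net_admin`` the ``CapEff`` value of the running proxy process.
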
Transparency is configured per server port, not globally. This is done
via the configuration value :ts:cv:`proxy.config.http.server_ports`.
In addition, :ts:cv:`proxy.config.reverse_proxy.enabled` must be enabled if the
client side is transparent. That should be fixed in a future patch.
.. XXX has that been fixed?
.. XXX revisit section below
In the first case use the attribute character (replacing the default
'X')
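
=========== ====================================== =============
Attribute   Transparency Style                     Reverse Proxy
=========== ====================================== =============
``=``       Full transparency                      either
``>``       Inbound (client) transparency          enabled
``<``       Outbound (origin server) transparency  either
=========== ====================================== =============
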
In the outbound transparent case clients must connect directly to ATS
either through an explicit proxy mechanism or by advertising the IP
address of the ATS server via DNS as the origin server address.
Some tested scenarios --
- :doc:`transparent-proxy/bridge.en`
- :doc:`transparent-proxy/router-inline.en`
- :doc:`transparent-proxy/wccp-configuration.en`