/* * Copyright (C) 1996-2017 The Squid Software Foundation and contributors * * Squid software is distributed under GPLv2+ license and includes * contributions from numerous individuals and organizations. * Please see the COPYING and CONTRIBUTORS files for details. */ #ifndef SQUID_ANYP_TRAFFIC_MODE_H #define SQUID_ANYP_TRAFFIC_MODE_H namespace AnyP { /** * Set of 'mode' flags defining types of trafic which can be received. * * Use to determine the processing steps which need to be applied * to this traffic under any special circumstances which may apply. */ class TrafficMode { public: TrafficMode() : accelSurrogate(false), proxySurrogate(false), natIntercept(false), tproxyIntercept(false), tunnelSslBumping(false) {} TrafficMode(const TrafficMode &rhs) { operator =(rhs); } TrafficMode &operator =(const TrafficMode &rhs) { memcpy(this, &rhs, sizeof(TrafficMode)); return *this; } /** marks HTTP accelerator (reverse/surrogate proxy) traffic * * Indicating the following are required: * - URL translation from relative to absolute form * - restriction to origin peer relay recommended */ bool accelSurrogate; /** marks ports receiving PROXY protocol traffic * * Indicating the following are required: * - PROXY protocol magic header * - src/dst IP retrieved from magic PROXY header * - indirect client IP trust verification is mandatory * - TLS is not supported */ bool proxySurrogate; /** marks NAT intercepted traffic * * Indicating the following are required: * - NAT lookups * - URL translation from relative to absolute form * - Same-Origin verification is mandatory * - destination pinning is recommended * - authentication prohibited */ bool natIntercept; /** marks TPROXY intercepted traffic * * Indicating the following are required: * - src/dst IP inversion must be performed * - client IP should be spoofed if possible * - URL translation from relative to absolute form * - Same-Origin verification is mandatory * - destination pinning is recommended * - authentication prohibited */ bool tproxyIntercept; /** marks intercept and decryption of CONNECT (tunnel) SSL traffic * * Indicating the following are required: * - decryption of CONNECT request * - URL translation from relative to absolute form * - authentication prohibited on unwrapped requests (only on the CONNECT tunnel) * - encrypted outbound server connections * - peer relay prohibited. TODO: re-encrypt and re-wrap with CONNECT */ bool tunnelSslBumping; /** true if the traffic is in any way intercepted * */ bool isIntercepted() { return natIntercept||tproxyIntercept ;} }; } // namespace AnyP #endif