Inline on a Linux router

    • The clients are on network 172.28.56.0/24

    • Interface is on the network 192.168.1.0/24

    In this example we will intercept port 80 (HTTP) traffic that traverses the router. The first step is to use iptables to handle IP packets appropriately.

    We mark packets so that we can apply policy routing to them. For inbound packets we use TPROXY, which makes it possible to accept packets sent to foreign IP addresses. For returning outbound packets there will already be an open socket bound to the foreign address, so we need only force them to be delivered locally. The value for --on-ip is 0 because the target port is listening and not bound to a specific address. The value for --on-port must match the Traffic Server server port; otherwise its value is arbitrary. --dport and --sport specify the port from the point of view of the clients and origin servers. The middle two lines exempt local web traffic from being marked for Traffic Server; these rules can be tightened or loosened as needed. They work by matching that traffic and exiting iptables processing via ACCEPT before the last line is checked.

    Once the flows are marked we can force them to be delivered locally through the loopback interface by means of a policy routing table.

    ip route add local 0.0.0.0/0 dev lo table 1

    The mark value used is arbitrary, but it must be consistent between the iptables rules and the routing rule. The table number must be in the range 1..253.
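    As an added check that is not part of the original documentation: the Python script below reads output in the shape of iptables-save -t mangle, ip rule show and ip route show table N (constructed samples here; the interface names eth0/eth1 and the Traffic Server port 8080 are assumptions) and verifies the two requirements just stated, that the mark agrees between the iptables rules and the policy rule and that the table number is in 1..253, plus that the table really delivers marked flows to lo.

```python
import re

# Constructed sample output shaped like `iptables-save -t mangle`, `ip rule show`
# and `ip route show table 1` on the router; interface names eth0/eth1 and the
# Traffic Server port 8080 are assumptions, not values from the page.
MANGLE = """
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i eth0 -s 192.168.1.0/24 -j ACCEPT
-A PREROUTING -i eth0 -d 192.168.1.0/24 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
"""
IP_RULE = "32765:\tfrom all fwmark 0x1/0x1 lookup 1\n32766:\tfrom all lookup main\n"
IP_ROUTE_TABLE_1 = "local default dev lo scope host\n"

def parse_mark(text):
    """Turn a mark such as '0x1/0x1' or '1/1' into (value, mask) integers."""
    value, _, mask = text.partition("/")
    return int(value, 0), (int(mask, 0) if mask else 0xFFFFFFFF)

def check_tproxy_setup(mangle, ip_rule, route_table):
    """Return a list of problems; an empty list means the three pieces agree."""
    problems = []
    tproxy = re.search(r"-j TPROXY\b.*--tproxy-mark (\S+)", mangle)
    setmark = re.search(r"-j MARK --set-xmark (\S+)", mangle)
    fwmark = re.search(r"fwmark (\S+) lookup (\d+)", ip_rule)
    if tproxy is None:
        problems.append("no TPROXY rule for inbound client traffic")
    if setmark is None:
        problems.append("no MARK rule for returning origin traffic")
    if fwmark is None:
        problems.append("no fwmark policy rule selecting a routing table")
    if problems:
        return problems
    # The mark must be identical in both iptables rules and in the ip rule.
    marks = {parse_mark(m.group(1)) for m in (tproxy, setmark, fwmark)}
    if len(marks) != 1:
        problems.append("mark mismatch between iptables and ip rule: %s" % sorted(marks))
    table = int(fwmark.group(2))
    if not 1 <= table <= 253:
        problems.append("routing table %d outside the usable range 1..253" % table)
    # Marked flows must be delivered locally over the loopback interface.
    if re.search(r"^local default dev lo", route_table, re.M) is None:
        problems.append("table lacks the 'local 0.0.0.0/0 dev lo' route")
    return problems
```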

    STRING Default: value from --on-port
    proxy.config.reverse_proxy.enabled INT Default: 1
    Default: 0