Enhancement: Source ip acl action

[sts]

We would like to specify the source ip address used for outbound requests in the ACL, so we are able to distinguish internal systems. Would that be an enhancement worth considering?

example:

acl users 10.0.0.0/24
acl managers 10.0.1.0/24
source 172.217.22.110 users
source 172.217.22.111 managers

[andybalholm]

There are lots of things that would be nice to do with the IP addresses for outgoing connections:

• load balancing
• spreading things out so that it's not so much traffic from one IP
• handling the TPROXY situation, where the client IP should be used as the source IP for the outgoing connection
• explicitly selecting the source IP

Supporting any one of them would be doable; supporting all of them as well as the current default behavior sounds pretty tough.

The current behavior is that not only do all client requests go out on the same IP address, but they also share a pool of Keep-Alive connections. This is the best setup for performance, but it is difficult to reconcile with the other options.

[andybalholm]

This is getting closer to being practical now that we're not using a shared pool of Keep-Alive connections.