Re: Transparent Proxy Server Installation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: users@xxxxxxxxxxxxxxxx
Subject: Re: Transparent Proxy Server Installation
From: Julien Pauli <doctorrock83@xxxxxxxxx>
Date: Sat, 25 Jul 2009 23:11:51 +0200
In-reply-to: <553da56d0907221145y4369e502l688801d4b652f494@xxxxxxxxxxxxxx>
Reply-to: users@xxxxxxxxxxxxxxxx

That is the answer, yes.

People must know that there is a main difference between a normal HTTP request, and a request made to a proxy (forward).
The request is not exactly the same.

A standard minimal HTTP request :
GET / HTTP/1.1
Host: somehost

The same one but to a forward proxy :
GET http://somehost HTTP/1.1
Host: somehost

As you can see, the *full* URL is required for the proxy to work as it should (as a forward proxy). That transformation is made internally by all recent user agents when we just tells them we use a proxy, so we dont see that. That's why we can get confused thinking that a proxy request is just a normal request but routed to a different host by the user agent. That's actually wrong, the user agent forges the full path request in the request line.

So, when you act as a transparent proxy (with netfilter/iptables for example) your browsers don't know that fact, they will so emit normal HTTP requests. When Apache's mod_proxy receive them, it wont detect it as a proxy (could some httpd mod_proxy contributors confirm ?)

Squid has a magic function called "transparent" . That function makes it ignore requests that dont have full URLs in the HTTP request line, making it effectively act as transparent. If you dont tell "transparent" to Squid and really act as transparent, it will fails sending back a response like "I dont understand your request (400)".

Cheers

Julien.P

On Wed, Jul 22, 2009 at 8:45 PM, Bob Ionescu <bobsiegen@xxxxxxxxxxxxxx> wrote:

2009/7/22 Brian Kim <09su.research@xxxxxxxxx>:

> It means users must not need to set up the proxy configuration
>
> In that sense, I thought a reverse proxy seems to be the transparent proxy.
>
> Is it right?

IMHO yes. To get such a transparent proxy working with mod_proxy
you'll need to work-around with mod_rewrite since mod_proxy does not
provide a directive like "take the host header and proxy to that
server" (yet) as Nick mentioned.

RewriteEngine on
# using the_request and NE to be safe from unescape/escape
modifications (=unparsed_uri)
RewriteCond %{THE_REQUEST} ^[A-Z]{3,5}\ (/[^?\ ]*)
RewriteRule ^/ http://%{HTTP_HOST}%1 [NE,P]

Bob

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

References:
- Transparent Proxy Server Installation
  - From: Brian Kim
- Re: Transparent Proxy Server Installation
  - From: Nick Kew
- Re: Transparent Proxy Server Installation
  - From: Brian Kim
- Re: Transparent Proxy Server Installation
  - From: Bob Ionescu

Prev by Date: Cron to check that domains are running
Next by Date: Default page location
Previous by thread: Re: Transparent Proxy Server Installation
Next by thread: Re: Transparent Proxy Server Installation
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]

Powered by Linux