Re: transparent proxy error

[Henrik Nordstrom <hno@xxxxxxxxxxxxxxx>]

Sorry, my memory is very short. Please keep your answers in the correct 
thread...

On Tue, 1 Nov 2005, CsY wrote:

> do you think this?
> # Generated by iptables-save v1.3.1 on Fri Oct 21 15:21:54 2005
> *mangle
> :PREROUTING ACCEPT [2497:834932]
> :INPUT ACCEPT [2477:831704]
> :FORWARD ACCEPT [19:3172]
> :OUTPUT ACCEPT [2598:846827]
> :POSTROUTING ACCEPT [2617:849999]
> COMMIT
> # Completed on Fri Oct 21 15:21:54 2005
> # Generated by iptables-save v1.3.1 on Fri Oct 21 15:21:54 2005
> *nat
> :PREROUTING ACCEPT [6:789]
> :POSTROUTING ACCEPT [74:4434]
> :OUTPUT ACCEPT [69:3693]
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081 COMMIT
> # Completed on Fri Oct 21 15:21:54 2005
> # Generated by iptables-save v1.3.1 on Fri Oct 21 15:21:54 2005
> *filter
> :INPUT ACCEPT [2477:831704]
> :FORWARD ACCEPT [19:3172]
> :OUTPUT ACCEPT [2598:846827]
> COMMIT
> # Completed on Fri Oct 21 15:21:54 2005
>
> Henrik Nordstrom írta:
> > On Tue, 1 Nov 2005, Senthil Murugan wrote:
> >
> > > the original website that he/she was trying to access. But this time the 
> > > browser will not send the cookie credentials bcos, the is a different 
> > > domain. You explained as, "since the proxy has the full control of the 
> > > traffic passing thru it,  it can play games on the browser and issue 
> > > cookie for all the visited domains". But with this, only the proxy can add 
> > > the credentials but what actually needed is, only the proxy needs the 
> > > credentials from the browser. How come the works or i am not understood 
> > > clearly?
> >
> > There is always the domain of the proxy, to which the browser sends it's 
> > cookies. To transport the session cookie to another domain a double 
> > redirect is used via the proxy domain, temporarily carrying the session 
> > details in an "magic" URL to the visited domain which then issues the 
> > cookie and redirects back to the originally requested page on the same 
> > domain.
> >
> > I have done this kind of solutions for reverse proxies using Squid, and it 
> > is not hard (you only need a HTTP server maintaining the session, and a 
> > little thinking on how to use external acls). Only difficulty wrt doing it 
> > in a forward proxy is that you need to modify the proxy to not forward the 
> > session cookie to the requested site and for this some new Squid 
> > modifications will be needed (i.e. the filtering of the cookie is not 
> > possible with what is available for Squid today)
> >
> > Regards
> > Henrik
> >
> > _____________ NOD32 1.1269 (20051031) Információ _____________
> >
> > Az üzenetet a NOD32 antivirus system megvizsgálta.
> > http://www.nod32.hu