
Re: FW: Encrypted browser-Squid connection errors


 



On 10/25/22 10:18 AM, Matus UHLAR - fantomas wrote:
> I prefer to explicitly state what one means by transparent because RFC2616 has defined transparent proxy differently:

I do too. I /thought/ that I was explicitly stating. At least that was my intention.

Aside: That's why I included my working definition. So hopefully you would know what I meant even if I accidentally used the wrong term.

> A "transparent proxy" is a proxy that does not modify the request or response beyond what is required for proxy authentication and identification.
>
> term "interception proxy" better defines what happens here:
>
> Instead, an interception proxy filters or redirects outgoing TCP port 80 packets (and occasionally other common port traffic).

It seems as if I should (re)read RFC 2616 and refine my use of terms.

Based on the quoted sections, it seems to me like an intercepting proxy is a superset of a transparent proxy.

Aside: I can see a conceptual way to not modify any of the TCP connection (source & destination IPs & ports) while still actively proxying the traffic. -- I don't know if Squid supports this or not. But I do see conceptually what would be done.

> FYI, Intercepting proxy must use measures to avoid host header forgery:
>
> https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
> https://www.kb.cert.org/vuls/id/435052

I'll have to read those.

> squid must find out the original destination IP used and check, while in explicit mode it makes no sense.

I'll have to think about that. Probably more so after reading the links you provided.

Aside: I've long been a fan of and preferred explicit client configuration to use a proxy.

> this is a bit different kind of hacks.
>
> Generally the SOCKS library knows where/how to connect, socks wrappers (like socksify, tsocks, proxychains) are used to make other software use socks proxy even if it does not support it.

Agreed.

> and of course socks is generic bidirectional tcp/udp proxy, which makes it possible to implement it near over any kind of communication.

Yes, SOCKS is bidirectional. However, inbound connections through it, e.g. FTP active connections, are time limited. -- At least I'm not aware of any way to have a SOCKS proxy allow inbound traffic indefinitely a la. port forwarding in NAT or SSH remote port forwarding (assuming the real server is the SSH client).



--
Grant. . . .
unix || die
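
The check discussed in this message (an intercepting proxy comparing the request's Host header against the original destination IP of the client's connection), as an added example that is not part of the original e-mail and is not Squid's code. The function names, the `intercepted` flag and the DNS table are constructed for illustration; a real intercepting proxy would read the original destination from the kernel (for example `SO_ORIGINAL_DST` on Linux) and query DNS.

```python
import ipaddress

# Constructed DNS answers (documentation address ranges) so the check runs offline.
SAMPLE_DNS = {
    "www.example.com": ["192.0.2.10", "192.0.2.11"],
    "v6.example.com": ["2001:db8::1"],
}

def host_from_header(value):
    """Return the lowercase host part of a Host header value, without the port."""
    value = value.strip().lower()
    if value.startswith("["):                      # bracketed IPv6 literal
        end = value.find("]")
        return value[1:end] if end > 0 else ""
    return value.split(":", 1)[0].rstrip(".")      # drop port and trailing dot

def verify_host(orig_dst, host_header, intercepted=True, resolve=SAMPLE_DNS.get):
    """Return (ok, reason) for one request.

    orig_dst is the IP the client's TCP connection was really addressed to.
    In explicit mode the client connects to the proxy itself, so there is
    no original destination to compare and the check is skipped.
    """
    if not intercepted:
        return True, "explicit proxy: no original destination to compare"
    dst = ipaddress.ip_address(orig_dst)
    host = host_from_header(host_header)
    if not host:
        return False, "malformed Host header"
    try:
        candidates = {ipaddress.ip_address(host)}  # Host is an IP literal
    except ValueError:
        candidates = {ipaddress.ip_address(a) for a in resolve(host) or []}
    if not candidates:
        return False, "Host does not resolve"
    if dst in candidates:
        return True, "original destination matches Host"
    return False, "original destination not among addresses for Host"
```
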
