Re: Transparent proxy failing



On Friday 23 March 2007 19:49, Bart Silverstrim wrote:
I have two systems currently set up.
A is running squid.
B is running privoxy.

Currently the machines in my network are set up to go through machine
A as a transparent proxy; the DHCP server hands out the address of
machine A as the gateway on the network, and A takes requests to port
80 and forwards them to port 3180 where squid evaluates the URL for
whether it should be blocked (SquidGuard) or retrieved then sent back
to the client.

The squid machine, A, doesn't handle HTTPS blocking. Just doesn't
see the requests, period.

So I set up B. Privoxy can see and block requests to https sites.

I set up B to take a request and forward it to A for "proper"
filtering while B filters ads, https sites, etc.

Now the map goes:
client -> privoxy (B) -> gateway filter (A) -> internet

Privoxy (B) has ip_forward set to one. Privoxy is also running on
port 80.

If I set the client's gateway address to B's address and then bring
up a website, it goes right to the website, no filtering. If I tell
IE on the client to specifically use the proxy setting of B's ip
address and port 80 as a proxy, the filtering works, logged and all.
Obviously, this makes the filtering not very transparent.

Any idea why I can't just use B's address as a gateway and have the
web traffic seen by the proxy (Privoxy)?

In your setup of machine A, HTTPS is not filtered because, according to
what you write, it only intercepts packets with destination port 80,
which happens to be the standard port for HTTP. If you want to handle
HTTPS you will have to set up a transparent proxy for port 443 which is
the standard port for HTTPS. However, there may be a problem because the
communication between the client and the external server is encrypted.
Therefore your proxy can't know the requested URL, which is needed for
your filter to work.

There seems to be another problem with your transparent proxy though. It
can ONLY see traffic on the standard port for HTTP. Now what happens if
the communication doesn't use the standard port 80 but say 8000? Then
your squid proxy can't filter the URL either because it doesn't see the
traffic. Maybe there are even other protocols you want to filter (e.g.
FTP)?

However, if you use a non-transparent proxy, the client establishes a link
to the proxy and requests the URL from the proxy. Now the proxy knows the
URL to fetch and it can apply the necessary filters. But the content of
HTTPS requests is still encrypted between client and external server,
i.e. the proxy can't see the content of the communication. Anyway, the
client program knows it has to use the proxy for HTTP and HTTPS.
Therefore it will send all requests to the proxy, not only for the
standard ports, but also for non-standard ports.

What you need is probably a configuration where there is a non-transparent
proxy for HTTP and HTTPS (and maybe FTP) on machine A using squid. It may
be configured on port 80 or any other port - the port number is not
important but has to be known for the client configuration. Then you can
keep machine A as gateway. To enforce the use of the proxy, all traffic
on ports 80 and 443 (except from your proxy) could be blocked using
iptables.

Finally, about machine B as the gateway address: The gateway address is the
address where all traffic is sent to from the client machine (except for
hosts on your LAN). The client machine doesn't establish a link to the
gateway machine but to the external server. Your proxy on port 80 of
machine B will never see the traffic because it is forwarded to the
external server (ip_forward is on). Your proxy can only see (and filter)
the traffic if the client machine establishes a link to machine B on
port 80.


Nils

--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
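As an added example, not part of Nils' reply or Bart's setup: a small iptables script showing both halves of the answer. One function is the port-80 REDIRECT that gives machine A its transparent interception today (and makes clear why 443 is never seen), the other is the FORWARD-chain enforcement Nils suggests, which logs and rejects LAN clients that try to reach 80/443 directly so they must go through the configured proxy. The LAN range, interface, proxy address and the DRY_RUN switch are assumptions; only the squid port 3180 comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: the LAN is
# 192.168.1.0/24 on interface eth0, and the proxy/gateway is 192.168.1.1.
# Squid's intercept port 3180 is the one Bart mentions.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_IP="${PROXY_IP:-192.168.1.1}"
SQUID_PORT="${SQUID_PORT:-3180}"

# With DRY_RUN set, print each rule instead of loading it (no root needed).
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Transparent interception as machine A does it today: LAN traffic for port 80
# that transits the gateway is redirected to squid listening on this host.
# Nothing here touches port 443, which is why HTTPS is never seen.
transparent_http_rules() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# Enforcement for the non-transparent setup Nils suggests: forwarded traffic
# to 80/443 is allowed only from the proxy host; any LAN client going direct
# is logged, then rejected, so it has to be configured to use the proxy.
# (If the proxy runs on the gateway itself, its own connections leave via
# OUTPUT, not FORWARD, so the ACCEPT rule only matters for a separate proxy
# box such as machine B.)
enforce_proxy_rules() {
    ipt -A FORWARD -i "$LAN_IF" -s "$PROXY_IP" -p tcp -m multiport --dports 80,443 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 \
        -j LOG --log-prefix "proxy-bypass: "
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 \
        -j REJECT --reject-with tcp-reset
}

case "${1:-}" in
    show)  DRY_RUN=1 ; transparent_http_rules ; enforce_proxy_rules ;;
    apply) transparent_http_rules ; enforce_proxy_rules ;;
esac
```

Run it as `sh proxy-rules.sh show` to review the rules before loading them with `apply` as root; the LOG line gives you a kernel-log record of every client that tries to bypass the proxy.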