* Overriding REDIRECT for certain hosts (SQUID)
[not found] <20021123052657.30417.33449.Mailman@kashyyyk>
@ 2002-11-23 15:46 ` Ryan Beisner
2002-11-23 16:05 ` Cedric Blancher
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Ryan Beisner @ 2002-11-23 15:46 UTC (permalink / raw)
To: netfilter
I don't know if anyone else has noticed, but SQUID doesn't treat some
websites very kindly in its http acceleration (transparent proxy).
Mainly, Microsoft Outlook Webmail (I have a client using it).
[ BTW this is a strange breed of a web based mail system .. it looks
like you're using Outlook, within a webpage, released by MS. Their
firewall info claims that HTTP is the only protocol in use. ]
I have already configured Squid not to cache that entire domain, and it
doesn't cache it. I've flushed the cache, then looked at the "All Cache
Objects" SQUID report, to find none at domain XYZZZ.COM.
OK, so how would one turn this rule around into a couple of rules that
redirect port 80 to 3128, *unless* it's to/from "any-host.xyzzz.com" or
"any-host.anotherdomain.com" etc ?
.......................}SNIP{...........................
$ipt -t nat -A PREROUTING -i $eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
.......................}SNIP{...........................
I realize I could create a rule based on their IP range, but I want the
rule to be based on the domain name -- I haven't yet seen that in
action. ;}
All help is appreciated!
TIA
-Ryan Beisner
* Re: Overriding REDIRECT for certain hosts (SQUID)
2002-11-23 15:46 ` Overriding REDIRECT for certain hosts (SQUID) Ryan Beisner
@ 2002-11-23 16:05 ` Cedric Blancher
2002-11-23 18:03 ` Karina
2002-11-24 20:19 ` Filip Sneppe (Cronos)
2 siblings, 0 replies; 4+ messages in thread
From: Cedric Blancher @ 2002-11-23 16:05 UTC (permalink / raw)
To: Ryan Beisner; +Cc: netfilter
On Sat 23/11/2002 at 16:46, Ryan Beisner wrote:
> OK, so how would one turn this rule around into a couple of rules that
> redirect port 80 to 3128, *unless* it's to/from "any-host.xyzzz.com" or
> "any-host.anotherdomain.com" etc ?
[Snip]
> I realize I could create a rule based on their IP range, but I want the
> rule to be based on the domain name -- I haven't yet seen that in
> action. ;}
For now, you just can't, because Netfilter is a _packet_ filter that
just doesn't know anything about DNS to resolve source or destination
IP.
But maybe it would be interesting to have a match that could reverse
source or destination IP... But it is still not the case, and could lead
to strange results and particularly flaws if someone could tamper with your
DNS system information.
--
Cédric Blancher <blancher@cartel-securite.fr>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: Overriding REDIRECT for certain hosts (SQUID)
2002-11-23 15:46 ` Overriding REDIRECT for certain hosts (SQUID) Ryan Beisner
2002-11-23 16:05 ` Cedric Blancher
@ 2002-11-23 18:03 ` Karina
2002-11-24 20:19 ` Filip Sneppe (Cronos)
2 siblings, 0 replies; 4+ messages in thread
From: Karina @ 2002-11-23 18:03 UTC (permalink / raw)
To: Ryan Beisner; +Cc: netfilter
I had the same problem, and I followed the suggestion from Antony Stone,
who wrote:
3. Use your existing DNAT rule in the PREROUTING nat chain, but insert some
rules before it which match a destination address using "-d a.b.c.d" and use
the target "-j ACCEPT" so that these packets bypass the DNAT rule.
I did more or less the same...
I use this:
IPTABLES -t nat -A PREROUTING -i "myinterface" -p tcp ! -d xxx.xxx.xxx.xxx --dport 80 -j REDIRECT --to-port 3128 -v
and now the requests to OWA are not passed to Squid anymore.
You need to have the IP address of the site using Outlook Web Access. I don't
know what exactly the problem is with this service, and on the Microsoft
web page there's nothing... just a note about troubleshooting OWA with
the Microsoft Proxy, which basically has the same problems as with Squid.
I hope this helps,
Karina.
Ryan Beisner wrote:
> I don't know if anyone else has noticed, but SQUID doesn't treat some
> websites very kindly in its http acceleration (transparent proxy).
> Mainly, Microsoft Outlook Webmail (I have a client using it).
>
> [ BTW this is a strange breed of a web based mail system .. it looks
> like you're using Outlook, within a webpage, released by MS. Their
> firewall info claims that HTTP is the only protocol in use. ]
>
> I have already configured Squid not to cache that entire domain, and it
> doesn't cache it. I've flushed the cache, then looked at the "All Cache
> Objects" SQUID report, to find none at domain XYZZZ.COM.
>
> OK, so how would one turn this rule around into a couple of rules that
> redirect port 80 to 3128, *unless* it's to/from "any-host.xyzzz.com" or
> "any-host.anotherdomain.com" etc ?
>
> .......................}SNIP{...........................
> $ipt -t nat -A PREROUTING -i $eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> .......................}SNIP{...........................
>
> I realize I could create a rule based on their IP range, but I want the
> rule to be based on the domain name -- I haven't yet seen that in
> action. ;}
>
> All help is appreciated!
>
> TIA
>
> -Ryan Beisner
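Karina's bypass rule needs an address, and Cedric's reply explains why: Netfilter matches IPs, not names. The following is an added example (not code from either poster) that builds the exemption rules from a list of resolved addresses, rejecting anything that is not a dotted quad so a failed or spoofed lookup cannot silently change the ruleset. The function names (is_ipv4, build_bypass_rules, resolve_v4), the IPT variable and owa.example.com are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the nat PREROUTING rules that
# exempt a fixed list of IPv4 addresses from the Squid REDIRECT, in the order
# Karina describes (ACCEPT exemptions first, the catch-all REDIRECT last).
# Netfilter matches addresses, never names (Cedric's point), so a name is
# resolved once when the ruleset is built and only a dotted quad is accepted.
# Function names (is_ipv4, build_bypass_rules, resolve_v4) are this example's own.

IPT=${IPT:-iptables}   # assumed: iptables binary on PATH, or override via IPT

# is_ipv4 ADDR: succeed only for a well-formed dotted quad (4 octets, each 0-255)
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# build_bypass_rules IFACE ADDR...: print the rules. Anything that is not an
# IPv4 address (a hostname, a typo, an empty failed lookup) aborts with status 1,
# so a bad entry can neither widen nor silently drop the bypass.
build_bypass_rules() {
    iface=$1; shift
    for a in "$@"; do
        is_ipv4 "$a" || { echo "not an IPv4 address: $a" >&2; return 1; }
        echo "$IPT -t nat -A PREROUTING -i $iface -p tcp -d $a --dport 80 -j ACCEPT"
    done
    # -A appends, so this lands after the exemptions; with a pre-existing
    # REDIRECT rule use -I to put the exemptions in front of it instead
    echo "$IPT -t nat -A PREROUTING -i $iface -p tcp --dport 80 -j REDIRECT --to-port 3128"
}

# resolve_v4 NAME: one lookup via the system resolver (glibc getent). The
# result is baked into the ruleset, so rebuild when the site moves, and only
# trust a resolver you control: a spoofed answer here becomes a proxy bypass.
resolve_v4() {
    getent ahostsv4 "$1" | awk '$2 == "STREAM" { print $1; exit }'
}

# usage (owa.example.com is a placeholder): resolve, then print the rules
# for review before feeding them to sh
# build_bypass_rules eth0 "$(resolve_v4 owa.example.com)"
```

Because the exemption is static, the ruleset silently goes stale when the OWA host changes address; rebuilding it from a trusted resolver is the only safe refresh.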
* Re: Overriding REDIRECT for certain hosts (SQUID)
2002-11-23 15:46 ` Overriding REDIRECT for certain hosts (SQUID) Ryan Beisner
2002-11-23 16:05 ` Cedric Blancher
2002-11-23 18:03 ` Karina
@ 2002-11-24 20:19 ` Filip Sneppe (Cronos)
2 siblings, 0 replies; 4+ messages in thread
From: Filip Sneppe (Cronos) @ 2002-11-24 20:19 UTC (permalink / raw)
To: Ryan Beisner; +Cc: netfilter
On Sat, 2002-11-23 at 16:46, Ryan Beisner wrote:
>
> I don't know if anyone else has noticed, but SQUID doesn't treat some
> websites very kindly in its http acceleration (transparent proxy).
> Mainly, Microsoft Outlook Webmail (I have a client using it).
>
> [ BTW this is a strange breed of a web based mail system .. it looks
> like you're using Outlook, within a webpage, released by MS. Their
> firewall info claims that HTTP is the only protocol in use. ]
>
Hi Ryan,
The reason is that MS Exchange 2000 OWA will by default use the
WebDAV http extension between Internet Explorer (MS refers to this
as a "Rich" client) and the web server. With any other browser
(MS calls these "Reach clients"), OWA will use basic HTTP without
the flashy GUI.
WebDAV is what makes OWA look like Outlook, with drag and drop
features and so on.
"Sharepoint Portal Server", another one of their products, also
uses WebDAV.
Now, WebDAV through a proxy like Squid wouldn't be such a big problem
if it wasn't for the extensions that MS built into their version
of the WebDAV protocol ("embrace and extend", anyone?). Basically,
there are some keywords in their version of the protocol that are
not standard (yet?). (The situation may have changed - I don't know
how far WebDAV has been standardized yet.)
However, it should be easy to remedy your problem. As reported on this
site:
http://www.webdav.org/other/proxy.html
From Squid 2.4 onwards it is possible to add request methods to
Squid via the "extension_methods" configuration directive.
For OWA (~ MS WebDAV) to work, you will at least have to add these
request methods:
BMOVE
BDELETE
BPROPFIND
SEARCH
At the time, one of my colleagues from our Exchange team got all the
"extra" WebDAV commands from an MS engineer - I think those four
cover the extensions. "SEARCH" was really an important one, I think.
Now, at the time (squid 2.4STABLE2), I hadn't heard of the
"extension_methods" directive, so I looked into the squid
mailing list archives. There I found an answer from one of
the Squid developers (I think Henrik) that explained how to
add request methods by adding them to some arrays of constants
in src/url.c and src/enums.h. Check the Squid mailing list archives
if you want to find out the details. I recompiled Squid 2.4STABLE2
with this but never got to see if it worked because the client
I was doing this for had already dropped the OWA "rich" functionality
because of memory leak/stability problems on Exchange :-)
It is possible to turn the WebDAV crap off via a registry fix on
the Exchange, iirc.
However, I don't think it's needed to patch the source code anymore
now that there's a "extension_methods" directive.
Better yet, from peeking at the code of Squid-2.5STABLE1, I think
all the important request methods are already in these, like
"SEARCH", "BMOVE", etc.
So basically, with a recent Squid, it should work. What version
of Squid is doing the reverse proxying ?
One other possibility is that MS has added yet another batch of
WebDAV extensions with an Exchange Service Pack release. In that
case, you will have to dig out a network sniffer and see what
methods a client is using when he's logging on to OWA...
Wheww, long explanation of something not really netfilter related :-)
Out of curiosity, does anyone know if it's possible to teach Apache
new HTTP request methods? It would be necessary if one wants to use
Apache as a (reverse) proxy for OWA traffic...
Regards,
Filip
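Filip's last suggestion is to look at which methods the client really sends before deciding what to add to extension_methods. This added example (not Filip's or Squid's code) does that from Squid's native access.log instead of a sniffer: it counts the methods seen and lists those outside the RFC 2616 and RFC 2518 sets, which are the candidates for the directive. The function names (methods_seen, extension_methods_seen), the log lines and owa.example.com are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: find out which request methods
# clients actually send through Squid (Filip's "see what methods a client is
# using"), read from Squid's native access.log, where field 6 is the method.
# Function names methods_seen and extension_methods_seen are this example's own.
STANDARD_METHODS="GET HEAD POST PUT DELETE OPTIONS TRACE CONNECT PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK"

# methods_seen FILE: distinct methods with hit counts, most frequent first
methods_seen() {
    awk '{ n[$6]++ } END { for (m in n) print n[m], m }' "$1" | sort -rn
}

# extension_methods_seen FILE: methods outside RFC 2616/2518, one per line;
# these are the candidates for extension_methods in squid.conf. Only methods
# Squid could parse reach the log, so if Squid itself rejects a method the
# capture has to come from the network side, as Filip says.
extension_methods_seen() {
    methods_seen "$1" | while read -r count method; do
        case " $STANDARD_METHODS " in
            *" $method "*) ;;
            *) echo "$method" ;;
        esac
    done
}

# constructed sample access.log lines (native format) for a stand-alone run
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
1038067200.123    412 192.0.2.10 TCP_MISS/200 2315 GET http://owa.example.com/exchange/ - DIRECT/203.0.113.5 text/html
1038067201.456    210 192.0.2.10 TCP_MISS/207 1890 PROPFIND http://owa.example.com/exchange/ryan/inbox - DIRECT/203.0.113.5 text/xml
1038067202.789    198 192.0.2.10 TCP_MISS/207 4021 SEARCH http://owa.example.com/exchange/ryan/inbox - DIRECT/203.0.113.5 text/xml
1038067203.012    175 192.0.2.10 TCP_MISS/207 3307 SEARCH http://owa.example.com/exchange/ryan/calendar - DIRECT/203.0.113.5 text/xml
1038067204.345    160 192.0.2.10 TCP_MISS/207 512 BMOVE http://owa.example.com/exchange/ryan/inbox/msg1.eml - DIRECT/203.0.113.5 text/xml
EOF
extension_methods_seen "$LOG"     # prints SEARCH and BMOVE
rm -f "$LOG"
```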