Linux Netfilter discussions
* Re: Transparent proxying using REDIRECT
  2003-07-17  6:24 Transparent proxying using REDIRECT Mikko Alutoin
@ 2003-07-17  5:28 ` Arthur Meyer
  2003-07-17  7:22 ` Cedric Blancher
  2003-07-17  7:35 ` Philip Craig
  2 siblings, 0 replies; 4+ messages in thread
From: Arthur Meyer @ 2003-07-17  5:28 UTC (permalink / raw)
  To: netfilter

Hello Mikko

You need to change/add three statements in the squid.conf file:
HTTP-Accel-Host virtual
HTTP-Accel with proxy ON
HTTP-Accel uses Host-Header ON

That should do it
Plus Squid has to be compiled with the directive --enable-linux-netfilter (if 
you use Linux)

Arthur

On Thursday 17 July 2003 08:24, Mikko Alutoin wrote:
> Hi,
>
> I have a question about transparent proxying. Suppose I have the following
> rule in my kernel:
>
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>
> The purpose of the rule is that all web traffic is captured by a proxy
> listening to a local port. Now the question:
>
> How does the proxy get to know the original destination IP address and
> port? By looking into the HTTP-request, perhaps? If so, what if the
> application protocol (some other than HTTP) does not contain the
> destination URL?
>
> Cheers,
> Mikko


* Transparent proxying using REDIRECT
@ 2003-07-17  6:24 Mikko Alutoin
  2003-07-17  5:28 ` Arthur Meyer
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Mikko Alutoin @ 2003-07-17  6:24 UTC (permalink / raw)
  To: netfilter

Hi,

I have a question about transparent proxying. Suppose I have the following 
rule in my kernel:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT 
--to-port 3128

The purpose of the rule is that all web traffic is captured by a proxy 
listening to a local port. Now the question:

How does the proxy get to know the original destination IP address and 
port? By looking into the HTTP-request, perhaps? If so, what if the 
application protocol (some other than HTTP) does not contain the 
destination URL?

Cheers,
Mikko





* Re: Transparent proxying using REDIRECT
  2003-07-17  6:24 Transparent proxying using REDIRECT Mikko Alutoin
  2003-07-17  5:28 ` Arthur Meyer
@ 2003-07-17  7:22 ` Cedric Blancher
  2003-07-17  7:35 ` Philip Craig
  2 siblings, 0 replies; 4+ messages in thread
From: Cedric Blancher @ 2003-07-17  7:22 UTC (permalink / raw)
  To: Mikko Alutoin; +Cc: netfilter

On Thu 17/07/2003 at 08:24, Mikko Alutoin wrote:
> I have a question about transparent proxying. Suppose I have the following 
> rule in my kernel:
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT 
> --to-port 3128
> The purpose of the rule is that all web traffic is captured by a proxy 
> listening to a local port. Now the question:
> How does the proxy get to know the original destination IP address and 
> port? By looking into the HTTP-request, perhaps? If so, what if the 
> application protocol (some other than HTTP) does not contain the 
> destination URL?

Because clients now use HTTP/1.1, whose requests contain the destination
host name:

	GET / HTTP/1.1
	host: www.google.com

This is the way name virtual hosts work, and so does transparent proxying.

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE



* Re: Transparent proxying using REDIRECT
  2003-07-17  6:24 Transparent proxying using REDIRECT Mikko Alutoin
  2003-07-17  5:28 ` Arthur Meyer
  2003-07-17  7:22 ` Cedric Blancher
@ 2003-07-17  7:35 ` Philip Craig
  2 siblings, 0 replies; 4+ messages in thread
From: Philip Craig @ 2003-07-17  7:35 UTC (permalink / raw)
  To: Mikko Alutoin; +Cc: netfilter

Mikko Alutoin wrote:
> How does the proxy get to know the original destination IP address and 
> port? By looking into the HTTP-request, perhaps? If so, what if the 
> application protocol (some other than HTTP) does not contain the 
> destination URL?

Use SO_ORIGINAL_DST, for example:

getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, &dst_addr, &addrlen);

-- 
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
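
The getsockopt() call from the reply above, wrapped with the error handling and own-address check a proxy behind the REDIRECT rule needs. This is an added example, not part of the original thread; the helper names (original_dst, same_endpoint, upstream_for) are hypothetical, it is IPv4 only, and SO_ORIGINAL_DST is defined locally with the value from <linux/netfilter_ipv4.h> instead of including that header.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80 /* same value as <linux/netfilter_ipv4.h> */
#endif

/* Pre-REDIRECT destination of fd: returns 0 and fills *dst, or -1 with errno. */
int original_dst(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, dst, &len) < 0)
        return -1; /* e.g. ENOENT: conntrack has no entry for this socket */
    if (len != sizeof(*dst) || dst->sin_family != AF_INET) {
        errno = EAFNOSUPPORT;
        return -1;
    }
    return 0;
}

/* 1 if both endpoints are the same IPv4 address and port. */
int same_endpoint(const struct sockaddr_in *a, const struct sockaddr_in *b)
{
    return a->sin_addr.s_addr == b->sin_addr.s_addr && a->sin_port == b->sin_port;
}

/* 1: redirected, *dst is where to connect. 0: original destination is our
 * own address (direct client; dialling *dst would loop). -1: error. */
int upstream_for(int fd, struct sockaddr_in *dst)
{
    struct sockaddr_in local;
    socklen_t len = sizeof(local);
    if (original_dst(fd, dst) < 0 ||
        getsockname(fd, (struct sockaddr *)&local, &len) < 0)
        return -1;
    return same_endpoint(dst, &local) ? 0 : 1;
}

int main(void)
{
    struct sockaddr_in dst; /* stdin is not a redirected TCP socket */
    if (upstream_for(0, &dst) < 0)
        perror("SO_ORIGINAL_DST");
    return 0;
}
```

In a proxy, upstream_for() is called on each socket returned by accept() on the REDIRECT target port. The address it returns comes from connection tracking, so it works for protocols that carry no destination in the payload.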



