RE: Really transparent proxy


RE: Really transparent proxy

Facundo Vilarnovo
Squid users:
        We tried what omero omero suggested; now we have squid 2.6.STABLE13, compiled with wccp and tproxy. We also did a kernel compilation with the tproxy module, and an iptables recompilation with tproxy support.
        Now we have the squid+wccp+tproxy module working, but some sites like http://www.whatsmyipaddress.com/ show the client origin ip address (that's correct) and ALSO show that it is behind a PROXY! Any ideas of what can be wrong? If needed we may post our squid configuration file!

Thanks a lot
Regards
Facundo Vilarnovo


________________________________________
From: Nicolas Royo
Sent: Tuesday, 15 May 2007 08:55 p.m.
To: Facundo Vilarnovo
Subject: FW: [squid-users] Really transparent proxy


________________________________________
From: omero omero [mailto:[hidden email]]
Sent: Mon 07/05/2007 20:45
To: [hidden email]
Subject: Re: [squid-users] Really transparent proxy
Hello Nicolas,

I am glad to hear the good news.

I guess that your messages are not reaching squid-users because you are not using simple text messages.

Regards
Omero


--- Nicolas Royo <[hidden email]> wrote:

> It worked perfectly!
>
> Testing it during the whole weekend against 300 clients!
>
> Thanks for your help!  glad to be helpful!
>
> (Now struggling with "ip_conntrack: table full, dropping packet", but that's another story.)
>
> ________________________________
>
> From: omero omero [mailto:[hidden email]]
> Sent: Fri 04/05/2007 22:50
> To: [hidden email]
> Subject: RE: [squid-users] Really transparent proxy
>
> Hello Nicolas,
>
> For your own convenience, I have chosen to add the following:
>
> If you really want to make your proxy server anonymous, you have to know that disabling Via and XFF is not enough. To explain my point, I will introduce you to a header called User-Agent; this is also added to the HTTP request, but it basically depends on the client side.
>
> So, what is User-Agent? It is a string which contains information about the browser type, browser version, operating system and other information.
>
> How can an ISP or an internet site detect that you are behind a proxy using User-Agent? Consider the following example:
>
> - You have two client computers A & B
> - Computer A has Windows NT 5.1 and Internet Explorer 6.0 installed on it
> - Computer B has Windows NT 5.1 and IE 7.0
>
> If the two computers attempt to access the internet SIMULTANEOUSLY, the ISP can detect that requests with different browser versions are being transmitted.
>
> An ISP can use this method to detect child proxy servers.
>
> What can your proxy server do to prevent this? Simply, it must modify User-Agent to one united string. How to do that in squid? Actually I am a new squid user and I did not try to find out how, and I don't have much time for this. I will leave it to you and other squid users.
>
> Just while I was typing this message, I received a response to my reply from Chris Robertson. Thank you, Chris.
>
> He said that even with disabling XFF, XFF will contain: Unknown. This will definitely allow the ISP to detect that a request is behind a proxy server. XFF must not be transmitted at all to prevent detection.
>
> You have to find a way to totally remove the XFF and Via headers, either by squid or by another proxy server.
>
> In another reply, Chris Robertson said that it can be solved using squid. So read it :). I will read it later.
>
> I am now using a proxy server, namely Proxy+; it has an option Anonymous (No XFF, No Via) for HTTP requests. XFF and Via will not be sent at all. Again, the User-Agent string is still a problem.
>
> There is another program which gives you the ability to modify User-Agent. It's called Foxy.
>
> It's not recommended to modify User-Agent, because some sites use this header to send you the page code that best suits your browser. But if you are looking to make your proxy server completely anonymous, you have to consider the User-Agent problem.
>
> Tired of typing :)
> Good luck
>
> Regards
> Omero
>
>
> --- Nicolas Royo <[hidden email]> wrote:
>
> > Thanks Omero,
> >
> > I was passively watching these steps closely since I'm working with Facundo on implementing squid-wccp at a small ISP in our country.
> >
> > Greetings for the answer; I'll be trying them and letting you know if it worked!
> >
> > ________________________________
> >
> > From: omero omero [mailto:[hidden email]]
> > Sent: Fri 04/05/2007 20:52
> > To: [hidden email]
> > Subject: Re: [squid-users] Really transparent proxy
> >
> > Hello Facundo,
> >
> > I read your message and the replies. I think that the replies did not solve your problem. I did not open the links provided, but I read the conclusion, which is to deny Via and X-Forwarded-For (XFF). You do not need to deny anything. Actually, you need to disable the transmission of Via and XFF. There is a big difference between [denying Via and XFF] and [disabling transmission of Via and XFF]. Denying Via and XFF is to deny HTTP requests that come from a client which has a proxy server installed on it (with Via and XFF being enabled on that proxy server). You want to prevent internet servers from detecting that you are behind a proxy, therefore you need to disable transmission of Via and XFF.
> >
> > To do that, add the following 2 lines to your squid conf file and don't forget to restart the service after you save the file:
> >
> > forwarded_for off
> > via off
> >
> > BUT WAIT, you said that at your server you did not set any proxy and the site you enter is detecting that you are behind a proxy. Actually, this is not related to the squid proxy server installed on your server. You get internet from an ISP, and this ISP has a proxy server on it. Right? Sure. The proxy server of your ISP will add the Via and XFF. You can't do anything about it from your side. You might want to use ANONYMOUS proxy servers that can serve your purpose by modifying requests after they are no longer controlled by your ISP. Requests go like this: You --> Your ISP --> Anonymous Proxy server --> Target Site.
> >
> > Regards.
> >
> >
> > --- Adrian Chadd <[hidden email]> wrote:
> >
> > > On Thu, May 03, 2007, Chris Robertson wrote:
> > > > Facundo Vilarnovo wrote:
> > > > > Hello squid users!
> > > > >   I don't know if there's any post about this, but maybe not...
> > > > > Does anyone know if there's any way of making the squid transparent for those pages that tell you what your ip is? For example, right now I am behind my transparent squid with wccp, and if I go to any site like http://www.adsl4ever.com/ip/ it tells my ip address, and also tells me that I am behind a proxy. Like I said before, I don't have any explicit configuration on my browser that points to the squid.
> > > > >
> > > > > PS: I also tried other pages like this... the same happens!
> > > > >
> > > > > Regards
> > > > > Facundo
> > > >
> > > > http://www.squid-cache.org/mail-archive/squid-users/200604/0013.html
> > > > and the response at
> > > > http://www.squid-cache.org/mail-archive/squid-users/200604/0014.html
> > > >
> > > > In short:
> > > >
> > > > header_access Via deny all
> > > > header_access X-Forwarded-For deny all
> > >
> > > And check "TPROXY" and Squid-2.6. It's supported in squid-3, but some features have yet to be ported.
> > >
> > > Adrian





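The detection omero describes in the quoted message above (hop-added Via and X-Forwarded-For headers, the "unknown" X-Forwarded-For value Chris Robertson mentions, and different User-Agent strings arriving from one address at the same moment) can be written down as a check a site operator or ISP might run over incoming requests. This is an added example, not code from the thread or from Squid: the request records are constructed, and the time window, the indicator names and the inclusion of the Forwarded and Proxy-Connection headers are my own choices.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: (IP seen on the TCP connection, unix time, request headers).
# The first three come from one address within seconds, which is the
# "computer A and computer B behind one proxy" situation described above.
UA_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
UA_IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
SAMPLE_REQUESTS = [
    ("203.0.113.10", 1000, {"User-Agent": UA_IE6,
                            "Via": "1.0 debian-sq (squid/2.6.STABLE13)",
                            "X-Forwarded-For": "192.168.1.25"}),
    ("203.0.113.10", 1002, {"User-Agent": UA_IE7, "X-Forwarded-For": "unknown"}),
    ("203.0.113.10", 1004, {"User-Agent": UA_IE6}),
    ("198.51.100.7", 1001, {"User-Agent": "Mozilla/5.0 (X11; Linux i686) Firefox/2.0.0.3"}),
]


def _get(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def header_indicators(headers):
    """Sorted list of reasons one request looks proxied, from hop headers alone."""
    reasons = set()
    if _get(headers, "Via") is not None:
        reasons.add("via")
    xff = _get(headers, "X-Forwarded-For")
    if xff is not None:
        reasons.add("x-forwarded-for")
        for hop in (h.strip() for h in xff.split(",")):
            if hop.lower() == "unknown":          # what `forwarded_for off` leaves behind
                reasons.add("xff-unknown")
                continue
            try:
                if ip_address(hop).is_private:    # leaks the internal client address
                    reasons.add("xff-private-client")
            except ValueError:
                pass                              # not an address; ignore
    if _get(headers, "Forwarded") is not None:    # RFC 7239 successor of X-Forwarded-For
        reasons.add("forwarded")
    if _get(headers, "Proxy-Connection") is not None:  # sent by explicitly configured browsers
        reasons.add("proxy-connection")
    return sorted(reasons)


def user_agent_conflicts(requests, window=60):
    """{ip: set of User-Agent strings} for addresses that sent different
    User-Agent values within `window` seconds of each other."""
    by_ip = defaultdict(list)
    for ip, ts, headers in requests:
        by_ip[ip].append((ts, _get(headers, "User-Agent") or ""))
    conflicts = {}
    for ip, seen in by_ip.items():
        seen.sort()
        for i, (t1, ua1) in enumerate(seen):
            for t2, ua2 in seen[i + 1:]:
                if t2 - t1 > window:
                    break                         # sorted by time: nothing later is closer
                if ua1 != ua2:
                    conflicts.setdefault(ip, set()).update({ua1, ua2})
    return conflicts


def classify(requests, window=60):
    """Combine both checks: {ip: sorted reasons} for every address with any indicator."""
    verdict = defaultdict(set)
    for ip, _, headers in requests:
        verdict[ip].update(header_indicators(headers))
    for ip in user_agent_conflicts(requests, window):
        verdict[ip].add("user-agent-conflict")
    return {ip: sorted(reasons) for ip, reasons in verdict.items() if reasons}


if __name__ == "__main__":
    for ip, reasons in classify(SAMPLE_REQUESTS).items():
        print(ip, ", ".join(reasons))
```

Note that the User-Agent check only says "more than one browser behind this address", which is equally true of a NAT gateway with no proxy at all; it is a weaker signal than a Via header and a site would normally combine it with the header checks, as `classify` does.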
Re: Really transparent proxy

Adrian Chadd
On Tue, May 15, 2007, Facundo Vilarnovo wrote:
> Squid users:
> We tried what omero omero suggested; now we have squid 2.6.STABLE13, compiled with wccp and tproxy. We also did a kernel compilation with the tproxy module, and an iptables recompilation with tproxy support.
> Now we have the squid+wccp+tproxy module working, but some sites like http://www.whatsmyipaddress.com/ show the client origin ip address (that's correct) and ALSO show that it is behind a PROXY! Any ideas of what can be wrong? If needed we may post our squid configuration file!
>

It's possible whatsmyipaddress.com is reading the client IP address from the X-Forwarded-For header.
Yes, please share your TPROXY setup!



Adrian


RE: Really transparent proxy

zulkarnain
In reply to this post by Facundo Vilarnovo

--- Facundo Vilarnovo <[hidden email]> wrote:
> Now we have the squid+wccp+tproxy module working, but
> some sites like http://www.whatsmyipaddress.com/
> show the client origin ip address (that's correct)
> and ALSO show that it is behind a PROXY! Any ideas
> of what can be wrong? If needed we may post our
> squid configuration file!
>

Have you turned OFF "via" and "forwarded_for" in your
squid.conf?

-Zul


 

Re: Really transparent proxy

K K
On 5/15/07, Adrian Chadd <[hidden email]> wrote:
> It's possible whatsmyipaddress.com is reading
> the client IP address from the X-Forwarded-For header.
On 5/15/07, zulkarnain <[hidden email]> wrote:
> Have you turned OFF "via" and "forwarded_for" in your
> squid.conf?

You can confirm which headers are being transmitted by using a
sniffer, or any of dozens of web sites which return the headers from a
request, e.g.:

     http://pgl.yoyo.org/http/browser-headers.php


Kevin
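A local version of the header-echo check Kevin suggests, added here as an example rather than taken from the thread: a throw-away HTTP server that returns the request headers it received, and a client that compares them with what it sent. On a loopback connection nothing sits in the path, so the reported difference is empty; run the server on a host on the far side of the transparent proxy and point `check_path` at it to see exactly what Squid adds, without trusting a third-party site's interpretation. The header list, the bind address and the User-Agent value are my assumptions.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers that only an intermediary would add; the list is my choice.
HOP_HEADERS = ("via", "x-forwarded-for", "forwarded", "proxy-connection")


class EchoHandler(BaseHTTPRequestHandler):
    """Answer every GET with the request headers as JSON, names lower-cased."""

    def do_GET(self):
        body = json.dumps({k.lower(): v for k, v in self.headers.items()}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_echo_server(host="127.0.0.1", port=0):
    """Start the echo server on a background thread; returns (server, bound port).
    Port 0 lets the kernel pick a free port."""
    server = HTTPServer((host, port), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_echoed_headers(host, port, sent_headers):
    """GET / on host:port with sent_headers; return the headers the server saw."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/", headers=sent_headers)
        return json.loads(conn.getresponse().read().decode())
    finally:
        conn.close()


def added_by_intermediaries(sent_headers, seen_headers):
    """Hop headers present at the server that the client never sent."""
    sent = {k.lower() for k in sent_headers}
    return {k: v for k, v in seen_headers.items() if k in HOP_HEADERS and k not in sent}


def check_path(host, port, user_agent="HeaderCheck/1.0"):
    """One request through whatever sits between us and host:port; report what it added."""
    sent = {"User-Agent": user_agent}
    return added_by_intermediaries(sent, fetch_echoed_headers(host, port, sent))


if __name__ == "__main__":
    server, bound_port = start_echo_server()
    try:
        print("loopback, nothing in the path:", check_path("127.0.0.1", bound_port))
    finally:
        server.shutdown()
```

The diff is deliberately restricted to the hop headers: `http.client` itself adds `Host` and `Accept-Encoding`, and a browser adds more, none of which say anything about a proxy.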

RE: Really transparent proxy

Facundo Vilarnovo
In reply to this post by Facundo Vilarnovo
Here it goes!
#####squid Conf.#####
http_port 3128 tproxy  transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
        acl Safe_ports port 80 # http
        acl Safe_ports port 21 # ftp
        acl Safe_ports port 443 # https
        acl Safe_ports port 70 # gopher
        acl Safe_ports port 210 # wais
        acl Safe_ports port 1025-65535 # unregistered ports
        acl Safe_ports port 280 # http-mgmt
        acl Safe_ports port 488 # gss-http
        acl Safe_ports port 591 # filemaker
        acl Safe_ports port 777 # multiling http
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 0.0.0.0/0.0.0.0
http_access allow our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname debian-sq
wccp2_router XXX.XXX.XXX.XXX
 wccp_version 4
 wccp2_forwarding_method 1
 wccp2_return_method 1
 wccp2_assignment_method 1
coredump_dir /usr/local/squid/var/cache
###### end of file #####

Here are the Iptables:
squid-RC9:/usr/local/squid/etc# iptables -L -t tproxy
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 0.0.0.0:3128
TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 0.0.0.0:80
TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 0.0.0.0:80
TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 0.0.0.0:3128

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

If any extra info is needed, I have no problem posting it!


Thanks all!!
Facundo Vilarnovo


Re: Really transparent proxy

Adrian Chadd
In reply to this post by Facundo Vilarnovo
On Wed, May 16, 2007, Facundo Vilarnovo wrote:
> Here it goes!
> #####squid Conf.#####

[snip]
>
> Here are the Iptables:
> squid-RC9:/usr/local/squid/etc# iptables -L -t tproxy

Could you give me the config lines that generate this, just in case?
What about the rest of iptables?

> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 0.0.0.0:3128
> TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 0.0.0.0:80
> TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 0.0.0.0:80
> TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 0.0.0.0:3128
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> If any extra info is needed, I have no problem posting it!

I think that's enough to go on. You could try visiting http://www.squid-cache.org/
and then tell me what IP it should be coming from..



Adrian


RE: Really transparent proxy

zulkarnain
In reply to this post by Facundo Vilarnovo
Add the following entries to your squid.conf

via off
forwarded_for off

Regards,
Zul

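To relate the squid.conf posted above to the directives suggested in the replies (`via off` and `forwarded_for off`, and the `header_access ... deny all` lines from Chris Robertson's message quoted earlier), here is an added example, not from the thread or from the Squid project, that parses a configuration and reports which hop headers Squid 2.6 would still emit. It encodes the caveat from the thread that `forwarded_for off` on its own leaves an `X-Forwarded-For: unknown` header in place. The excerpts are constructed from the posted file, and `request_header_access` is accepted as an alias of `header_access` on my assumption, not from anything on this page.

```python
# Constructed excerpt of the squid.conf posted in the thread, reduced to the
# lines relevant here (the posted file sets neither `via` nor `forwarded_for`).
POSTED_CONF = """\
http_port 3128 tproxy  transparent
acl our_networks src 0.0.0.0/0.0.0.0
http_access allow our_networks
visible_hostname debian-sq
"""

# The same excerpt plus the directives suggested in the replies.
HARDENED_CONF = POSTED_CONF + """\
via off
forwarded_for off
header_access Via deny all
header_access X-Forwarded-For deny all
"""


def parse_directives(conf_text):
    """Yield (directive, [args]) per non-comment line, in file order."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip trailing comments
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def emitted_hop_headers(conf_text):
    """Map of hop headers Squid 2.6 would still send upstream -> what they carry.

    Defaults (`via on`, `forwarded_for on`) apply unless the file overrides
    them; a later directive overrides an earlier one. `header_access X deny all`
    removes header X regardless of the on/off switches.
    """
    via_on, xff_on = True, True
    denied = set()
    for name, args in parse_directives(conf_text):
        if name == "via" and args:
            via_on = args[0].lower() == "on"
        elif name == "forwarded_for" and args:
            xff_on = args[0].lower() == "on"
        elif name in ("header_access", "request_header_access") and len(args) >= 3:
            header, action, acl = args[0].lower(), args[1].lower(), args[2]
            if action == "deny" and acl == "all":
                denied.add(header)
    emitted = {}
    if via_on and "via" not in denied:
        emitted["Via"] = "proxy hostname and Squid version"
    if "x-forwarded-for" not in denied:
        # Thread caveat: with `forwarded_for off` Squid 2 still sends the header,
        # just with the value "unknown", which is itself a proxy tell-tale.
        emitted["X-Forwarded-For"] = "client IP" if xff_on else "unknown"
    return emitted


if __name__ == "__main__":
    print("posted:  ", emitted_hop_headers(POSTED_CONF))
    print("hardened:", emitted_hop_headers(HARDENED_CONF))
```

Run against the posted excerpt it reports both headers; with only `via off` and `forwarded_for off` added it still reports `X-Forwarded-For` carrying "unknown"; only the `header_access` deny lines make the report empty.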
RE: Really transparent proxy

Facundo Vilarnovo
In reply to this post by Facundo Vilarnovo
Zul, we already did that... it doesn't change anything :(

I don't remember right now exactly how it was, but: option 1, with via off and forwarded_for off, shows that I'm BEHIND a proxy but shows the client ip address. Option 2, without via and forwarded_for off, doesn't, but shows the squid ip address instead of the client's ip. I don't know if you understand me :(

But it was something like that :(

Tnxs to all
Facundo Vilarnovo
 

-----Mensaje original-----
De: zulkarnain [mailto:[hidden email]]
Enviado el: Miércoles, 16 de Mayo de 2007 12:55 a.m.
Para: Facundo Vilarnovo; [hidden email]
Asunto: RE: [squid-users] Really transparent proxy

Add this following entry to your squid.conf

via off
forwarded_for off

Regards,
Zul
--- Facundo Vilarnovo <[hidden email]> wrote:

> Here it goes!
> #####squid Conf.#####
> http_port 3128 tproxy  transparent
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> access_log /usr/local/squid/var/logs/access.log
> squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl our_networks src 0.0.0.0/0.0.0.0
> http_access allow our_networks
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> visible_hostname debian-sq
> wccp2_router XXX.XXX.XXX.XXX
>  wccp_version 4
>  wccp2_forwarding_method 1
>  wccp2_return_method 1
>  wccp2_assignment_method 1
> coredump_dir /usr/local/squid/var/cache
> ###### end of file #####
>
> Here are the Iptables:
> squid-RC9:/usr/local/squid/etc# iptables -L -t
> tproxy
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>        
> TPROXY     tcp  --  anywhere             anywhere  
>         tcp dpt:www
> TPROXY redirect 0.0.0.0:3128
> TPROXY     tcp  --  anywhere             anywhere  
>         tcp dpt:www
> TPROXY redirect 0.0.0.0:80
> TPROXY     tcp  --  anywhere             anywhere  
>         tcp dpt:www
> TPROXY redirect 0.0.0.0:80
> TPROXY     tcp  --  anywhere             anywhere  
>         tcp dpt:www
> TPROXY redirect 0.0.0.0:3128
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>        
>
> if any extra info is needed i have no problem to
> postit!
>
>
> Thnxs all!!
> Facundo Vilarnovo



 
____________________________________________________________________________________
8:00? 8:25? 8:40? Find a flick in no time
with the Yahoo! Search movie showtime shortcut.
http://tools.search.yahoo.com/shortcuts/#news
Reply | Threaded
Open this post in threaded view
|

RE: Really transparent proxy

Facundo Vilarnovo
In reply to this post by Facundo Vilarnovo
Zul, we already do that... it doesn't chance anything :(

I don't remember right now how it was but, in option 1 via off, forward off, show that I'm BEHIND a proxy, but show the client ip address. Option 2: Without via and forward doesn't, but shows the squid ip address, instead the clients ip, I don't know if you understand me :(

But it was something like that :(

Tnxs to all
Facundo Vilarnovo

-----Mensaje original-----
De: Facundo Vilarnovo [mailto:[hidden email]]
Enviado el: Miércoles, 16 de Mayo de 2007 12:50 a.m.
Para: [hidden email]
CC: Nicolas Royo
Asunto: RE: [squid-users] Really transparent proxy

Here it goes!
#####squid Conf.#####
http_port 3128 tproxy  transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
        acl Safe_ports port 80 # http
        acl Safe_ports port 21 # ftp
        acl Safe_ports port 443 # https
        acl Safe_ports port 70 # gopher
        acl Safe_ports port 210 # wais
        acl Safe_ports port 1025-65535 # unregistered ports
        acl Safe_ports port 280 # http-mgmt
        acl Safe_ports port 488 # gss-http
        acl Safe_ports port 591 # filemaker
        acl Safe_ports port 777 # multiling http
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 0.0.0.0/0.0.0.0
http_access allow our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname debian-sq
wccp2_router y.y.y.y
 wccp_version 4
 wccp2_forwarding_method 1
 wccp2_return_method 1
 wccp2_assignment_method 1
coredump_dir /usr/local/squid/var/cache
###### end of file #####

Here are the Iptables:
squid-RC9:/usr/local/squid/etc# iptables -L -t tproxy Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 0.0.0.0:3128
TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 0.0.0.0:80
TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 0.0.0.0:80
TPROXY     tcp  --  anywhere             anywhere            tcp dpt:www TPROXY redirect 0.0.0.0:3128

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

If any extra info is needed, I have no problem posting it!


Thanks all!!
Facundo Vilarnovo

-----Original Message-----
From: Facundo Vilarnovo [mailto:[hidden email]]
Sent: Wednesday, 16 May 2007 12:26 a.m.
To: zulkarnain; [hidden email]
CC: Nicolas Royo
Subject: RE: [squid-users] Really transparent proxy

Here it goes!
#####squid Conf.#####
http_port 3128 tproxy  transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache

-----Original Message-----
From: zulkarnain [mailto:[hidden email]]
Sent: Tuesday, 15 May 2007 11:22 p.m.
To: Facundo Vilarnovo; [hidden email]
CC: Nicolas Royo
Subject: RE: [squid-users] Really transparent proxy


--- Facundo Vilarnovo <[hidden email]> wrote:
> Now we got squid+wccp+tproxy module working but,
> some sites like http://www.whatsmyipaddress.com/
> shows the client origin ip address (that's correct)
> and ALSO shows that is behind and PROXY!, any ideas
> of what can be wrong?, if is needed we may post our
> configuration file of squid!
>

Have you turned OFF "via" and "forwarded_for" in your
squid.conf?

-Zul


 

RE: Really transparent proxy

zulkarnain
In reply to this post by Facundo Vilarnovo
--- Facundo Vilarnovo <[hidden email]> wrote:

> Zul, we already did that... it doesn't change
> anything :(
>
> I don't remember right now how it was but, in option
> 1, via off, forward off, it shows that I'm BEHIND a
> proxy, but shows the client IP address. Option 2:
> Without via and forward it doesn't, but shows the squid
> IP address instead of the client's IP. I don't know if
> you understand me :(
>

What proxy variables exactly said that you are
behind a proxy server in your testing?

Zul



 

Re: Really transparent proxy

Henrik Nordström
In reply to this post by Adrian Chadd
Wed 2007-05-16 at 11:54 +0800, Adrian Chadd wrote:

> I think that's enough to go on. You could try visiting http://www.squid-cache.org/
> and then tell me what IP it should be coming from..

http://devel.squid-cache.org/cgi-bin/test also shows all the interesting
details about the request..

Regards
Henrik


RE: Really transparent proxy

Facundo Vilarnovo
In reply to this post by Facundo Vilarnovo
Zul,
        What variables are you referring to? We tested by setting the proxy IP in IE,
pointing to port 3128, using http://www.whatsmyipaddress.com; as a result it says it passes the original source IP address (the client's IP), but detects a proxy server. Doing it totally "transparent" with WCCP, with nothing configured in IE, we get the same results.
        The point is we are still getting the proxy detected. Using variables like Via and XFF, the result is that it passes the client IP address or doesn't; it seems to have nothing to do with the problem of the cache being visible or not.

Via off, XFF off = client's source IP is shown, proxy detected.

Via on, XFF on = client's source IP is not shown (shows proxy IP), proxy not detected.

Thanks!
Facundo Vilarnovo

 




-----Original Message-----
From: zulkarnain [mailto:[hidden email]]
Sent: Wednesday, 16 May 2007 01:43 a.m.
To: Facundo Vilarnovo; [hidden email]
Subject: RE: [squid-users] Really transparent proxy


Re: Really transparent proxy

Chris Robertson-2
Facundo Vilarnovo wrote:
> Zul,
> What variables are you referring to? We tested by setting the proxy IP in IE,
> pointing to port 3128, using http://www.whatsmyipaddress.com; as a result it says it passes the original source IP address (the client's IP), but detects a proxy server. Doing it totally "transparent" with WCCP, with nothing configured in IE, we get the same results.
> The point is we are still getting the proxy detected. Using variables like Via and XFF, the result is that it passes the client IP address or doesn't.

While the above is correct...

> It seems to have nothing to do with the problem of the cache being visible or not.
>  

...this is not.

> Via off, XFF off = client's source IP is shown, proxy detected.
>  

Makes sense.  You are still transmitting a X-Forwarded-For header.  Just
not populating it with data.

> Via on, XFF on = client's source IP is not shown (shows proxy IP), proxy not detected.
>  

This is a bit of a mystery.  Perhaps the script is being tricked by
having a valid XFF and VIA header which don't agree with the client
source address.

> Tnxs!
> Facundo Vilarnovo
>  

In any case, setting the tag "forwarded_for" to "off" in the squid.conf
file does not prevent its addition by Squid (see
http://www.squid-cache.org/Versions/v2/HEAD/cfgman/forwarded_for.html).  
Setting "via off" only prevents the instance of Squid where it is set
from adding its own Via header.  Try using...

header_access Via deny all
header_access X-Forwarded-For deny all

...and accessing whatsmyipaddress.com.  You might have better luck.

Chris

RE: Really transparent proxy

Facundo Vilarnovo
In reply to this post by Facundo Vilarnovo
Chris,
 
Thanks for your quick answer.
We've also tried that; now that you mention it, we are still trying a few combinations of the following lines.
 
header_access Via deny all / none
header_access X-Forwarded-For deny all / none
via off / on / deny
forwarder_for off / on / deny
 
The best result we've got is that it is not detecting the proxy server..........but it is still going out with proxy IPs.
 
Some conclusions we are still studying are:
 
-Our squid has only one NIC, not two like lots of examples here (eth0 + gre0).
-We are using REDIRECT in iptables instead of nat........does that have anything to do with it?
-We are trying transparently (not setting the proxy in IE) and forcing it.......the results are the same, I guess?



-----Original Message-----
From: Chris Robertson [mailto:[hidden email]]
Sent: Wednesday, 16 May 2007 05:36 p.m.
To: [hidden email]
Subject: Re: [squid-users] Really transparent proxy


Re: Really transparent proxy

Chris Robertson-2
Facundo Vilarnovo wrote:
> Chris,
>  
> Thanx for your quick answer.
>  

You are welcome, but please don't top-post .  It makes referencing
messages in the archive much more difficult by ruining the flow of a
conversation.

> We´ve also tried that, now that you mencion it, we are still trying a few combinations of the following lines.
>  
> header_access Via deny all / none
> header_access X-Forwarded-For deny all / none
> via off / on / deny
> forwarder_for off / on / deny
>  

Defining "header_access Via deny all" will prevent your Squid from
passing ANY Via headers.  Also specifying "via on" (or "via off") is
superfluous.  Same thing for "header_access X-Forwarded-For deny all".  
Be sure you have not changed the definition of the "all" ACL.  An
earlier post shows it intact.

>  
> The best result we´ve got is that is not detecting the proxy server..........but it is still going out with proxy ips.
>  

I maintain, that is an odd result.

>  
> Some conclusion left we are studying are:
>  
> -Our squid has only one nic, not two like lots of examples here. (eth0 + gre0)
>  

If I'm not mistaken, gre0 is a virtual interface, not a physical one.

> -We are using REDIRECT in iptables instead of nat........has anything to do with that?
>  

It might.  Set the header_access denies I suggested, surf to
http://devel.squid-cache.org/cgi-bin/test with a proxied client and post
the first three lines of the results (source address, via, and forwarded
from).

> -We are trying transparently (not setting proxy con IE) and forcing it.......results are the same i guess?
>  

This shouldn't make a difference in how a website perceives the
traffic.  Just in how the browser requests it.

Chris


RE: Really transparent proxy

Facundo Vilarnovo
In reply to this post by Facundo Vilarnovo
Colin,
        Thanks a lot for your extensive reply. We were hoping that it would be possible to do a "magical" masquerade. I understand that the one that originates the request to the destination web server is the Squid, but I believed that it would do some kind of "magical" spoofing of the source IP address. We've got offers from Bluecoat products; they say they have a product that can match our requirement. We were hoping that Squid had the same ability.
        Here we have a neighbor ISP that runs Squid proxy servers with the "tproxy" patch, and they could "hide" the Squid IP, so when you do a test with any URL the source seems to be the client's IP address. They don't want to say how they do it.
        I still believe in magic, so I will still investigate how we can do it, even if it means recoding the TCP/IP suite.

Regards
Facundo Vilarnovo


-----Original Message-----
From: Colin Campbell [mailto:[hidden email]]
Sent: Wednesday, 16 May 2007 08:24 p.m.
To: Facundo Vilarnovo
CC: zulkarnain; [hidden email]
Subject: RE: [squid-users] Really transparent proxy

Hi,

On Wed, 2007-05-16 at 16:54 -0300, Facundo Vilarnovo wrote:
> Zul,
> What variables are you referring to? We tested by setting the proxy IP in IE,
> pointing to port 3128, using http://www.whatsmyipaddress.com; as a result it says it passes the original source IP address (the client's IP), but detects a proxy server. Doing it totally "transparent" with WCCP, with nothing configured in IE, we get the same results.
> The point is we are still getting the proxy detected. Using variables like Via and XFF, the result is that it passes the client IP address or doesn't; it seems to have nothing to do with the problem of the cache being visible or not.
>
> Via off, XFF off = client's source IP is shown, proxy detected.
>
> Via on, XFF on = client's source IP is not shown (shows proxy IP), proxy not detected.

There seems to be a fundamental misunderstanding here of what a proxy
actually is and how it works.

When you configure a browser to use a proxy, the browser connects to the
proxy and tells it what URL to fetch. The proxy then makes a connection
to the server and retrieves the data. The server sees the proxy address
because that's who made the connection. If you have XFF set, there's an
HTTP header added to the request that states the request was forwarded
on behalf of the listed IP. The end server can access this information
but the connection to the server is still from the proxy ip, not the
client ip.

When you use WCCP, the router "grabs" the packets and forwards them to
the proxy. The proxy then extracts the information from the packets and
connects to the end server. The end server therefore only sees a
connection from the proxy.

If you use a proxy be it explicitly by configuring the browser or
"transparently" using WCCP or any other method (eg iptables REDIRECT)
the connection is ALWAYS from the proxy to the server. You can never get
a connection at the server end from the client IP if you use a proxy.

Colin

>
> Thanks!
> Facundo Vilarnovo
--
Colin Campbell
Unix Support/Postmaster/Hostmaster
Citec
+61 7 3227 6334

RE: Really transparent proxy

Facundo Vilarnovo
In reply to this post by Facundo Vilarnovo
Mistake,
        We achieved passing the client's IP through Squid, but the Squid remains visible to pages like whatsmyipaddress.com (the page shows the client's IP address, but detects the proxy).

Regards.
Facundo Vilarnovo


-----Original Message-----
From: Facundo Vilarnovo [mailto:[hidden email]]
Sent: Wednesday, 16 May 2007 09:02 p.m.
To: Colin Campbell
CC: zulkarnain; [hidden email]
Subject: RE: [squid-users] Really transparent proxy



Re: Really transparent proxy

Adrian Chadd
In reply to this post by Facundo Vilarnovo
On Wed, May 16, 2007, Facundo Vilarnovo wrote:
> Colin,
> Thanks a lot for your extensive reply. We were hoping that it would be possible to do a "magical" masquerade. I understand that the one that originates the request to the destination web server is the Squid, but I believed that it would do some kind of "magical" spoofing of the source IP address. We've got offers from Bluecoat products; they say they have a product that can match our requirement. We were hoping that Squid had the same ability.
> Here we have a neighbor ISP that runs Squid proxy servers with the "tproxy" patch, and they could "hide" the Squid IP, so when you do a test with any URL the source seems to be the client's IP address. They don't want to say how they do it.
> I still believe in magic, so I will still investigate how we can do it, even if it means recoding the TCP/IP suite.

Squid has that ability starting with Squid-2.6 and TPROXY under Linux.
It's had it for close to a year now.  You use WCCPv2 to redirect traffic
in both directions and not just in one direction. You set up TPROXY
rules to redirect traffic that the proxy is interested in; if it sees
traffic for a non-established connection it fires it back at the router.
It works very well for one Squid proxy and WCCPv2.

I'm happy to set this all up in my lab at home and test it out but
paid work takes precedence over fun (which this, for the most part,
is.)

Tell you what. If people would like to see full documentation,
kernel packages and such for a fully transparent Squid setup with WCCPv2,
then how about making some small donations to the Squid project.
If I see enough donations coming in I'll spend a weekend setting this
up in the lab, building a fully transparent environment with Linux,
TPROXY, Squid-2.6, WCCPv2 and some non-official patches to make things
even 'more' transparent, and put it all up on the website.

(ObNote: if people who left squid and went commercial would only come
talk to us first, they may find we'd suddenly have the resources to make
Squid a -whole- lot faster, flexible and easier to use, and they'd save
$100k + a proxy. Hm, guess it's not too late to do some marketing electives
at university next semester..)




Adrian
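
To make the two points in this thread concrete (Chris Robertson's, that `forwarded_for off` still emits an X-Forwarded-For header and `via off` only suppresses this Squid's own Via, and Colin's and Adrian's, that a normal proxy connects from its own address whereas TPROXY connects with the client's), here is an added example; it is not code from the thread or from the Squid project. It models what a whatsmyipaddress-style page can observe for each configuration tried above. The client and proxy addresses, the Via string and the header sets are constructed assumptions, not captured traffic.

```python
"""What a remote "what is my IP / are you behind a proxy" page can observe.

Added example, not code from the squid-users thread or from the Squid
project.  It models two things: the request headers Squid adds (Via, and
X-Forwarded-For, which `forwarded_for off` turns into the literal value
"unknown" rather than removing) and the TCP source address the origin
server sees (the proxy's for a plain proxy, the client's under TPROXY).
All addresses and header values below are constructed for illustration.
"""

import ipaddress

# Constructed addresses (assumptions, not taken from the thread).
CLIENT_IP = "198.51.100.23"   # browser behind the ISP's proxy
PROXY_IP = "203.0.113.10"     # the Squid box's outside address

# Request headers that give away a forwarding proxy.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded", "x-proxy-id")


def inspect_request(peer_ip, headers):
    """Return what the origin server can see about one proxied request.

    peer_ip  - source address of the TCP connection as the server sees it
    headers  - request headers, name -> value (names compared case-insensitively)
    """
    h = {name.lower(): value.strip() for name, value in headers.items()}
    reasons = [f"{name}: {h[name]}" for name in PROXY_HEADERS if name in h]

    # If X-Forwarded-For names a real address the page reports that as
    # "your IP"; "unknown" carries no address but is still a proxy signature.
    forwarded_client = None
    xff = h.get("x-forwarded-for")
    if xff and xff.lower() != "unknown":
        try:
            forwarded_client = str(ipaddress.ip_address(xff.split(",")[0].strip()))
        except ValueError:
            pass

    return {
        "peer_ip": peer_ip,
        "reported_ip": forwarded_client or peer_ip,
        "proxy_detected": bool(reasons),
        "reasons": reasons,
    }


def squid_scenarios():
    """The configurations tried in the thread, as the header sets they emit."""
    default = {  # stock Squid 2.6: via on, forwarded_for on (constructed Via string)
        "Via": "1.0 debian-sq:3128 (squid/2.6.STABLE13)",
        "X-Forwarded-For": CLIENT_IP,
    }
    # via off + forwarded_for off: no Via, but X-Forwarded-For is still sent,
    # now with the literal value "unknown".
    via_off_xff_off = {"X-Forwarded-For": "unknown"}
    # header_access Via deny all / header_access X-Forwarded-For deny all
    header_access_deny = {}

    return {
        # plain proxy (explicit, WCCP or iptables REDIRECT): the TCP connection
        # to the origin server is opened from the Squid box's own address
        "default": inspect_request(PROXY_IP, default),
        "via_off_xff_off": inspect_request(PROXY_IP, via_off_xff_off),
        "header_access_deny": inspect_request(PROXY_IP, header_access_deny),
        # TPROXY: Squid opens the outbound connection with the client's address
        "tproxy_header_access_deny": inspect_request(CLIENT_IP, header_access_deny),
    }


if __name__ == "__main__":
    for name, seen in squid_scenarios().items():
        verdict = "proxy detected" if seen["proxy_detected"] else "no proxy seen"
        print(f"{name:28s} reports {seen['reported_ip']:15s} {verdict}  {seen['reasons']}")
```

Run it as a script to get one line per scenario. The two lines worth comparing are `header_access_deny`, where no header gives the proxy away but the reported address is still the proxy's (the "not detecting the proxy but still going out with proxy IPs" result above), and `tproxy_header_access_deny`, where the page sees the client's address and nothing else; only the source address of the connection separates them, which is exactly what header settings cannot change.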


RE: Really transparent proxy

Henrik Nordström
In reply to this post by Facundo Vilarnovo
Wed 2007-05-16 at 21:21 -0300, Facundo Vilarnovo wrote:
> Mistake,
> We achieved passing the client's IP through Squid, but the Squid remains visible to pages like whatsmyipaddress.com (the page shows the client's IP address, but detects the proxy).

Please go to http://devel.squid-cache.org/cgi-bin/test and post back the
results here.

Regards
Henrik
