Re: Transparent proxy + siblings?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 18 Aug 1998 23:29:54 +0200

Umar Goldeli wrote:
 
> So clients make a request, they're intercepted at the firewall on
> say eth0, then redirected via ipfwadm rules through eth1 to the
> proxy port on the proxy? (and then the proxy goes off and speaks
> to a sibling or whatever)

Not quite. See below. But you are close.

> I don't see where any httpd_accel things should come in?

They do. Or an equivalent piece of software.

What httpd_accel does is to translate the request from an HTTP
request to an HTTP proxy request. It does this by relying on
two things:
  - the Host: header of the request
  - the destination IP address of the request.

HTTP 1.0+ Proxy request
--- TCP connection to proxy.isp.net port 3128 ---
GET http://www.server.com/some/path/to/file HTTP/1.0
Host: www.server.com
Accept: */*

-------------------------------------------------
HTTP 1.0+ server request:
--- TCP connection to 11.22.33.44 port 80 ----
GET /some/path/to/file HTTP/1.0
Host: www.server.com
Accept: */*

-------------------------------------------------

HTTP 1.0 Server request
--- TCP connection to 11.22.33.44 port 80 ----
GET /some/path/to/file HTTP/1.0
Accept: */*

-------------------------------------------------

As you see the HTTP requests are a bit different from what a proxy
normally sees, so the process that accepts the redirected traffic
needs to put the available pieces together to find out what really
was requested in a way that proxies can understand.

  - Port 80: it was http (which is blindly assumed; it is an http proxy).
  - Host: header can give the intended host name, including possibly a
    Host: based virtual server.
  - IP address gives at least a unique server identifier if there was no
    Host: header.

> Or is the network layout above not the best way to do it? Or
> am I missing something again? :)

A small fact. ipfwadm can only redirect to a port on the same machine.
Due to this fact you need to run either a small Squid or transproxyd on
the "Firewall".

transproxyd is a separate daemon that accepts a transparently
accelerated HTTP connection, translates it to a proxy request and hands
it off to a configured proxy server.

---
Henrik Nordström
Sparetime Squid Hacker
Received on Tue Aug 18 1998 - 18:12:12 MDT
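The Host:/destination-IP translation described in this message, as an added worked example (not code from the original post, nor from Squid or transproxyd): it rewrites the three request shapes shown above into the absolute-URI form a proxy expects. The function name, the sample requests and the rule of appending a non-80 destination port are assumptions of this example.

```python
def to_proxy_request(raw: bytes, dst_ip: str, dst_port: int) -> bytes:
    """Turn a transparently redirected HTTP request into a proxy request.

    raw      - the request as received on the redirected socket
    dst_ip   - original destination IP (e.g. from the redirect rule)
    dst_port - original destination port (80 is assumed to mean http)
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if target.startswith(b"http://"):
        return raw  # already a proxy-form request: nothing to translate
    if not target.startswith(b"/"):
        raise ValueError("unsupported request target")

    # First choice: the Host: header (also covers name-based virtual hosts).
    host = None
    for hdr in lines[1:]:
        name, _, value = hdr.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
            break
    # Fallback for HTTP/1.0 clients that send no Host: header: the
    # destination IP is at least a unique identifier of the server.
    if not host:
        host = dst_ip.encode("ascii")
    # Assumption of this example: carry a non-standard port into the URL
    # when the host part does not already name one.
    if b":" not in host and dst_port != 80:
        host += b":%d" % dst_port

    lines[0] = b"%s http://%s%s %s" % (method, host, target, version)
    return b"\r\n".join(lines) + sep + body


# Constructed sample requests mirroring the two server-request forms above.
SERVER_REQ_WITH_HOST = (b"GET /some/path/to/file HTTP/1.0\r\n"
                        b"Host: www.server.com\r\n"
                        b"Accept: */*\r\n\r\n")
SERVER_REQ_NO_HOST = b"GET /some/path/to/file HTTP/1.0\r\nAccept: */*\r\n\r\n"

if __name__ == "__main__":
    for req in (SERVER_REQ_WITH_HOST, SERVER_REQ_NO_HOST):
        print(to_proxy_request(req, "11.22.33.44", 80).decode())
```

Note that the rewritten request line trusts whatever Host: says; the caller still knows dst_ip, so a deployment can cross-check the two before forwarding.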
