Re: [squid-users] transparent proxy error

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 2 Nov 2005 22:29:10 +0100 (CET)

Sorry, my memory is very short. Please keep your answers in the correct
thread...

On Tue, 1 Nov 2005, CsY wrote:

> do you think this?
> # Generated by iptables-save v1.3.1 on Fri Oct 21 15:21:54 2005
> *mangle
> :PREROUTING ACCEPT [2497:834932]
> :INPUT ACCEPT [2477:831704]
> :FORWARD ACCEPT [19:3172]
> :OUTPUT ACCEPT [2598:846827]
> :POSTROUTING ACCEPT [2617:849999]
> COMMIT
> # Completed on Fri Oct 21 15:21:54 2005
> # Generated by iptables-save v1.3.1 on Fri Oct 21 15:21:54 2005
> *nat
> :PREROUTING ACCEPT [6:789]
> :POSTROUTING ACCEPT [74:4434]
> :OUTPUT ACCEPT [69:3693]
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081
> COMMIT
> # Completed on Fri Oct 21 15:21:54 2005
> # Generated by iptables-save v1.3.1 on Fri Oct 21 15:21:54 2005
> *filter
> :INPUT ACCEPT [2477:831704]
> :FORWARD ACCEPT [19:3172]
> :OUTPUT ACCEPT [2598:846827]
> COMMIT
> # Completed on Fri Oct 21 15:21:54 2005
>
> Henrik Nordstrom wrote:
>> On Tue, 1 Nov 2005, Senthil Murugan wrote:
>>
>>> the original website that he/she was trying to access. But this time the
>>> browser will not send the cookie credentials because this is a different
>>> domain. You explained that, "since the proxy has the full control of the
>>> traffic passing through it, it can play games on the browser and issue
>>> cookie for all the visited domains". But with this, only the proxy can add
>>> the credentials, but what is actually needed is that only the proxy needs the
>>> credentials from the browser. How come this works, or have I not understood
>>> clearly?
>>
>> There is always the domain of the proxy, to which the browser sends its
>> cookies. To transport the session cookie to another domain a double
>> redirect is used via the proxy domain, temporarily carrying the session
>> details in a "magic" URL to the visited domain which then issues the
>> cookie and redirects back to the originally requested page on the same
>> domain.
>>
>> I have done this kind of solution for reverse proxies using Squid, and it
>> is not hard (you only need an HTTP server maintaining the session, and a
>> little thinking on how to use external acls). Only difficulty wrt doing it
>> in a forward proxy is that you need to modify the proxy to not forward the
>> session cookie to the requested site and for this some new Squid
>> modifications will be needed (i.e. the filtering of the cookie is not
>> possible with what is available for Squid today)
>>
>> Regards
>> Henrik
>>
>
Received on Wed Nov 02 2005 - 14:29:13 MST
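
The double redirect described in the quoted reply, modelled as an added Python example; it is not code from the thread, from Squid, or from the author's reverse-proxy setups. The domain, cookie name, magic path, signing scheme and session store are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

PROXY_DOMAIN = "auth.proxy.example"  # assumed: the proxy's own domain
MAGIC_PATH = "/__proxy_session__"    # assumed: "magic" URL the proxy intercepts
COOKIE = "proxy_session"             # assumed session cookie name
KEY = secrets.token_bytes(32)        # known only to the proxy
SESSIONS = {"s-123": "alice"}        # constructed session store

def sign(sid, host, orig, exp):
    """Bind the hand-off to one session, one visited host, one page, one expiry."""
    msg = repr((sid, host, orig, exp)).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def proxy_handle(host, path_qs, cookies, now=None):
    """Return (302|403, response headers) or ("FORWARD", headers sent to origin)."""
    now = now or int(time.time())
    url = urlparse(path_qs)
    q = parse_qs(url.query)
    if host == PROXY_DOMAIN:  # redirect 2: browser presented the proxy-domain cookie
        sid = cookies.get(COOKIE)
        if sid not in SESSIONS or "return" not in q:
            return 403, {}  # a real deployment would show its login page here
        target = urlparse(q["return"][0])
        orig = (target.path or "/") + ("?" + target.query if target.query else "")
        exp = now + 30  # short lifetime: the session id is in a URL only briefly
        args = {"sid": sid, "orig": orig, "exp": exp,
                "sig": sign(sid, target.hostname, orig, exp)}
        return 302, {"Location": f"http://{target.hostname}{MAGIC_PATH}?{urlencode(args)}"}
    if url.path == MAGIC_PATH:  # answered by the proxy in the visited domain's name
        try:
            sid, orig, exp, sig = (q[k][0] for k in ("sid", "orig", "exp", "sig"))
            ok = hmac.compare_digest(sig.encode(), sign(sid, host, orig, int(exp)).encode())
        except (KeyError, ValueError):
            ok = False
        if not ok or int(exp) < now or sid not in SESSIONS:
            return 403, {}
        return 302, {"Set-Cookie": f"{COOKIE}={sid}; Path=/; HttpOnly",
                     "Location": f"http://{host}{orig}"}
    if cookies.get(COOKIE) not in SESSIONS:  # redirect 1: no session for this domain
        ret = urlencode({"return": f"http://{host}{path_qs}"})
        return 302, {"Location": f"http://{PROXY_DOMAIN}/login?{ret}"}
    kept = {k: v for k, v in cookies.items() if k != COOKIE}  # never forward the proxy cookie
    return "FORWARD", {"Cookie": "; ".join(f"{k}={v}" for k, v in kept.items())}

def follow(location, cookies, now=None):
    """Browser side: request a redirect target with that host's cookies."""
    u = urlparse(location)
    return proxy_handle(u.hostname, u.path + ("?" + u.query if u.query else ""), cookies, now)
```

The final branch is the cookie filtering that, per the quoted reply, a forward-proxy Squid of that time could not do without modification.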