Re: [squid-users] Really transparent proxy

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 04 May 2007 16:27:05 -0800

omero omero wrote:
> Hello Facundo,
>
> I read your message and the replies. I think that the
> replies did not solve your problem. I did not open the
> links provided, but I read the conclusion which is to
> deny Via and X-Forwarded-For (XFF).

The commands I listed will deny the TRANSMISSION of the Via and
X-Forwarded-For headers. Read further for more details.

> You do not need to
> deny anything. Actually, you need to disable the
> transmission of Via and XFF.

That's what header_access deny does.

> There is a big difference
> between [denying Via and XFF] and [disabling
> transmission of Via and XFF]. Denying Via and XFF is
> to deny HTTP requests that come from a client which
> has a proxy server installed on it (with Via and XFF
> being enabled on that proxy server).

No argument. An acl/http_access combo like...

# Syntax: acl <name> req_header <header-name> <regex>; "." matches any non-empty value
acl Via req_header Via .
acl XFF req_header X-Forwarded-For .
http_access deny Via
http_access deny XFF

...would block REQUESTS containing said headers. While there might be a
reason for doing so, that's not what I suggested.

> You want to
> prevent internet servers from detecting that you are
> behind a proxy, therefore you need to disable
> transmission of Via and XFF.
>
> To do that, add the following 2 lines to your squid
> conf file and don't forget to restart the service
> after you save the file:
>
> forwarded_for off
> via off
>
>

This will perform the same function, but ONLY for the Squid server it is
set on. "header_access deny" removes preexisting headers as well (so if
set on a parent cache, the headers added by the child cache will also be
removed). Further, the original poster did not specify if they were
using Squid 2.5 or 2.6. The via directive is new with 2.6.
header_access would work with both.

> BUT WAIT, you said that at your server, you did not
> set any proxy and the site you enter is detecting that
> you are behind a proxy.

He stated that he is using WCCP
(http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-3a8820922b612e5efaf516ef043ea4c05e2e4799)
to re-direct web traffic to his Squid server. That alleviates the need
to specify the proxy connection in the browser at the cost of breaking
RFCs (as most/all interception setups do).

Adrian's suggestion of looking into TPROXY was to allow the proxy to
spoof the IP address that traffic would appear to source from, further
hiding the fact that a proxy is in use
(http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-5887c3744368f290e63fda47fd1e4715c9bdbc9b).

> Actually, this is not related
> to the squid proxy server installed on your server.
> You get internet from an ISP, and this ISP has a proxy
> server on it. Right? Sure. The proxy server of your
> ISP will add the Via and XFF. You can't do anything
> about it from your side. You might want to use
> ANONYMOUS proxy servers that can serve your purpose by
> modifying requests after they are no longer
> controlled by your ISP. Requests go like this: You
> --> Your ISP --> Anonymous Proxy server --> Target
> Site.
>

Given the assumption you made here, this is entirely correct. You'd
need a proxy outside of your ISP's control that would be capable of
removing the ISP supplied Via and XFF headers.

> Regards.
>
>

Hope that clears things up.

Chris
Received on Fri May 04 2007 - 18:27:16 MDT
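
Added example (not part of the original message, and not Squid code): a Python check to run over a request captured at a test origin you control, to confirm whether the header settings discussed above still leave a Via or X-Forwarded-For header in what the server receives. The host names, addresses and sample captures are constructed for illustration.

```python
def parse_headers(raw: bytes) -> dict:
    """Parse a raw request head into {lowercased name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers, last = {}, None
    for line in head.split("\r\n")[1:]:            # skip the request line
        if line[:1] in (" ", "\t") and last:       # obsolete folded continuation
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            headers.setdefault(last, []).append(value.strip())
    return headers

def list_items(headers: dict, name: str) -> list:
    """Flatten repeated headers and comma-separated lists into one list."""
    return [v.strip() for line in headers.get(name, [])
            for v in line.split(",") if v.strip()]

def proxy_disclosure(raw: bytes) -> dict:
    """Report what an origin server can learn about proxies in the path."""
    h = parse_headers(raw)
    via = list_items(h, "via")
    xff = list_items(h, "x-forwarded-for")
    # A Via element is "<protocol-version> <received-by> [comment]".
    hops = [e.split()[1] for e in via if len(e.split()) > 1]
    return {"disclosed": bool(via or xff), "via_hops": hops, "client_chain": xff}

# Constructed captures (example host names, documentation address ranges).
BOTH_CACHES = (b"GET / HTTP/1.0\r\nHost: www.example.com\r\n"
               b"Via: 1.1 child.example.net:3128 (squid)\r\n"
               b"via: 1.0 parent.example.net:3128 (squid)\r\n"
               b"X-Forwarded-For: 192.0.2.10, 198.51.100.7\r\n\r\n")
CHILD_ONLY = (b"GET / HTTP/1.0\r\nHost: www.example.com\r\n"
              b"Via: 1.1 child.example.net:3128 (squid)\r\n"
              b"X-Forwarded-For: 192.0.2.10\r\n\r\n")
STRIPPED = b"GET / HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("both caches", BOTH_CACHES),
                       ("child only", CHILD_ONLY),
                       ("stripped", STRIPPED)):
        print(label, proxy_disclosure(raw))
```

A capture that still reports the child cache's hop shows that headers added upstream of the Squid instance you reconfigured are reaching the origin.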
