RE: [squid-users] Really transparent proxy

Squid users:
        We tried what omero omero suggest; now we got squid2.6.STABLE13, compiled with wccp and tproxy. We also do kernel compilation with tproxy module. Iptables recompilation with tproxy support.
        Now we got squid+wccp+tproxy module working but, some sites like http://www.whatsmyipaddress.com/ shows the client origin ip address (that's correct) and ALSO shows that is behind and PROXY!, any ideas of what can be wrong?, if is needed we may post our configuration file of squid!

Thanxs a lot
Regards
Facundo Vilarnovo

________________________________________
De: Nicolas Royo
Enviado el: Martes, 15 de Mayo de 2007 08:55 p.m.
Para: Facundo Vilarnovo
Asunto: RV: [squid-users] Really transparent proxy
 
?
 

________________________________________
De: omero omero [mailto:hotmadtank@yahoo.com]
Enviado el: lun 07/05/2007 20:45
Para: squid-users@squid-cache.org
Asunto: Re: [squid-users] Really transparent proxy
Hello Nicolas,

I am glad to hear the good news.

I guess that your messages are not reaching squid
users because you are not using simple text messages.

Regards
Omero

--- Nicolas Royo <nroyo@ertach.com> wrote:

> ?
> It Worked perfectly!
> 
> Testing it during whole weekend against 300 clients!
> 
> Thanxs for your help!  glad to be helpfull!
> 
> (now struggling with ip_conntrack: table full,
> dropping packet, but thats another story)
> 
> 
> 
>
> ________________________________
>
> De: omero omero [mailto:hotmadtank@yahoo.com]
> Enviado el: vie 04/05/2007 22:50
> Para: squid-users@squid-cache.org
> Asunto: RE: [squid-users] Really transparent proxy
>
>
>
> Hello Nicolas,
>
> For your own convenience, i have chosen to add the
> following:
>
> If you really want to make your proxy server
> anonymous. You have to know that disabling Via and
> XFF
> is not enough. To explain my point, i will introduce
> you to a header called UserAgent, this is also added
> to the HTTP request but it basicly depends on the
> client side.
>
> So, what is UserAgent? It is a string added which
> contains informaion about the browser type, browser
> version, operating system and other information.
>
> How can an ISP or an internet site detect that you
> are
> behind a proxy using UserAgent? Consider the
> following
> example:
>
> - You have two client computers A & B
> - Computer A: has Windows NT 5.1 and Internet
> explorer
> 6.0 installed on it
> - Computer B: has Windows NT 5.1 and IE 7.0
>
> If the two computers attempt to access the internet
> SIMULTANEOUSLY, the ISP can detect that requests
> with
> different browser version are being transmited.
>
> An ISP can use this method to detect child proxy
> servers.
>
> What can your proxy server do to prevent this?
> Simply
> it must modify UserAgent to one united string. How
> to
> do that in squid? Actually i am a new squid user and
> i
> did not try to find out how. And I don't have much
> time for this. I will leave it to you and other
> squid
> users.
>
> Just While I was typing this message, I received a
> response to my reply from Chris Robertson. Thank you
> Chriss.
>
> He said that even with disabling XFF, XFF will
> contain: Unknown. This will definetly allow the ISP
> to
> detect that a request is behind a proxy server. XFF
> must not be transmitted at all to prevent detection.
>
> You have to find a way to totally remove the XFF and
> Via header. Either by squid or by another proxy
> server.
>
> Another reply from Chris Robertson he said that it
> can
> solved using squid. So read it :). I will read it
> later.
>
> I am using now a proxy server namely Proxy+, it has
> an
> option Anonymous(No XFF, No Via) for HTTP requests.
> XFF and Via will not be sent at all. Again UserAgent
> string is still a problem.
>
> There is another program which gives you the ability
> to modify UserAgent. Its called Foxy.
>
> Its not recommended to modify UserAgent, because
> some
> sites use this header to send you the page code that
> best suits your browser. But if you have are looking
> for making your proxy server completley anonymous,
> you
> have to consider the UserAgent problem.
>
> Tiered of typing :)
> Good Luck
>
> Regards
> Omero
>
>
>
> --- Nicolas Royo <nroyo@ertach.com> wrote:
>
> > Thanxs Omero,
> >
> > I was passively watching closely this steps since
> im
> > working with facundo on implementing a squid-wccp
> on
> > a small ISP on our country.
> >
> > Greetings for the answer, ill be trying them and
> > leting you know if it worked!
> >
> >
> >
> > ________________________________
> >
> > De: omero omero [mailto:hotmadtank@yahoo.com]
> > Enviado el: vie 04/05/2007 20:52
> > Para: squid-users@squid-cache.org
> > Asunto: Re: [squid-users] Really transparent proxy
> >
> >
> >
> > Hello Facundo,
> >
> > I read you message and the replies. I think that
> the
> > replies did not solve your problem. I did not open
> > the
> > links provided, but i read the conclusion which is
> > to
> > deny Via and X-Forwarded-For (XFF). You do not
> need
> > to
> > deny anything. Actually, you need to disable the
> > transmission of Via and XFF. There is a big
> > difference
> > between [denying Via and XFF] and [disabling
> > transmission of Via and XFF]. Denying Via and XFF
> is
> > to deny HTTP requests that comes from a client
> which
> > has a proxy server installed on it (with Via and
> XFF
> > bieng enbaled on that proxy server). You want to
> > prevent internet servers from detecting that your
> > are
> > behind a proxy, therefore you need to disable
> > transmission of Via and XFF.
> >
> > To do that, add the following 2 lines to your
> squid
> > conf file and don't forget to restart the service
> > after you save the file:
> >
> > forwarded_for off
> > via off
> >
> >
> > BUT WAIT, you said that at your server, you did
> not
> > set any proxy and the site you enter is detecting
> > that
> > you are behind a proxy. Actually, this is not
> > related
> > to the squid proxy server installed on your
> server.
> > You get internet from an ISP, and this ISP has a
> > proxy
> > server on it. Right? Sure. The proxy server of
> your
> > ISP will add the Via and XFF. You can't do
> anything
> > about it from your side. You might want to use
> > ANONYMOUS proxy servers that can serve your
> purpose
> > by
> > modifying requests after they are in no more
> > controlled by your ISP. Requests go likes this:
> You
> > --> Your ISP --> Anonymous Proxy server --> Target
> > Site.
> >
> > Regards.
> >
> >
> >
> > --- Adrian Chadd <adrian@creative.net.au> wrote:
> >
> > > On Thu, May 03, 2007, Chris Robertson wrote:
> > > > Facundo Vilarnovo wrote:
> > > > >Hello squid users!
> > > > >   I don't know if there's any post about
> this,
> > > but, maybe not...
> > > > >anyone knows if there's any way for making
> > > transparent the squid for
> > > > >those pages that tells you what its your ip?,
> > for
> > > example, right now I
> > > > >am behind my transparent squid with wccp, and
> > if
> > > I go to any site like
> > > > >http://www.adsl4ever.com/ip/ it tells my ip
> > > address, and also tells me,
> > > > >that I am behind a proxy. Like I say before I
> > > don't have any explicit
> > > > >configuration on my browser that points to
> the
> > > squid.
> > > > >
> > > > >PS: I'd also try another pages like this..
> > > happens the same!
> > > > >
> > > > >
> > > > >Regards
> > > > >Facundo
> > > > >
> > > >
> > > >
> > >
> >
>
http://www.squid-cache.org/mail-archive/squid-users/200604/0013.html
> > > and
> > > > the response at
> > > >
> > >
> >
>
http://www.squid-cache.org/mail-archive/squid-users/200604/0014.html
> > > >
> > > > In short:
> > > >
> > > > header_access Via deny all
> > > > header_access X-Forwarded-For deny all
> > >
> > > And check "TPROXY" and Squid-2.6. Its supported
> in
> > > squid-3, but some features
> > > have yet to be ported.
> > >
> > >
> > >
> > >
> > > Adrian
> > >
> > >
> >
> >
> >
> >
> >
>
____________________________________________________________________________________
> > 8:00? 8:25? 8:40? Find a flick in no time
> > with the Yahoo! Search movie showtime shortcut.
> > http://tools.search.yahoo.com/shortcuts/#news
> >
> >
> >
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam
> protection around
> http://mail.yahoo.com <http://mail.yahoo.com/>
>
>
>

____________________________________________________________________________________
Looking for earth-friendly autos?
Browse Top Cars by "Green Rating" at Yahoo! Autos' Green Center.
http://autos.yahoo.com/green_center/
Received on Tue May 15 2007 - 18:06:03 MDT