RE: [squid-users] Really transparent proxy

From: Facundo Vilarnovo <fvilarnovo@dont-contact.us>
Date: Wed, 16 May 2007 21:02:17 -0300

Colin,
Thanks a lot for your extensive reply. We were hoping that it would be possible to do a "magical" masquerade. I understand that the one that originates the request to the destination web server is the squid, but I was believing that it would do some kind of "magical" spoofing of the source IP address. We've got offers from Bluecoat products; they say that they have a product that can match our requirement. We were hoping that squid has the same ability.
Here we have a neighbor ISP that runs squid proxy servers with the "tproxy" patch, and they could "hide" the squid IP, so when you do a test with any URL the source seems to be the client's IP address. They don't wanna say how they do it.
I still believe in magic, so I will still investigate how we can do it, even if it means recoding the TCP/IP suite.

Regards
Facundo Vilarnovo

-----Original Message-----
From: Colin Campbell [mailto:sgcccdc@citec.qld.gov.au]
Sent: Wednesday, May 16, 2007 08:24 p.m.
To: Facundo Vilarnovo
CC: zulkarnain; squid-users@squid-cache.org
Subject: RE: [squid-users] Really transparent proxy

Hi,

On Wed, 2007-05-16 at 16:54 -0300, Facundo Vilarnovo wrote:
> Zul,
> What variables are you referring to? We tested setting up the proxy IP on IE,
> pointing to port 3128, using http://www.whatsmyipaddress.com; as a result it says it passes the original source IP address (client's IP), but detects a proxy server. Doing it totally "transparent" with WCCP, nothing configured on IE, we get the same results.
> The point is we are still getting the proxy detected. Using variables like Via and XFF, the result of using XFF and Via is that it passes the client IP address or doesn't. It seems to have nothing to do with the problem of the cache being visible or not.
>
> Via off, XFF off = client's source IP is shown, proxy detected.
>
> Via on, XFF on = client's source IP is not shown (shows proxy IP), proxy not detected.

There seems to be a fundamental misunderstanding here of what a proxy
actually is and how it works.

When you configure a browser to use a proxy, the browser connects to the
proxy and tells it what URL to fetch. The proxy then makes a connection
to the server and retrieves the data. The server sees the proxy address
because that's who made the connection. If you have XFF set, there's an
HTTP header added to the request that states the request was forwarded
on behalf of the listed IP. The end server can access this information
but the connection to the server is still from the proxy IP, not the
client IP.

When you use WCCP, the router "grabs" the packets and forwards them to
the proxy. The proxy then extracts the information from the packets and
connects to the end server. The end server therefore only sees a
connection from the proxy.

If you use a proxy, be it explicitly by configuring the browser or
"transparently" using WCCP or any other method (e.g. iptables REDIRECT),
the connection is ALWAYS from the proxy to the server. You can never get
a connection at the server end from the client IP if you use a proxy.

Colin

>
> Tnxs!
> Facundo Vilarnovo
>
> -----Original Message-----
> From: zulkarnain [mailto:sizulku@yahoo.com]
> Sent: Wednesday, May 16, 2007 01:43 a.m.
> To: Facundo Vilarnovo; squid-users@squid-cache.org
> Subject: RE: [squid-users] Really transparent proxy
>
> --- Facundo Vilarnovo <fvilarnovo@ertach.com> wrote:
> > Zul, we already do that... it doesn't change
> > anything :(
> >
> > I don't remember right now how it was but, in option
> > 1, Via off, forward off, it shows that I'm BEHIND a
> > proxy, but shows the client IP address. Option 2:
> > without Via and forward it doesn't, but shows the squid
> > IP address instead of the client's IP. I don't know if
> > you understand me :(
> >
>
> What proxy variables exactly said that you are
> behind a proxy server in your testing?
>
> Zul

-- 
Colin Campbell
Unix Support/Postmaster/Hostmaster
Citec
+61 7 3227 6334
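Colin's point in working code, as an added example that is not part of this thread and not Squid code: a constructed origin server, a minimal explicit proxy and a client, all on loopback. The hostname origin.example, the Via value "demo-proxy" and the port-based comparison are assumptions of the demo. It shows that the TCP peer the origin records is always the proxy's own socket, while Via and X-Forwarded-For are merely headers the proxy can add (Squid's "via on" / "forwarded_for on") or leave out.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed demo (not Squid): origin server, minimal forwarding proxy and
# client all run on 127.0.0.1, so ports rather than addresses tell them apart.
seen = {}  # what the origin observed about the last request it served

class Origin(BaseHTTPRequestHandler):
    def do_GET(self):
        seen["peer"] = self.client_address  # the TCP peer: whoever really connected
        seen["via"] = self.headers.get("Via")
        seen["xff"] = self.headers.get("X-Forwarded-For")
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")
    log_message = lambda self, *args: None  # keep the demo quiet

def proxy_one(listener, origin_port, mark, out):
    """Forward one explicit-proxy request; mark=True adds Via and X-Forwarded-For
    (Squid's 'via on' / 'forwarded_for on'), mark=False sends neither."""
    conn, client = listener.accept()
    req = conn.recv(65536).rstrip(b"\r\n").split(b"\r\n")
    method, url, ver = req[0].split(b" ")
    # Explicit proxies receive an absolute URI; the origin expects only the path.
    req[0] = b" ".join((method, urlsplit(url).path or b"/", ver))
    if mark:
        req += [b"Via: 1.1 demo-proxy", b"X-Forwarded-For: " + client[0].encode()]
    # The proxy opens its OWN connection: that socket is the peer the origin sees.
    up = socket.create_connection(("127.0.0.1", origin_port))
    out["proxy_side"] = up.getsockname()
    up.sendall(b"\r\n".join(req) + b"\r\n\r\n")
    conn.sendall(up.makefile("rb").read())  # origin is HTTP/1.0: read to EOF
    up.close(); conn.close()

def fetch_through_proxy(mark=True):
    """Run one request client -> proxy -> origin and report what each side saw."""
    origin = HTTPServer(("127.0.0.1", 0), Origin)
    listener, out = socket.create_server(("127.0.0.1", 0)), {}
    threads = [threading.Thread(target=origin.handle_request),
               threading.Thread(target=proxy_one, args=(listener, origin.server_port, mark, out))]
    for t in threads: t.start()
    client = socket.create_connection(listener.getsockname())
    out["client_side"] = client.getsockname()
    client.sendall(b"GET http://origin.example/ HTTP/1.1\r\nHost: origin.example\r\n\r\n")
    client.makefile("rb").read()  # proxy closes the client side after relaying
    for t in threads: t.join()
    origin.server_close(); listener.close(); client.close()
    return {"origin_saw": dict(seen), **out}
```

With mark=True the origin sees Via and the client's address in X-Forwarded-For, yet its recorded peer equals the proxy's socket and differs from the client's; with mark=False both headers vanish and the peer is unchanged.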
Received on Wed May 16 2007 - 18:02:17 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:05 MDT