Stephen Shirley diamond+ubuntu-devel at nonado.net
Sun Oct 30 17:37:06 CST 2005


Trent Lloyd wrote:
> On Tue, Oct 25, 2005 at 12:01:49PM +0100, Stephen Shirley wrote:
>>Aye, I considered that approach, but it has problems. Applications that 
>>use ftp can't be transparently proxied.
> 
> A quick apt-cache search turns up 'frox' which has transparent proxy
> support, I haven't tried it, but it may be worth a look.

Interesting app. Had a bit of a job trying to figure out exactly what it 
did, the docs are very vague. The big issue with this is that it will 
only work in the following cases:
1) Direct net connection
2) Http proxy to internet that allows ftp proxying.

I.e. it'll fail if neither of the above is satisfied.

>>Also, that approach fails in the
>>case where there are no proxies around, and direct net connection is
>>available.
> 
> It hardly fails in that case, in that case you drop it out of iptables,
> same as you'd deconfigure a proxy.

Sorry, my bad. I was thinking in the general sense. I.e. if you 
configure an app to use a socks proxy, when there is no socks proxy 
available, even if there is a direct net connection, the setup fails. 
Same goes for ftp or http proxy. Therefore either make sure there's 
always a proxy available (even if it's just faking it, some or all of 
the time) and all clients are configured to use it, or set all clients 
to use no proxy and do transparent proxying. The latter involves some 
tricky application level jiggery pokery (e.g. how do you make a normal 
ssh connection go through a socks proxy? how do you make an ftp client 
go through a http proxy (and therefore have to rephrase the request) 
etc). The former is what I'm proposing. The proxy can then be the part 
to re-configure on the fly, as that's what it's written to do. Ah. There 
is a third option, of course: re-write all applications to use some 
clever proxying library that does all of this. In the long run, it would 
be an excellent solution. In the short-to-medium term however I don't 
think it's feasible.

Steve


