Transparent proxy failing

Nils Kassube kassube at gmx.net
Sat Mar 24 13:12:12 UTC 2007


On Friday 23 March 2007 19:49, Bart Silverstrim wrote:
> I have two systems currently set up.
> A is running squid.
> B is running privoxy.
>
> Currently the machines in my network are set up to go through machine
> A as a transparent proxy; the DHCP server hands out the address of
> machine A as the gateway on the network, and A takes requests to port
> 80 and forwards them to port 3180 where squid evaluates the URL for
> whether it should be blocked (SquidGuard) or retrieved then sent back
> to the client.
>
> The squid machine, A, doesn't handle HTTPS blocking.  Just doesn't
> see the requests, period.
>
> So I set up B.  Privoxy can see and block requests to https sites.
>
> I set up B to take a request and forward it to A for "proper"
> filtering while B filters ads, https sites, etc.
>
> Now the map goes:
> client -> privoxy (B) -> gateway filter (A) -> internet
>
> Privoxy (B) has ip_forward set to one.  Privoxy is also running on
> port 80.
>
> If I set the client's gateway address to B's address and then bring
> up a website, it goes right to the website, no filtering.  If I tell
> IE on the client to specifically use the proxy setting of B's ip
> address and port 80 as a proxy, the filtering works, logged and all.
> Obviously, this makes the filtering not very transparent.
>
> Any idea why I can't just use B's address as a gateway and have the
> web traffic seen by the proxy (Privoxy)?

In your setup of machine A, HTTPS is not filtered because, according to 
what you write, it only intercepts packets with destination port 80, 
which happens to be the standard port for HTTP. If you want to handle 
HTTPS you will have to set up a transparent proxy for port 443 which is 
the standard port for HTTPS. However, there may be a problem because the 
communication between the client and the external server is encrypted. 
Therefore your proxy can't know the requested URL, which is needed for 
your filter to work.

There seems to be another problem with your transparent proxy though. It 
can ONLY see traffic on the standard port for HTTP. Now what happens if 
the communication doesn't use the standard port 80 but say 8000? Then 
your squid proxy can't filter the URL either because it doesn't see the 
traffic. Maybe there are even other protocols you want to filter (e.g. 
FTP)?

However, if you use a non-transparent proxy, the client establishes a link 
to the proxy and requests the URL from the proxy. Now the proxy knows the 
URL to fetch and it can apply the necessary filters. But the content of 
HTTPS requests is still encrypted between client and external server, 
i.e. the proxy can't see the content of the communication. Anyway, the 
client program knows it has to use the proxy for HTTP and HTTPS. 
Therefore it will send all requests to the proxy, not only for the 
standard ports, but also for non-standard ports.

What you need is probably a configuration where there is a non-transparent 
proxy for HTTP and HTTPS (and maybe FTP) on machine A using squid. It may 
be configured on port 80 or any other port - the port number is not 
important but has to be known for the client configuration. Then you can 
keep machine A as gateway. To enforce the use of the proxy, all traffic 
on ports 80 and 443 (except from your proxy) could be blocked using 
iptables.

Finally about machine B as the gateway address: The gateway address is the 
address where all traffic is sent to from the client machine (except for 
hosts on your LAN). The client machine doesn't establish a link to the 
gateway machine but to the external server. Your proxy on port 80 of 
machine B will never see the traffic because it is forwarded to the 
external server (ip_forward is on). Your proxy can only see (and filter) 
the traffic if the client machine establishes a link to machine B on 
port 80.


Nils
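The following is an added example, not part of Nils's reply or of anything posted in the original thread. It puts the two roles of machine A discussed above into iptables rules: the transparent port-80 redirect that Bart's message describes (and which, as the reply points out, cannot do anything useful for port 443), and the enforcement the reply suggests for the non-transparent setup, where direct HTTP/HTTPS from the LAN is refused at the gateway so clients cannot bypass squid. The interface name, client subnet and the use of REJECT with a TCP reset are assumptions; the squid port 3180 is the value from Bart's message. Squid itself must be configured for interception mode for the redirect rule to be of any use.

```shell
#!/bin/sh
# Added example (not from the original thread): iptables rules for machine A
# in the two roles discussed in the reply. Assumed values are marked; adjust them.
set -eu

IPT="${IPT:-iptables}"                # set IPT="echo iptables" to print instead of apply
LAN_IF="${LAN_IF:-eth1}"              # assumed: interface facing the client LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: client subnet
SQUID_PORT="${SQUID_PORT:-3180}"      # squid listener, value taken from Bart's message

# Role 1: transparent interception, as machine A is described doing today.
# Port-80 connections from the LAN are rewritten to the local squid port.
# Port 443 is deliberately absent: the TLS payload hides the requested URL,
# so redirecting it to a URL filter achieves nothing.
transparent_rules() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# Role 2: the non-transparent configuration the reply recommends. Clients are
# configured to use squid on SQUID_PORT; forwarded HTTP/HTTPS from the LAN is
# refused so the proxy cannot be bypassed. Squid's own outbound connections
# originate on A (OUTPUT chain) and are therefore unaffected by FORWARD rules.
enforce_proxy_rules() {
    # clients must be able to reach squid on this host
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # refuse direct web access through the gateway; a TCP reset gives the
    # browser an immediate error instead of a hanging connection (assumed choice)
    for port in 80 443; do
        $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$port" \
            -j REJECT --reject-with tcp-reset
    done
}

# Print the rules a role would apply without touching the firewall.
# Runs the role in a subshell so the IPT override does not leak out.
show_rules() {
    ( IPT="echo iptables"; "$1" )
}

# Usage:  sh proxy-rules.sh show               print both rule sets
#         sh proxy-rules.sh apply              enforce the non-transparent proxy (as root)
#         sh proxy-rules.sh apply-transparent  install the port-80 redirect (as root)
case "${1:-}" in
    show)              show_rules transparent_rules; show_rules enforce_proxy_rules ;;
    apply)             enforce_proxy_rules ;;
    apply-transparent) transparent_rules ;;
esac
```

Run with `show` first and compare the printed rules against the addresses and interfaces on the gateway before applying; the REJECT rules are the part that closes the bypass the reply is concerned about, and the ACCEPT rule is what keeps the clients' configured proxy reachable once that door is shut.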