Proxomitron transparent proxy server
Oct. 10, 2009, 02:40 PM (This post was last modified: Oct. 10, 2009 02:44 PM by wolfgang.)
Post: #1
Hi,

I am new to Proxomitron and am looking for a solution to implement the Proxomitron proxy on a standalone server, but now the but: I would need Proxomitron to act as a transparent proxy. I want to use a webserver test software via the Proxomitron proxy so that Proxomitron would add an authentication header to each request of the test software. As the test software does not have the option to configure a proxy server, I would configure the gateway address of the test-server to the IP address of the Proxomitron server... but for this to work, Proxomitron would need to act as a transparent proxy. Any idea if this can be somehow configured, or if we could add some other SW to achieve this? A portforwarder is not good enough, because the transparent mode would still need to be configured in Proxomitron. One more thing, my test-server is a Linux virtual machine, so I cannot use a proxifier to do the job.

Any help appreciated, Wolfgang
Oct. 10, 2009, 10:07 PM
Post: #2
RE: Proxomitron transparent proxy server
If you mean 'transparent' in the sense that the requesting software isn't aware of the proxy (may not be correct usage of the term), iptables might work for you since you are using Linux. Iptables can redirect the requests. Something like this:

Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

See the iptables man pages:

Quote:
REDIRECT

This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address). It takes one option:
--to-ports port[-port]
This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.

or documentation on setting up squid 'transparently' with squid being the 'proxy' for Proxomitron (pun intended). The examples won't be exact, but the principles should mostly be the same.

Sorry if I have misunderstood your request.
Oct. 11, 2009, 07:43 AM (This post was last modified: Oct. 11, 2009 07:47 AM by wolfgang.)
Post: #3
RE: Proxomitron transparent proxy server
Thanks, exactly, I need a setup where my test setup is not aware of a proxy config. iptables only allows redirecting the port (port 80 and, if needed, 443 to the proxy port), but then you still have to redirect to a transparent proxy (squid configured as transparent) and configure squid to be a transparent proxy. If I do this, I would need to make a proxy chain: go to squid configured as a transparent proxy with iptables or another portforwarder, and then chain squid to Proxomitron as the next proxy to add the HTTP headers (this is what I need). This would be my backup plan, but it is not a very good solution because you have to proxy via squid and then Proxomitron (complicated and additional delay).
The ideal case would be to use iptables or a portforwarder to forward my ports to Proxomitron and then configure Proxomitron itself in some way to act as a transparent proxy... not sure if this is possible... that's my real question. (For example, to make squid 'transparent' you have to add in the config: http_port 8080 transparent; I would need something similar for Proxomitron.)

Thanks, Wolfgang
Oct. 11, 2009, 07:01 PM (This post was last modified: Oct. 11, 2009 07:20 PM by Graycode.)
Post: #4
RE: Proxomitron transparent proxy server
Supporting transparent proxy mode requires being able to support two types of request formats. When used as a normal proxy, the scheme and host portion are prefixed to the page request. Otherwise the scheme is not specified and the host header value is not duplicated by browsers.

Some other minor differences exist in headers. An example is that a browser might send "Proxy-Connection:" to a proxy, but send "Connection:" to a direct server. Those headers are for hop-by-hop interpretation, and a transparent proxy is not known to be a hop in the chain.

A normal proxy request looks like:
Code:
GET http://www.example.com/index.html HTTP/1.1
Host: www.example.com
Proxy-Connection: Keep-Alive

A transparent request would look like:
Code:
GET /index.html HTTP/1.1
Host: www.example.com
Connection: Keep-Alive

In order to determine if Proxo can act as an HTTP transparent proxy:
- Telnet into your Proxo TCP port.
- Send it the transparent format, add an empty line after the headers.

If you get back HTML from the example.com server then Proxo can probably be a stand-alone transparent HTTP proxy. If you don't then it will need to be chained to by something else that can provide the proxied formatting.


Processing of HTTPS is a major difference. For a proxied request the browser will send:
Code:
CONNECT www.example.com:443 HTTP/1.1
Host: www.example.com

A proxy would connect to that host:port, respond with a "200 OK", and then enter an encryption tunnel between the browser and that server. The CONNECT step exists only when the browser knows it's going through a proxy.

A transparent proxy may not know what to do with the garbage-looking communication. The browser has assumed it's directly connected to the intended port of the host server, yet a transparent proxy might not be able to decipher what was intended.

Proxo has options to be man-in-the-middle for SSL, but I think that's only applicable when given the CONNECT command. It may not work in a transparent fashion without a browser using CONNECT. Maybe Squid will create one and send that in transparent mode (I have no clue, but it seems unlikely).

Good luck, I'll be interested in what you come up with.
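The two request formats from post #4, as an added example that is not part of the thread and not Proxomitron or Squid code: a Python function doing the rewrite an intercepting front end has to perform before it can hand a request to a proxy that only understands the proxied format. The names `to_proxy_form` and `NotRewritable` are hypothetical; the function handles the request head only and assumes the destination is taken from the client-supplied Host header.

```python
class NotRewritable(ValueError):
    """The request head cannot be converted to proxy (absolute-form) format."""

def to_proxy_form(head: bytes, scheme: str = "http") -> bytes:
    """Rewrite an intercepted origin-form request head into absolute-form."""
    lines = head.decode("iso-8859-1").split("\r\n")
    while lines and lines[-1] == "":          # drop the terminating blank line
        lines.pop()
    parts = lines[0].split(" ") if lines else []
    if len(parts) != 3:
        raise NotRewritable("malformed request line")
    method, target, version = parts
    if not target.startswith("/"):
        # CONNECT or an absolute URL means the client already knows it is proxied.
        if method == "CONNECT" or target.lower().startswith(("http://", "https://")):
            return head
        raise NotRewritable("unexpected request target")
    host, headers = None, []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise NotRewritable("malformed header line")
        key = name.strip().lower()
        if key == "host":
            if host is not None:
                raise NotRewritable("duplicate Host header")
            host = value.strip()
        elif key == "connection":
            # Mirrors the two samples in the post: hop-by-hop header renamed.
            line = "Proxy-Connection:" + value
        headers.append(line)
    # Host is client-supplied: refuse values that would reshape the URL.
    if not host or any(c in host for c in " \t/@"):
        raise NotRewritable("missing or unusable Host header")
    request_line = f"{method} {scheme}://{host}{target} {version}"
    return ("\r\n".join([request_line] + headers) + "\r\n\r\n").encode("iso-8859-1")

# Constructed sample: the transparent request shown in the post.
INTERCEPTED = (b"GET /index.html HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"Connection: Keep-Alive\r\n\r\n")

if __name__ == "__main__":
    print(to_proxy_form(INTERCEPTED).decode("iso-8859-1"))
```

A request with no Host header is rejected rather than guessed at, because after a REDIRECT the request text is the only place this function can learn the intended destination.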
Oct. 11, 2009, 09:28 PM
Post: #5
RE: Proxomitron transparent proxy server
Privoxy can likely handle your limited filtering requirements and has the ability to function in 'transparent' mode (or actually 'interception' mode*):

Code:
accept-intercepted-requests 1

From the privoxy manual:

Quote:
Specifies: Whether intercepted requests should be treated as valid.

Type of value: 0 or 1

Default value: 0

Effect if unset: Only proxy requests are accepted, intercepted requests are treated as invalid.

Notes:

If you don't trust your clients and want to force them to use Privoxy, enable this option and configure your packet filter to redirect outgoing HTTP connections into Privoxy.

Make sure that Privoxy's own requests aren't redirected as well. Additionally take care that Privoxy can't intentionally connect to itself, otherwise you could run into redirection loops if Privoxy's listening port is reachable by the outside or an attacker has access to the pages you visit.

Examples: accept-intercepted-requests 1

I have used privoxy on Linux and Windows machines, and I never liked it (I run Proxo in Wine on Linux). Among my dislikes: I don't care for Privoxy's interface for one and it is extremely slow compared to Proxo even with a minimal set of filters running. However, in your very specific case, I might make an exception to get the job done.

I hate to exclude Proxo from your solution, but I don't see how it can be done (without chaining to an additional piece of software) unless there is some super secret code built-in that allows the functionality you seek.

By the way, I'm not sure if you'd really notice a slow-down chaining Proxo with iptables + Squid (even ignoring Squid's caching ability which, it appears, you would not be using). But perhaps a 'stripped' down Proxo-chain alternative might be to use 'transproxy' as the intercepting proxy. It has no other purpose but to intercept HTTP traffic. Whether this actually results in efficiencies over Squid, I don't know, but it seems simple to configure based on limited research, so it might be worth a try.

http://transproxy.sourceforge.net/
Oct. 12, 2009, 07:27 AM
Post: #6
RE: Proxomitron transparent proxy server
Thanks for all the info. Will report back when I get one of the solutions to work.

Thanks, Wolfgang