Transparent proxy
I have a proxy server available for public access. I recently received a question about it saying:
...your proxy on port xxxx is transparent and therefore useless. I thought transparent proxies were only used inside office networks mainly where browsers didn't have to know anything about the network settings. With this proxy, the browser has to be set up specifically to access it on 80 or 8080 and it doesn't pass on the IP address of the user.
well you've mentioned numerous times that it's transparent, and I've said numerous times that it's generally a bad idea to do it transparently... where did this question come from? What is this proxy actually doing? It may relate to the fact that you can't transparently proxy ssl connections.
Quote:
All the proxy does is accept requests and then passes them on with the proxy's IP. The question was from a random user, maybe they just think that because it's using port 8080, it's transparent. If it was transparent it would pass on the user's IP, which it doesn't. Am I misunderstanding something about transparent proxies here?
a transparent proxy wouldn't pass on an IP, any normal implementation would still give the IP of the box. Does the config not specify transparent at all then? There are some online proxy testing tools which might show up some things of interest.
Quote:
If I connect to the proxy and then go to what is my IP, it gives me the IP of the proxy. Maybe the person sending the query got confused as it was a connection to port 8080? The proxy isn't on the same LAN as anyone requesting pages from it so it can't be transparent...or can it?
So, it's not transparent?
I just went to:
http://www.hideyouripaddress.net/what_is_my_ip/ and it showed the server IP address but then below that it showed my real IP:
YOUR Proxy Proxy Type: Transparent, Real IP: 86.xxx.xxx.xx
How is this possible?
you may be adding in headers like X-Forwarded-For. on the server, capture the outbound HTTP requests and show the headers to us. You can do this plenty of ways, I'd probably run tcpdump on the remote server with the -X option to dump the raw data.
Thanks for the link although it's slightly older, I am on v2.6 though squid is now up to 3. However, the example is similar in principle.
I found this in the config:
Code:
# TAG: header_access
...and this is my forwarded for
Code:
I just added this to the conf and restarted but that website still picks up my personal PC's IP.
Code:
header_access From deny all
Is it possible that adding the header access tags could slow down the squid server?
Is it necessary for the header access tags to be omitted for complete privacy? Worried about this part:
# WARNING: Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which it
# causes.
#
I have changed this:
# forwarded_for on
to
forwarded_for off
and that seems to stop the IP from being passed through.
in theory it can, but for the loads I expect you'd give it, no.
For complete privacy you might want to use something like privoxy instead of squid.
Now Facebook and I presume a lot of other sites present a warning on their landing page saying they can't recognise the browser and therefore it isn't compatible.
I suppose this is the privacy settings? Would any of these pass over confidential details:
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all
none of them pass the IP so do they really need to be on?
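The header check discussed in this thread, as an added example that is not part of any poster's message: it parses a request as captured leaving the proxy and reports which headers disclose the client's address and which only announce the proxy. The sample requests, the documentation-range IPs and the verdict labels other than "transparent" are constructed for illustration; `X-Forwarded-For: unknown` is what Squid documents for `forwarded_for off`.

```python
import re

# Headers whose mere presence tells the origin server a proxy handled the request.
PROXY_MARKERS = ("via", "x-forwarded-for", "forwarded")
# Whole dotted quads only, so 203.0.113.4 does not match inside 203.0.113.45.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x request into {lowercased name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: bytes, client_ip: str) -> dict:
    """Report which headers disclose client_ip and which only announce the proxy."""
    headers = parse_headers(raw)
    leaking = sorted(n for n, v in headers.items() if client_ip in IPV4.findall(v))
    markers = sorted(n for n in PROXY_MARKERS if n in headers)
    if leaking:
        verdict = "transparent"       # origin server learns the real client address
    elif markers:
        verdict = "proxy-announced"   # proxy is visible, client address is not
    else:
        verdict = "no-proxy-headers"
    return {"verdict": verdict, "leaking": leaking, "markers": markers}


# Constructed samples: the request as it leaves the proxy (not captured traffic).
CLIENT_IP = "203.0.113.45"
BASE = (b"GET / HTTP/1.0\r\nHost: www.example.com\r\n"
        b"User-Agent: Mozilla/5.0 (X11; Linux i686) Firefox/3.0\r\n"
        b"Via: 1.0 proxy.example.net:8080 (squid)\r\n")
FORWARDED_FOR_ON = BASE + b"X-Forwarded-For: 203.0.113.45\r\n\r\n"
FORWARDED_FOR_OFF = BASE + b"X-Forwarded-For: unknown\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("on", FORWARDED_FOR_ON), ("off", FORWARDED_FOR_OFF)):
        print("forwarded_for", label, audit(req, CLIENT_IP))
```

In both samples the `Via` header still announces the proxy; only the `X-Forwarded-For` value decides whether the client address reaches the origin server.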