LinuxQuestions.org
Old 09-14-2009, 07:48 AM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Rep: Reputation: 30
Transparent proxy


I have a proxy server available for public access. I recently received a question about it saying:
...your proxy on port xxxx is transparent and therefore useless.

I thought transparent proxies were mainly used inside office networks, where browsers didn't have to know anything about the network settings. With this proxy, the browser has to be set up specifically to access it on 80 or 8080, and it doesn't pass on the IP address of the user.
 
Old 09-14-2009, 08:45 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
Well, you've mentioned numerous times that it's transparent, and I've said numerous times that it's generally a bad idea to do it transparently... where did this question come from? What is this proxy actually doing? It may relate to the fact that you can't transparently proxy SSL connections.
 
Old 09-14-2009, 08:49 AM   #3
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by acid_kewpie View Post
Well, you've mentioned numerous times that it's transparent, and I've said numerous times that it's generally a bad idea to do it transparently... where did this question come from? What is this proxy actually doing? It may relate to the fact that you can't transparently proxy SSL connections.
But it's NOT transparent; users have to enter the proxy details in their browser.
All the proxy does is accept requests and then pass them on with the proxy's IP.
The question was from a random user; maybe they just think that because it's using port 8080, it's transparent. If it was transparent it would pass on the user's IP, which it doesn't.
Am I misunderstanding something about transparent proxies here?

Last edited by qwertyjjj; 09-14-2009 at 09:35 AM.
 
Old 09-14-2009, 10:33 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
A transparent proxy wouldn't pass on an IP; any normal implementation would still give the IP of the box. Does the config not specify transparent at all then? There are some online proxy testing tools which might show up some things of interest.
 
Old 09-14-2009, 10:40 AM   #5
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by acid_kewpie View Post
A transparent proxy wouldn't pass on an IP; any normal implementation would still give the IP of the box. Does the config not specify transparent at all then? There are some online proxy testing tools which might show up some things of interest.
I don't have any transparent settings in the squid.conf.
If I connect to the proxy and then go to what is my IP, it gives me the IP of the proxy.
Maybe the person sending the query got confused as it was a connection to port 8080?

The proxy isn't on the same LAN as anyone requesting pages from it so it can't be transparent...or can it?
 
Old 09-20-2009, 03:57 PM   #6
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
So, it's not transparent?
 
Old 09-23-2009, 05:22 PM   #7
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
I just went to:
http://www.hideyouripaddress.net/what_is_my_ip/

and it showed the server IP address but then below that it showed my real IP:
YOUR Proxy
Proxy Type: Transparent, Real IP: 86.xxx.xxx.xx

How is this possible?
 
Old 09-23-2009, 05:26 PM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
You may be adding in headers like X-Forwarded-For. On the server, capture the outbound HTTP requests and show the headers to us. You can do this plenty of ways; I'd probably run tcpdump on the remote server with the -X option to dump the raw data.
 
Old 09-23-2009, 05:27 PM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
http://www.comfsm.fm/computing/squid/FAQ-4.html#ss4.17
 
Old 09-23-2009, 06:23 PM   #10
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Thanks for the link although it's slightly older, I am on v2.6 though squid is now up to 3. However, the example is similar in principle.
I found this in the config:

Code:
#  TAG: header_access
#       Usage: header_access header_name allow|deny [!]aclname ...
#
#       WARNING: Doing this VIOLATES the HTTP standard.  Enabling
#       this feature could make you liable for problems which it
#       causes.
#
#       This option replaces the old 'anonymize_headers' and the
#       older 'http_anonymizer' option with something that is much
#       more configurable. This new method creates a list of ACLs
#       for each header, allowing you very fine-tuned header
#       mangling.
#
#       You can only specify known headers for the header name.
#       Other headers are reclassified as 'Other'. You can also
#       refer to all the headers with 'All'.
#
#       For example, to achieve the same behavior as the old
#       'http_anonymizer standard' option, you should use:
#
#               header_access From deny all
#               header_access Referer deny all
#               header_access Server deny all
#               header_access User-Agent deny all
#               header_access WWW-Authenticate deny all
#               header_access Link deny all
#
#       Or, to reproduce the old 'http_anonymizer paranoid' feature
#       you should use:
 header_access Allow allow all
#               header_access Authorization allow all
#               header_access WWW-Authenticate allow all
#               header_access Proxy-Authorization allow all
#               header_access Proxy-Authenticate allow all
#               header_access Cache-Control allow all
#               header_access Content-Encoding allow all
#               header_access Content-Length allow all
#               header_access Content-Type allow all
#               header_access Date allow all
#               header_access Expires allow all
#               header_access Host allow all
#               header_access If-Modified-Since allow all
#               header_access Last-Modified allow all
#               header_access Location allow all
#               header_access Pragma allow all
#               header_access Accept allow all
#               header_access Accept-Charset allow all
#               header_access Accept-Encoding allow all
#               header_access Accept-Language allow all
#               header_access Content-Language allow all
#               header_access Mime-Version allow all
#               header_access Retry-After allow all
#               header_access Title allow all
#               header_access Connection allow all
#               header_access Proxy-Connection allow all
#               header_access All deny all
#
#       By default, all headers are allowed (no anonymizing is
#       performed).
#
#Default:
# none
I'm not really sure which one to pick.


...and this is my forwarded for
Code:
#  TAG: forwarded_for   on|off
#       If set, Squid will include your system's IP address or name
#       in the HTTP requests it forwards.  By default it looks like
#       this:
#
#               X-Forwarded-For: 192.1.2.3
#
#       If you disable this, it will appear as
#
#               X-Forwarded-For: unknown
#
#Default:
# forwarded_for on

Last edited by qwertyjjj; 09-23-2009 at 06:25 PM.
 
Old 09-23-2009, 06:30 PM   #11
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
I just added this to the conf and restarted but that website still picks up my personal PC's IP.

Code:
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all
 
Old 09-23-2009, 06:39 PM   #12
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Is it possible that adding the header access tags could slow down the squid server?
Is it necessary for the header access tags to be omitted for complete privacy?
Worried about this part:
# WARNING: Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which it
# causes.
#


I have changed this: # forwarded_for on
to
forwarded_for off
and that seems to stop the IP from being passed through.

Last edited by qwertyjjj; 09-23-2009 at 06:48 PM.
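
Added example (not part of the original thread, and not code from Squid or from the IP-check site): a small Python check that reads a request as the origin server receives it and reports whether `X-Forwarded-For` exposes a client address, which is what changes when `forwarded_for` goes from `on` to `off`. The sample requests, host names and addresses are constructed, and the "transparent" / "anonymous" labels are an assumption about how such test pages name the cases.

```python
import ipaddress

# Constructed sample requests, as an origin server would receive them from the proxy.
REQ_FORWARDED_ON = (
    "GET /what_is_my_ip/ HTTP/1.0\r\n"
    "Host: www.example.test\r\n"
    "Via: 1.1 proxy.example.test:8080 (squid/2.6)\r\n"
    "X-Forwarded-For: 198.51.100.23\r\n"
    "\r\n"
)
# With forwarded_for off, the header value becomes "unknown" (per the squid.conf text above).
REQ_FORWARDED_OFF = REQ_FORWARDED_ON.replace("198.51.100.23", "unknown")
REQ_DIRECT = "GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

def parse_headers(raw):
    """Return {lowercased-name: [values]} for the header block of a raw request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def leaked_addresses(headers):
    """IP addresses listed in X-Forwarded-For; 'unknown' and junk are skipped."""
    found = []
    for value in headers.get("x-forwarded-for", []):
        for token in value.split(","):
            try:
                found.append(str(ipaddress.ip_address(token.strip())))
            except ValueError:
                pass
    return found

def classify(raw):
    """Label a request the way an IP-check page might (labels are assumptions)."""
    headers = parse_headers(raw)
    leaked = leaked_addresses(headers)
    if leaked:
        return "transparent", leaked         # client address is visible to the site
    if "via" in headers or "x-forwarded-for" in headers:
        return "anonymous", []               # proxy is detectable, client address is not
    return "no proxy headers", []

if __name__ == "__main__":
    for req in (REQ_FORWARDED_ON, REQ_FORWARDED_OFF, REQ_DIRECT):
        print(classify(req))
```

The same function can be fed the header text pulled out of a tcpdump capture of the proxy's outbound requests to confirm a config change took effect.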
 
Old 09-24-2009, 03:20 AM   #13
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
In theory it can, but for the loads I expect you'd give it, no.

For complete privacy you might want to use something like privoxy instead of squid.
 
Old 09-24-2009, 06:22 PM   #14
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Now Facebook and I presume a lot of other sites present a warning on their landing page saying they can't recognise the browser and therefore it isn't compatible.
I suppose this is the privacy settings?

Would any of these pass over confidential details:
header_access From deny all
header_access Referer deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all

None of them pass the IP, so do they really need to be on?
 
  

