Hongsheng Zhu <[EMAIL PROTECTED]> wrote:
>
> ipfwadm -I -a accept -P tcp -r 3128 192.168.0.31/32 -D any/0 www
> 
> I think this will allow all packet from 192.168.0.31 to port 80 of
> destination site being redirected to the port 3128 of my linux.

That is correct.

> Then I started my favorite proxy server 'squid' on my linux, after
> that I tried to browse on 192.168.0.31 for a website

That won't work.

Somehow I just knew that HTTP proxying would come up as a result of
this.  I guess I should take some time to explain it.  Proxying of HTTP
requests uses a different strategy.

In normal HTTP, the URL is split up into separate units.  For instance,
this URL:

    http://www.dallas.net/~fox/

When this URL is retrieved by the browser, it is split into two parts:

    http://www.dallas.net       (where to connect)
    /~fox/                      (the item to be retrieved)

The first part is used by the browser to determine what machine to
connect to, and what protocol to use.  Your browser will look up the IP
address of "www.dallas.net", and then connect on the HTTP port, and send
an HTTP request, something like this:

    GET /~fox/ HTTP/1.0

Now, notice this, the URL has the host part removed!  The destination
server isn't told what the full URL is; it's only told the item that is
desired from that server.  This is standard HTTP, so this is to be
expected.

Now, when you attempt to do transparent proxies of HTTP, it won't work,
but only because of the HTTP protocol itself.  When you perform the
transparent forwarding, all traffic is directed to the masq box's local
socket, as is desired, but the browser only sends the latter part of the
URL to connect to, so the proxy server has no idea where to forward the
request!  Thus the errors you get.

Now, when a browser is told to use a proxy server, it does not send the
same HTTP request, but one like this:

    GET http://www.dallas.net/~fox/ HTTP/1.0

So you see, the proxy server is given the full URL, so it knows where to
connect and send the forwarded request.  But, this requires that the
browser know that the request is going to be forwarded, so that it can
send the right request format.  If the browser thinks it is connecting
directly, it will not send the full URL, so a Squid proxy will fail.

Thus, transparent proxying does not work with a standard proxy server
such as Squid.  Now, Squid could possibly be modified so that it does a
getsockname() call to find out where the browser was trying to connect,
and connect and forward the request there, but as far as I know, it has
no such capability.

I'm not even sure why you want to use transparent proxies in this
manner, really.  Why not just tell the browser to use an HTTP proxy and
be done with it?

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)      || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/      ||                       -- Charlie Brown
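An added illustration of the two request formats discussed above (this is not code from the original message or from Squid): it parses a request line, reports whether the target carries a host, and shows the fallback the reply sketches, where a transparent proxy recovers the client's original destination from the redirected socket (via getsockname()) when the request line has none. The function names and the sample addresses are assumptions made for the example.

```python
from urllib.parse import urlsplit


def parse_request_line(line):
    """Split an HTTP/1.0 request line into its method, target and version.

    A proxy-style target ("http://host/path") yields the host and port; an
    origin-form target ("/path"), as sent to an origin server, yields no host.
    """
    method, target, version = line.strip().split(" ", 2)
    if target.startswith("/"):
        # Origin-form: the host part was stripped by the browser.
        return {"method": method, "path": target, "host": None,
                "port": None, "version": version}
    parts = urlsplit(target)
    return {"method": method, "path": parts.path or "/",
            "host": parts.hostname, "port": parts.port or 80,
            "version": version}


def upstream_for(request_line, original_dst=None):
    """Decide where a proxy should forward the request.

    original_dst is the (ip, port) pair the client actually tried to reach,
    which a transparent proxy could obtain with getsockname() on the
    redirected socket (hypothetical fallback, as suggested in the reply).
    Returns ((host, port), path), or raises when the destination is unknown.
    """
    req = parse_request_line(request_line)
    if req["host"] is not None:
        # Browser knew it was talking to a proxy and sent the full URL.
        return (req["host"], req["port"]), req["path"]
    if original_dst is None:
        # Exactly the failure described above: no host, nowhere to forward.
        raise ValueError("origin-form request without host: upstream unknown")
    return original_dst, req["path"]


if __name__ == "__main__":
    # Constructed sample request lines matching the ones in the message.
    print(upstream_for("GET http://www.dallas.net/~fox/ HTTP/1.0"))
    print(upstream_for("GET /~fox/ HTTP/1.0", ("192.0.2.10", 80)))
```

Later HTTP/1.1 clients also send a Host header, which gives a transparent proxy a second way to recover the destination; that is beyond what the message covers.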