On 2015/11/17 22:56, Landry Breuil wrote:
> Hi,
>
> was trying tinyproxy, only to be greeted by 501 codes (not implemented)
> - turns out by default the transparent mode is not compile-time enabled,
> and I realized this thanks to
> https://sanskritfritz.wordpress.com/2010/12/10/whitelist-filter-with-transparent-tinyproxy-and-firehol/
>
> Is that on purpose? Any objections to enable it? Or as a flavor?
>
> Landry
tinyproxy uses Host: headers for this (it does also support getsockname, but only falls back to this if the Host: header is not present). This is vulnerable to the scenario described in https://www.kb.cert.org/vuls/id/435052

It ought to send the request to the original dest IP, ignoring the Host header for that, and just copying the Host: header across instead as part of the TCP connection.

These days I'd probably choose relayd for most things that tinyproxy can do. Quick example of transparent proxy with some filtering at http://www.nmedia.net/chris/url.blacklist.txt, though I think it may need updating for relayd from >=5.6. As mentioned in that file, relayd does socket splicing so should have lower overheads than tinyproxy.
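The two upstream-selection policies contrasted in the reply above, as an added example that is not part of the thread and is not tinyproxy or relayd code. It shows the Host:-header-first choice (the behaviour the reply describes, and the flaw in VU#435052) beside the choice of the pre-redirect destination, plus the request-head rewriting that copies Host: across unchanged. The addresses, the forged request and the function names are constructed for illustration; the statement that getsockname() on a pf rdr-to redirected connection returns the original destination (Linux uses SO_ORIGINAL_DST instead) is standard behaviour, not something taken from the page.

```python
"""Upstream selection for a transparent HTTP proxy (added example, not
tinyproxy/relayd code).  Addresses are constructed from RFC 5737 / RFC 1918."""
import socket
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]


def parse_request_head(raw: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Split an HTTP/1.x request head into (request-line, lower-cased headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0], headers


def host_header_target(headers: Dict[str, str], default_port: int = 80) -> Optional[Addr]:
    """(host, port) named by Host:, or None if absent.  Bracketed IPv6 literals
    are not handled; the policy, not the parsing, is the point here."""
    host = headers.get("host")
    if not host:
        return None
    name, sep, port = host.rpartition(":")
    return (name, int(port)) if sep and port.isdigit() else (host, default_port)


def choose_upstream(original_dst: Addr, headers: Dict[str, str],
                    trust_host_header: bool) -> Addr:
    """Where the proxy opens its upstream connection.

    trust_host_header=True: Host: wins and the original destination is only a
    fallback, so a client whose traffic was redirected into the proxy can name
    any host the proxy itself can reach (e.g. one behind the firewall).
    trust_host_header=False: always the destination the client really dialled,
    which it cannot forge from inside the HTTP request."""
    if trust_host_header:
        target = host_header_target(headers)
        if target is not None:
            return target
    return original_dst


def build_upstream_request(raw: bytes) -> bytes:
    """Rewrite an absolute-form target (GET http://h/p) to origin-form (GET /p);
    the Host: header and the rest of the head are copied across unchanged."""
    request_line, _ = parse_request_head(raw)
    method, _, rest = request_line.partition(b" ")
    target, _, version = rest.rpartition(b" ")
    if target.lower().startswith(b"http://"):
        slash = target.find(b"/", len(b"http://"))
        target = target[slash:] if slash != -1 else b"/"
    return b" ".join((method, target, version)) + raw[len(request_line):]


def original_destination_of(conn: socket.socket) -> Addr:
    """On OpenBSD, for a connection redirected by pf 'rdr-to', getsockname() on
    the accepted socket is the address the client originally dialled (Linux
    needs getsockopt(SOL_IP, SO_ORIGINAL_DST)).  Without a redirect in front of
    the proxy it is simply the proxy's own listening address."""
    host, port = conn.getsockname()[:2]
    return host, port


def loopback_probe() -> Tuple[Addr, Addr]:
    """Accept one loopback connection; with no pf redirect in place the
    getsockname() result equals the listener address."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        listener: Addr = srv.getsockname()[:2]
        with socket.create_connection(listener):
            conn, _ = srv.accept()
            with conn:
                return original_destination_of(conn), listener


# Constructed scenario: pf redirected a client's connection to 203.0.113.10:80
# into the proxy, but the request names an internal host instead.
PUBLIC_DST: Addr = ("203.0.113.10", 80)
FORGED_REQUEST = (b"GET /admin HTTP/1.1\r\n"
                  b"Host: 10.0.0.5\r\n"
                  b"Connection: close\r\n\r\n")


def demo() -> Tuple[Addr, Addr]:
    """(upstream under the Host: policy, upstream under the original-dst policy)."""
    _, headers = parse_request_head(FORGED_REQUEST)
    return (choose_upstream(PUBLIC_DST, headers, trust_host_header=True),
            choose_upstream(PUBLIC_DST, headers, trust_host_header=False))


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("Host: header policy would connect to", vulnerable)
    print("original-destination policy connects to", fixed)
    print(build_upstream_request(FORGED_REQUEST).decode(), end="")
    print("getsockname without a redirect:", loopback_probe())
```

Run as a script: the Host:-first policy reports 10.0.0.5:80 as the upstream for a connection that was dialled to 203.0.113.10:80, the original-destination policy reports 203.0.113.10:80, and the forwarded head still carries `Host: 10.0.0.5` exactly as the client sent it, which is what lets name-based virtual hosting on the real destination keep working.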
