[squid-users] Re: source address ip spoofing

2014-08-29 Thread Julian
Hi Amos,

You're right. 
That was the reason for my question here.
I thought maybe there is a way to do it and I don't see it.

The drive behind this question is related to the illegal activities that
some users can perform behind the proxy coverage. We wanted to avoid storage
of access logs but keep the network design we use now.

Thank you for all the details and the help,
Julian






[squid-users] Re: source address ip spoofing

2014-08-28 Thread Julian
Hi Amos,

Thank you for the direction provided.

If I understand right, with the right configuration that can delete the
source IP from the header... it can be done.

Thanks again,
Julian





[squid-users] Re: source address ip spoofing

2014-08-28 Thread Julian
Hi Amos,

We turned off X-Forwarded-For/Via headers and the effect was quite the opposite
of what we expected :(
Now if a host checks "What is my IP?" against any online website it shows
only the IP address of the Proxy Server.

What we want is exactly the opposite.
When a host checks their IP we want them to see their own IP with no show of
the Proxy Server IP.
This way we don't have to log the hosts' access because they will identify to
any Internet Server with their own IP. We don't want our users to hide
behind Proxy IP.

Would this be possible when using wpad redirection?
Is there a way to make Squid completely spoof source IP and become
transparent for the users?

Thank you for your help,
Julian






Re: [squid-users] Re: source address ip spoofing

2014-08-28 Thread Eliezer Croitoru

Hey Julian,

I think you do not understand a couple of things.
When you use a proxy in forward mode, which is configured in the 
client's browser using wpad.dat, there is no means to SPOOF their IP.
There is indeed a way to do it but it also depends on many factors which 
in your case I suspect you cannot meet.


The IP address which sites show depends only on their own scripts 
and way to look at the requests.

The basic way is to show only the src IP of the machine such as the proxy.
There is a way to detect a x_forward_for header and to show this but 
nobody in the real world will use this header as a src IP in his tests 
if he is sane.


For example if this LAN network (if I understood right) has a segment of 
192.168.0.0/24 and the internet server will show the real client IP as 
192.168.0.100 (example) it is a lie from his point of view and from the 
internet point of view.
Also in this case there is no way to spoof this address since it's a 
local network address space which does not exist on the internet.


Hope it explained the basic issue.
Eliezer

On 08/28/2014 08:51 PM, Julian wrote:

> Hi Amos,
>
> We turned off X-Forwarded-For/Via headers and the effect was quite opposite
> we expected :(
> Now if a host checks What is my IP? against any online website it shows
> only the IP address of the Proxy Server.
>
> What we want is exactly the opposite.
> When a host checks their IP we want them to see their own IP with no show of
> the Proxy Server IP.
> This way we don't have to log the hosts access because they will identify to
> any Internet Server with their own IP. We don't want our users to hide
> behind Proxy IP.
>
> Would this be possible when using wpad redirection?
> Is there a way to make Squid completely spoof source IP and become
> transparent for the users?
>
> Thank you for your help,
> Julian





[squid-users] Re: source address ip spoofing

2014-08-28 Thread Julian
Hi Eliezer,

I understand what you say, but we use external IPs for our network hosts
(nothing in 192.168.x.x range).
What I need is to direct the traffic to our proxy using the wpad mechanism
(which works just fine for us) but to make our proxy completely transparent
to external destinations.
I think TPROXY Squid might be a way to do it, but we only use Squid 2.7
now.

We want to keep running with our Proxy in the same deployment scenario,
except that we need external Internet destinations to see the requests
coming from our hosts' IP(s) instead of our Proxy.

Thank you for your insights,
Julian






Re: [squid-users] Re: source address ip spoofing

2014-08-28 Thread Amos Jeffries
On 29/08/2014 11:09 a.m., Julian wrote:
> Hi Eliezer,
>
> I understand what you say, but we use external IPs for our network
> hosts (nothing in 192.168.x.x range).

How is any of the software along the HTTP traffic route supposed to
know that?


> What I need is to direct the traffic to our proxy using the wpad
> mechanism (which works just fine for us) but to make our proxy
> completely transparent to external destinations. I think TPROXY
> Squid might be a way to do it,  but we only use Squid 2.7 now.

The IP spoofed by TPROXY is the IP received on the TCP packets; it is
not necessarily the end user's IP.

TPROXY is also incompatible with manual and WPAD configuration. TPROXY
traffic has CVE-2009-0801 security checks applied to it, which on
explicitly configured proxy traffic will lead to infinite forwarding
loops as the proxy transparently relays to its own IP.


Going back to your original post there are two incorrect statements
which may be confusing you...

1)
> Proxy Auto-Discovery on our users browsers is able to get activated
> by a wpad.dat file which transparently redirects our users HTTP
> requests to our Proxy Server.

WPAD is sometimes called transparent configuration. Emphasis on
configuration. There is no redirect happening at all, anywhere.

The client software is explicitly using Automatic Discovery (the
__AD) to locate the proxy it is going to transfer through without the
user having to do anything.


> The way our Proxy Server works now is by hiding the IP address of
> users getting directed to our machine.

What the proxy does is called Application Layer Gateway. From the
outside it looks a bit like what NAT does: the TCP layer IP:port
address changes to one for the gateway service (aka Squid) so that TCP
reply packets are able to return to the proxy.


What you want is just not possible at all with Squid-2.7 and unlikely
to be possible with any newer release either. Consider what happens
when the proxy generates a new connection: TCP SYN packets with the
client IP on them ... the TCP SYN-ACK packets get sent straight back
to that client IP ... then what? connection hangs.


> We want to keep running with our Proxy in the same deployment
> scenario, except that we need external Internet destinations to see
> the requests coming from our hosts IP(s) instead of our Proxy.

HTTP is designed to operate with multiple intermediaries in similar
ways to how SMTP and DNS operate with
proxies/relays/recursive-resolver. The X-Forwarded-For header(**) is
how HTTP relays details about the *sequence* of client IPs which are
used to reach the origin server.
 http://tools.ietf.org/html/rfc7230#section-2.3

So, why are you requesting this? What real problem are you trying to
solve that makes you think about spoofing the client IP?

Amos

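
An added example, not part of the thread and not Squid code: how an origin server can attribute a request using the TCP peer address plus the X-Forwarded-For sequence discussed above, believing the header only when the connection arrives from a proxy it trusts. The proxy address, the trusted list and the function names are assumptions constructed for illustration (documentation address ranges).

```python
import ipaddress

# Assumption: proxies this origin server's operator has agreed to trust.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]  # constructed
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def attribute_request(peer_addr, xff_header):
    """Return (address, is_lan_only) for one request.

    peer_addr  -- source IP of the TCP connection (what "what is my IP"
                  sites show by default; it cannot be forged on a working
                  connection because replies must come back to it).
    xff_header -- raw X-Forwarded-For value, or None.
    """
    current = ipaddress.ip_address(peer_addr)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Each proxy appends the address it received the request from, so the
    # list is walked right to left, and only while the hop that wrote the
    # entry is one we trust. Anything further left is client-supplied text.
    for hop in reversed(hops):
        if not _in_any(current, TRUSTED_PROXIES):
            break
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # e.g. "unknown", which Squid sends with forwarded_for off
    # An RFC 1918 address identifies nobody outside the LAN it came from.
    return str(current), _in_any(current, RFC1918)


if __name__ == "__main__":
    samples = [  # constructed (peer, header) pairs
        ("203.0.113.10", "198.51.100.7"),
        ("198.51.100.99", "192.0.2.1"),
        ("203.0.113.10", "192.0.2.55, 198.51.100.7"),
        ("203.0.113.10", "192.168.0.100"),
        ("203.0.113.10", "unknown"),
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", attribute_request(peer, xff))
```
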