On Sun, Oct 08, 2006 at 02:27:13AM +1000, Niels Ganser wrote:
> Hey,
>
> I wrestled quite a bit with shorewall (version 3.0.4) lately to get
> something to work which I expected to be fairly trivial. Most likely
> it really is but I just can't figure it out..
>
> Consider the following scenario:
> All HTTP(S) Traffic from a local machine should be routed through a
> SSH tunnel to a remote (squid) proxy. The SSH Tunnel locally listens
> on port 3128. That's also the port on which everything ends up on the
> remote machine (shouldn't matter though?!). The setup works as long as
> I configure client programs manually to use this proxy
> (localhost:3128) but I'd love to have a transparent proxy (i.e. the
> clients don't know anything about it).
>
> I thought it was just a matter of redirecting any outgoing request to
> port 80 resp. 443 to 127.0.0.1:3128 but either that's not the way to
> go or I am not able to set those redirects up properly :)
>
> I managed to redirect the request to the remote proxy (via SSH
> tunnel), however the original hostname seems to get lost along the way
> since I only receive errors from the proxy. The squid logs show
> something like
> 1160238209.322 342 127.0.0.1 TCP_DENIED/400 1574 GET
> /rss/newsonline_world_edition/front_page/rss.xml - NONE/- text/html
> as opposed to the expected
> 1160237922.254 362 127.0.0.1 TCP_REFRESH_MISS/200 16428 GET
> http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml
> - DIRECT/212.58.226.8 application/xml
>
I'm not sure what you are trying to accomplish. However, I did want to give you some food for thought. Any https traffic cannot be transparently proxied. Think about it for a moment. Everything in the https request, except for the IPs and port numbers, is encrypted. You want the user to set up proxies explicitly. If not, what is to stop anyone along the way from proxying your SSL traffic? If that is the case, then what good is SSL?

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
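The two Squid log lines quoted in the question differ in the request target: a bare path in the denied request, a full URL in the expected one. As an added example (not part of either message), this Python sketch classifies the request target and rebuilds the full URL from the Host header, which is the information an intercepting proxy has to work from; the function names and both sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed samples: the same resource requested by a client that talks
# straight to the origin server, and by one explicitly configured for a proxy.
DIRECT_CLIENT = (b"GET /rss/newsonline_world_edition/front_page/rss.xml HTTP/1.1\r\n"
                 b"Host: newsrss.bbc.co.uk\r\n\r\n")
PROXY_CLIENT = (b"GET http://newsrss.bbc.co.uk/rss/newsonline_world_edition/"
                b"front_page/rss.xml HTTP/1.1\r\nHost: newsrss.bbc.co.uk\r\n\r\n")

def parse_request_head(raw: bytes):
    """Return (method, target, headers) from an HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def target_form(target: str) -> str:
    """Classify the request target as 'origin', 'absolute' or 'other'."""
    if target.startswith("/"):
        return "origin"      # what a client sends when it knows of no proxy
    url = urlsplit(target)
    if url.scheme in ("http", "https") and url.netloc:
        return "absolute"    # what a client sends to a configured proxy
    return "other"           # e.g. CONNECT host:port, OPTIONS *

def effective_url(raw: bytes, scheme: str = "http"):
    """Rebuild the full URL; None when the destination host is unknown."""
    _method, target, headers = parse_request_head(raw)
    form = target_form(target)
    if form == "absolute":
        return target
    if form == "origin" and headers.get("host"):
        return f"{scheme}://{headers['host']}{target}"
    return None

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT_CLIENT), ("proxy", PROXY_CLIENT)):
        _m, target, _h = parse_request_head(raw)
        print(name, target_form(target), effective_url(raw))
```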
