[ previous ] [ next ] [ threads ]
 
 From:  "Frans King" <frans dot king at f333 dot net>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Transparent HTTP proxy
 Date:  Sat, 12 Feb 2005 21:58:53 -0000
> -----Original Message-----
> From: Frans King [mailto:frans dot king at f333 dot net]
> Sent: 12 February 2005 19:39
> To: m0n0wall at lists dot m0n0 dot ch
> Cc: m0n0wall dash dev at lists dot m0n0 dot ch
> Subject: [m0n0wall] Transparent HTTP proxy
> 
> I read in the m0n0wall documentation that transparent proxying is not
> supported because of the issue of figuring out what the actual HTTP
> request
> is. I have pretty much the same situation as described here
> http://m0n0.ch/wall/list/?action=show_msg&actionargs%5B%5D=106&actionargs%
> 5B
> %5D=46:
> 
> WAN
> |
> |
> M0n0-----DMZ (proxy server = 10.0.1.2)
> |
> |
> |
> LAN (clients - 10.0.0.0/28)
> 
> The idea is to have HTTP traffic forced through the proxy server which is
> in
> fact possible with m0n0wall and squid under linux.
> 
> I followed the squid docs on transparent proxies
> (http://www.squid-cache.org/Doc/FAQ/FAQ-17.html) adding these lines:
> 
> http_port 8080
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy  on
> httpd_accel_uses_host_header on
> 
> to my squid.conf so that squid recognizes hijacked connections.
> 
> Then I added a redirect rule in m0n0wall via exec.php:
> 
> cat "rdr rl0 0/0 port http -> 10.0.1.2 port 3128" > rules
> ipnat -f rules
> 
> And low and behold any traffic on port 80 going into my LAN interface is
> redirected to the squid proxy.
> 
> Obviously this will not work for situations where the proxy server resides
> on the LAN interface but with some tweaking of the redirect rule it should
> be possible.
> 
> Also I don't know about other proxy servers and whether they can intercept
> hijacked connections.
> 
> Regards,
> 
> Frans
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch

I may also investigate tproxy (a userland redirector) but I'm not sure if
it's required.