Re: transparent proxies

From: John Saunders <john@dont-contact.us>
Date: 28 Jul 1997 22:34:57 GMT

Why the need for the patch? Don't you like the squid config file :-)

# TAG: httpd_accel_uses_host_header
# HTTP/1.1 requests include a Host: header which is basically the
# hostname from the URL. Squid can be an accelerator for
# different HTTP servers by looking at this header. However,
# Squid does NOT check the value of the Host header, so it opens
# a big security hole. We recommend that this option remain
# disabled unless you are sure of what you are doing.
#
httpd_accel_uses_host_header on

Ignore the warning about security and enable this option for using the
Host: header.

Cheers.

Miquel van Smoorenburg <miquels@cistron.nl> wrote:
> In article <m0wsnyK-0008Z4C@relay.noho.co.uk>,
> Richard Ayres <RichardA@noho.co.uk> wrote:
> >From: Martin Hamilton <martin@mrrl.lut.ac.uk>
> >>
> >>Just wondering how many people were running Squid in a transparent
> >>proxy setup, and what your experiences of this were. For info :-
> >
> >I'm using such a setup. The only issues so far have been that:
> >
> >(a) it's fairly useless to use my service provider's parent caches
> >(cache-?.www.demon.net) because by proxying squid only sees IP addresses,
> >not host names and demon aren't generally asked for IP addresses by other
> >users;

> I think this can be solved pretty easily. You just redirect all port 80
> traffic not to squid, but to another port (say 4040) with a redirector
> process behind it. That redirector process first reads the whole request header.
> If there's a Host: header in it (which all modern browsers provide), use
> that to reconstruct a complete URL, otherwise use the IP number. Then connect
> to squid and ask for the URL.

> Writing such a redirector could be done in a spare afternoon or evening..
> if I'm feeling bored tonight I might just give it a shot (I have 90% of
> it already done for a similar project).

> It should be equally easy to hack this into squid itself (use the Host:
> header instead of the result of getsockname() if present). [checking]
> ah yes, around line 1644 in icp.c. Hmm the code is already there, it's
> just not used in "virtual" mode! Forget about the redirector process..

> [clickety click]

> Here's a completely untested patch (but it does compile)

> [squid-1.1.11-transproxy.patch]
> --- icp.c.orig Mon Jul 28 18:17:23 1997
> +++ icp.c Mon Jul 28 18:23:03 1997
> @@ -1639,13 +1639,29 @@
> if (httpd_accel_mode && *url == '/') {
> /* prepend the accel prefix */
> if (vhost_mode) {
> - /* Put the local socket IP address as the hostname */
> - url_sz = strlen(url) + 32 + Config.appendDomainLen;
> - icpState->url = xcalloc(url_sz, 1);
> - sprintf(icpState->url, "http://%s:%d%s",
> - inet_ntoa(icpState->me.sin_addr),
> - (int) Config.Accel.port,
> - url);
> + /*
> + * Put the local socket IP address as the hostname
> + *
> + * If a Host: header was specified, use it to build the URL
> + * instead of the result of getsockname().
> + */
> + if ((t = mime_get_header(req_hdr, "Host")) != NULL) {
> + strtok(t, " :/;@");
> + url_sz = strlen(url) + strlen(t) + 32 + Config.appendDomainLen;
> + icpState->url = xcalloc(url_sz, 1);
> + if (Config.Accel.port != 80)
> + sprintf(icpState->url, "http://%s:%d%s",
> + t, (int) Config.Accel.port, url);
> + else
> + sprintf(icpState->url, "http://%s%s", t, url);
> + } else {
> + url_sz = strlen(url) + 32 + Config.appendDomainLen;
> + icpState->url = xcalloc(url_sz, 1);
> + sprintf(icpState->url, "http://%s:%d%s",
> + inet_ntoa(icpState->me.sin_addr),
> + (int) Config.Accel.port,
> + url);
> + }
> debug(12, 5, "VHOST REWRITE: '%s'\n", icpState->url);
> } else if (opt_accel_uses_host && (t = mime_get_header(req_hdr, "Host"))) {
> /* If a Host: header was specified, use it to build the URL

> Mike.
> --
> | Miquel van Smoorenburg | |
> | miquels@cistron.nl | Owners of digital watches, your days are numbered. |
> | PGP fingerprint: FE 66 52 4F CD 59 A5 36 7F 39 8B 20 F1 D6 74 02 |

-- 
--            +------------------------------------------------------------+
        .     | John Saunders  - mailto:john@nlc.net.au            (EMail) |
    ,--_|\    |                - http://www.nlc.net.au/              (WWW) |
   /  Oz  \   |                - 041-822-3814 or 02-9477-2881      (Phone) |
   \_,--\_/   | NHJ NORTHLINK COMMUNICATIONS - Supplying a professional,   |
         v    | and above all friendly, internet connection service.       |
              +------------------------------------------------------------+
Received on Mon Jul 28 1997 - 15:41:52 MDT
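The squid.conf comment quoted above and the patch leave the same gap: the Host: value is client-supplied and goes into the rewritten URL unchecked. As an added example (not from this post, the patch or Squid itself), here is a stand-alone C version of the vhost rewrite that validates the header against a constructed allow-list of accelerated hostnames before using it, falls back to the local socket address when no Host header is present, and takes the port from the configuration rather than from the client; `accel_hosts`, `rewrite_url` and the request headers used below are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed allow-list of the hostnames this accelerator serves (assumed). */
static const char *accel_hosts[] = { "www.example.com", "intranet.example.net", NULL };

/* Copy the Host: value (minus any port) out of a raw request header block
 * without writing into it, as the patch's strtok() does. Returns 1 if found. */
static int get_host_header(const char *req_hdr, char *host, size_t hostsz)
{
    const char *p = req_hdr;
    size_t n = 0;
    while (p && *p) {
        if (strncasecmp(p, "Host:", 5) == 0) {
            p += 5 + strspn(p + 5, " \t");    /* skip the field name and blanks */
            while (*p && !strchr("\r\n :/;@", *p) && n + 1 < hostsz)
                host[n++] = *p++;
            host[n] = '\0';
            return 1;
        }
        p = strchr(p, '\n');                  /* advance to the next header line */
        if (p) p++;
    }
    return 0;
}

/* The check Squid does not make: only a configured host may be used. */
static int host_allowed(const char *host)
{
    for (const char **a = accel_hosts; *a; a++)
        if (strcasecmp(host, *a) == 0) return 1;
    return 0;
}

/* Rebuild the absolute URL as the vhost branch of the patch does, but only
 * from a validated Host; with no Host at all fall back to the local socket
 * address (a string here) as before. The port is always the configured one.
 * Returns 0 on success, -1 for an unknown host, -2 if out is too small. */
int rewrite_url(const char *req_hdr, const char *path, const char *local_ip,
                int accel_port, char *out, size_t outsz)
{
    char host[256];
    const char *h = local_ip;
    if (get_host_header(req_hdr, host, sizeof host)) {
        if (!host_allowed(host)) return -1;   /* not ours: refuse to rewrite */
        h = host;
    }
    int n = snprintf(out, outsz, "http://%s:%d%s", h, accel_port, path);
    return (n < 0 || (size_t) n >= outsz) ? -2 : 0;
}
```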

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:51 MST