Re: [squid-users] transparent proxy error

From: CsY <csy@dont-contact.us>
Date: Tue, 01 Nov 2005 22:00:55 +0100

do you think this?
# Generated by iptables-save v1.3.1 on Fri Oct 21 15:21:54 2005
*mangle
:PREROUTING ACCEPT [2497:834932]
:INPUT ACCEPT [2477:831704]
:FORWARD ACCEPT [19:3172]
:OUTPUT ACCEPT [2598:846827]
:POSTROUTING ACCEPT [2617:849999]
COMMIT
# Completed on Fri Oct 21 15:21:54 2005
# Generated by iptables-save v1.3.1 on Fri Oct 21 15:21:54 2005
*nat
:PREROUTING ACCEPT [6:789]
:POSTROUTING ACCEPT [74:4434]
:OUTPUT ACCEPT [69:3693]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081
COMMIT
# Completed on Fri Oct 21 15:21:54 2005
# Generated by iptables-save v1.3.1 on Fri Oct 21 15:21:54 2005
*filter
:INPUT ACCEPT [2477:831704]
:FORWARD ACCEPT [19:3172]
:OUTPUT ACCEPT [2598:846827]
COMMIT
# Completed on Fri Oct 21 15:21:54 2005

Henrik Nordstrom wrote:
> On Tue, 1 Nov 2005, Senthil Murugan wrote:
>
>> the original website that he/she was trying to access. But this time
> >> the browser will not send the cookie credentials because this is a
>> different domain. You explained as, "since the proxy has the full
>> control of the traffic passing thru it, it can play games on the
>> browser and issue cookie for all the visited domains". But with this,
>> only the proxy can add the credentials but what actually needed is,
>> only the proxy needs the credentials from the browser. How come the
> >> works or I am not understood clearly?
>
> There is always the domain of the proxy, to which the browser sends
> its cookies. To transport the session cookie to another domain a
> double redirect is used via the proxy domain, temporarily carrying the
> session details in a "magic" URL to the visited domain which then
> issues the cookie and redirects back to the originally requested page
> on the same domain.
>
> I have done this kind of solutions for reverse proxies using Squid,
> and it is not hard (you only need a HTTP server maintaining the
> session, and a little thinking on how to use external acls). Only
> difficulty wrt doing it in a forward proxy is that you need to modify
> the proxy to not forward the session cookie to the requested site and
> for this some new Squid modifications will be needed (i.e. the
> filtering of the cookie is not possible with what is available for
> Squid today)
>
> Regards
> Henrik
Received on Tue Nov 01 2005 - 14:01:02 MST
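
The double redirect described in the quoted reply, modelled as an added example (not code from this thread and not Squid code): the proxy sends an unknown domain's request to its own domain, picks up the session cookie there, and hands the session to the visited domain through a "magic" URL. The names proxy.example, /__handoff and psid, and the one-time 30-second ticket standing in for the "session details", are assumptions made for this sketch.

```python
import secrets, time
from urllib.parse import urlsplit, parse_qs, urlencode

PROXY = "proxy.example"        # assumed name of the proxy's own domain
MAGIC = "/__handoff"           # assumed path of the "magic" URL
sessions = {}                  # session id -> user, kept by the session HTTP server
tickets = {}                   # one-time ticket -> (session id, return URL, expiry)

def proxy_handle(url, cookies):
    """What the intercepting proxy does with one request; cookies are those
    the browser holds for this URL's host."""
    u, sid = urlsplit(url), cookies.get("psid")
    q = parse_qs(u.query)
    if u.hostname == PROXY:                    # hop 2: proxy domain gets its cookie
        ret = q.get("return", [""])[0]
        if sid not in sessions or not urlsplit(ret).hostname:
            return "deny", {}
        t = secrets.token_urlsafe(16)
        tickets[t] = (sid, ret, time.time() + 30)
        magic = f"http://{urlsplit(ret).hostname}{MAGIC}?" + urlencode({"t": t})
        return "redirect", {"Location": magic}
    if u.path == MAGIC:                        # hop 3: visited domain issues cookie
        tsid, ret, exp = tickets.pop(q.get("t", [""])[0], (None, "", 0))
        same_host = urlsplit(ret).hostname == u.hostname
        if tsid not in sessions or not same_host or time.time() > exp:
            return "deny", {}
        return "redirect", {"Location": ret, "Set-Cookie": f"psid={tsid}; HttpOnly"}
    if sid in sessions:                        # hop 4: known session, forward upstream
        # the session cookie is filtered out before the request leaves the proxy
        return "forward", {k: v for k, v in cookies.items() if k != "psid"}
    home = f"http://{PROXY}/handoff?" + urlencode({"return": url})
    return "redirect", {"Location": home}      # hop 1: no cookie for this domain yet

def browse(url, jar):
    """Constructed mini-browser: per-host cookie jar, follows redirects."""
    trace = []
    for _ in range(6):
        host = urlsplit(url).hostname
        action, data = proxy_handle(url, jar.setdefault(host, {}))
        trace.append((action, host))
        if action != "redirect":
            return trace, data
        if "Set-Cookie" in data:
            name, _, value = data["Set-Cookie"].split(";")[0].partition("=")
            jar[host][name] = value
        url = data["Location"]
    return trace, None
```

The "forward" branch is the step the reply says stock Squid could not do at the time: without it the session cookie would be sent on to every visited site.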
