-
Notifications
You must be signed in to change notification settings - Fork 645
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No documentation on how to use as transparent proxy #45
Comments
Good point! Who would like to contribute documentation about transparent? |
The iptables REDIRECT rule(s) are buried in I couldn't get transparent proxying to work without editing src/transparent-proxy.c Even then it doesn't work for SSL/TLS. |
Hello, does tinyproxy has transparent proxy mode? |
Apparently. I could only get it to work by the substituting the getsockopt() call in my comment above.
with
Some years ago I hacked apart transproxy (http://transproxy.sourceforge.net/) for a particular |
I have put the Linux patch for transparent proxying and some information on |
@pellucida would you mind to describe what the issue with transparent proxying is, that your patch is trying to address ? |
Please read http://toves.freeshell.org/tinyproxy/ Its three years ago and the source has probably been updated and/or the linux kernel support If you are interested I can probably pull the syslog entries and elaborate. The OP's missing documentation I believe was the netfilter stuff. |
thanks.
vs
this looks like tinyproxy failed to extract the Host: header from the original request and insert it as the destination host, right ? |
I added a comment on github.
I had a quick look at the latest version v1.11
The penny dropped that it really only supports HTTP/1.1
ie requires the 'Host: ' header.
My requirement at the time was for a HTTP/1.0 client.
Hence the getsockopt() syscall to pickup the original
destination IP.
I would note that a 1.1 client connecting to the wrong IP address
would still get the right page as tinyproxy uses the Host: header.
The technique of determining the address family from socket size
doesn't work on my rhel7 box. Why not just use dest_addr.v4.sin_family?
The family field is common to all families.
I haven't used tinyproxy for years. Once the cluster hosts had to access
an external license server I was allowed to enable forwarding and
nat the connections.
…On Tue, 15 Sep. 2020, 20:05 rofl0r, ***@***.***> wrote:
@pellucida <https://github.com/pellucida> would you mind to describe what
the issue with transparent proxying is, that your patch is trying to
address ?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#45 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ADJNOR63O35LLCWBIW2QTYLSF43X5ANCNFSM4CYISKMQ>
.
|
you mean elsewhere ? i can't see anything, please point me there
i'd think so, but it is kinda hard to test the transparent functionality without a test network setup
in which file/line ? |
Sorry I didn't realize email fed into this.
I tested it on real hardware but a VM setup would be just as good.
src/transparent-proxy.c .. 55 int 56 do_transparent_proxy (struct conn_s *connptr, orderedmap hashofheaders, 57 struct request_s *request, struct config_s *conf, 58 char **url) .. 86 af = length == sizeof(dest_addr.v4) ? AF_INET : AF_INET6; 87 if (af == AF_INET) dest_inaddr = &dest_addr.v4.sin_addr; 88 else dest_inaddr = &dest_addr.v6.sin6_addr; At line 86 debugging gives (on RHEL7.8) DEBUG: transparent-proxy.c(85) sizeof(dest_addr.v4) = 16, length = 28 This works but there are better ways. af = dest_addr.v4.sin_family; |
corporate and ISP networks are known to hijack name resolution so a log.notice() for 'dst_iP' != "what HOST_HEADER actually resolves to" would be helpful IMO. |
@pellucida now does it actually work or not? according to posix manual, it should:
assuming the proxy runs in the corporate/ISP network, we'd get the same value for both, wouldn't we? |
no the proxy would be located where TRUTH would be available. If name lookups on Tinyproxy were also lies, then the product wouldn't work. As to hacking based on sizeof a structure when sin_family has pretty much ALWAYS been correct, just get rid of the hack, yes? Even microsoft stack fills in sin_family correctly so I don't know what prompted going about it all back-asswards. |
The effect is the test for ipv4 fails ie af is set to AF_INET6. Personally I would use sockaddr_storage (rather the sockaddr_union) and The glibc bindings have an elaborate transparent union arrangement which |
it's been reported[0] that RHEL7 fails to properly set the length parameter of the getsockname() call to the length of the required struct sockaddr type, and always returns the length passed if it is big enough. the SOCKADDR_UNION_* macros originate from my microsocks[1] project, and facilitate handling of the sockaddr mess without nasty casts. [0]: #45 (comment) [1]: https://github.com/rofl0r/microsocks
I tend to avoid macros as far as possible in favour of inline functions static inline sa_family_t getfamily (__CONST_SOCKADDR_ARG sa) { return sa->sa_family; } |
tinyproxy is compiled with hardcore pedantic compiler options, including -std=c89. means there's no inline. apart from that, we can discuss C style on freenode if you so wish, but i don't think it belongs here. |
It's listed as a feature but not actually explained. Maybe some examples?
Should it be assumed the user intuitively knows to install Tiny on the network's gateway? Or resort to tricks like IPtables to intercept and Dest-NAT?
Can it be used for HTTPS? In which case, any special configuration?
How to play nice with AWS Elastic-loadbalancers' HTTP health checks? (aside: doesn't appear to work)
The text was updated successfully, but these errors were encountered: