Posted by: h4ck@lyst | December 17, 2007

transparent proxy

RFC 2616 (Hypertext Transfer Protocol — HTTP/1.1) offers:

“A ‘transparent proxy’ is a proxy that does not modify the request or response beyond what is required for proxy authentication and identification.”

Well, we had the following scenario. We have a squid proxy set up on 10.0.0.11 which can be accessed only by the user delta with the given password through 10.0.0.126. What I wanted to do was set up a transparent proxy so that the end user connects to 10.0.0.126/wiki and is redirected to en.wikipedia.org without accessing any proxy himself. So a transparent proxy was set up on delta. The httpd.conf uses ProxyPass to forward any request for /wiki to wikipedia.org. Since the redirection is done on the server side, it becomes a localhost request, and the transparent proxy accepts it and forwards it to the parent proxy.

Following are some of the configurations done by satya to enable all this.

cache_peer 10.0.0.11 parent 3128 3130 login=username:password

This defines the parent proxy to which requests have to be sent.

cache_peer_domain 10.0.0.11 .wikipedia.org .wikimedia.org

This states that only requests for the wikipedia and wikimedia domains are referred to the peer cache at 10.0.0.11; all other requests do not go to the parent/peer cache.

acl QUERY urlpath_regex cgi-bin
cache deny QUERY
Well, it says that queries having cgi-bin will not be cached. Had to remove ? from this line, else the intercepting proxy will not forward to the parent proxy requests like

@import "/skins-1.5/common/shared.css?102"

acl list dstdomain .wikipedia.org .wikimedia.org

#       With 'never_direct' you can use ACL elements to specify
#       requests which should NEVER be forwarded directly to origin
#       servers.  For example, to force the use of a proxy for all
#       requests, except those in your local domain use something like:
#
#               acl local-servers dstdomain .foo.net
#               acl all src 0.0.0.0/0.0.0.0
#               never_direct deny local-servers
#               never_direct allow all

So basically only requests matching the dstdomain ACL will be sent to the parent proxy.

http_reply_access allow list
http_reply_access deny all

So only replies matching the acl list will be allowed to pass down to the clients.
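To see which hosts the `.wikipedia.org .wikimedia.org` entries cover, and that look-alike hosts fall outside them, here is an added example (not from the original post and not Squid code) that models dstdomain matching in Python. The function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domain list copied from the cache_peer_domain / "acl list dstdomain" lines.
WIKI_DOMAINS = (".wikipedia.org", ".wikimedia.org")


def dstdomain_match(host, pattern):
    """Model of dstdomain matching (hypothetical helper, not Squid's code).

    A pattern with a leading dot matches the domain itself and every
    subdomain; a pattern without one matches that exact host only.
    """
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def decide(url, domains=WIKI_DOMAINS):
    """Return how the child proxy on 10.0.0.126 treats a request URL."""
    host = urlsplit(url).hostname or ""
    if any(dstdomain_match(host, d) for d in domains):
        return "parent"  # peer 10.0.0.11 is eligible, reply allowed by "list"
    return "denied"      # peer not used, reply hits http_reply_access deny all


# Constructed sample URLs, including look-alike hosts that must not match.
SAMPLES = [
    "http://en.wikipedia.org/wiki/Squid",
    "http://wikipedia.org/",
    "http://upload.wikimedia.org/a.png",
    "http://evilwikipedia.org/",
    "http://en.wikipedia.org.example.net/wiki/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{decide(sample):7} {sample}")
```

The leading dot is what keeps `evilwikipedia.org` and `en.wikipedia.org.example.net` from being sent to the authenticated parent.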

tcp_outgoing_address 10.0.0.126

This makes all requests going out to the parent proxy appear to come from 10.0.0.126, since the parent proxy is configured to process only client requests from 10.0.0.126 and from no other client IP.

And last but not the least the comment that helps me to keep track of all these changes to the squid.conf

# for wiki – satya
🙂
And the httpd.conf reverse proxy part

# Don't ask me about this. This I picked from suren's comments for spoj
ProxyRemote * http://10.0.0.126:3128
ProxyPass /skins-1.5/ http://en.wikipedia.org/skins-1.5/
ProxyPassReverse /skins-1.5/ http://en.wikipedia.org/skins-1.5/
ProxyPass /wiki/ http://en.wikipedia.org/wiki/
ProxyPassReverse /wiki/ http://en.wikipedia.org/wiki/

The two /skins-1.5/ lines are there to allow the CSS download.

Will be configuring it in a similar way for epaper soon!
