Re: [squid-users] trying to make the "Transparent Proxy" invisible

From: Henrik Nordstrom <[email protected]>
Date: 11 Apr 2003 15:49:59 +0200

tor 2003-04-10 klockan 19.38 skrev Joe Solinsky:

> There was some discussion about this back in 1996 or
> 1998, and the answer was that it wasn't possible to
> "lie" to the web server about the originating IP
> address; I was just wondering if this has changed in
> years since, or coincidentally if there's a trick in
> Apache people might know of to use a different source
> for the client IP address.

The general answer is still "no".

But in theory the same ugliness as used for intercepting port 80
requests can be used for spoofing outgoing requests with the client IP
address. See the squid-dev archives for some discussion. But be warned
that this is not ready for production use, and requires heavy patching
of both Linux-2.4 and Squid to make it possible for Squid to break these
fundamental rules of TCP/IP networking.

Also, very careful planning must be employed on your networking when
doing such thing to guarantee that whatever destination Squid has
contacted using the client IP address as source sends the reply back to
the Squid server, even when the IP address of the packets indicate they
should be sent to the client... this is basically only possible when
Squid is running on a router between the client an any resources
requested.

-- 
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
Received on Fri Apr 11 2003 - 07:50:09 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:56 MST