Re: Web-page based proxy service
On Mon, Jan 17, 2005 at 08:49:24PM +0300, Peter Clark wrote:
> On Monday 17 January 2005 12:08, Wouter Verhelst wrote:
> > Are the things you want to send through the proxy delimited by the network they appear on? e.g., you want traffic for the 'Net to go through the proxy, but want to keep traffic for your local LAN as direct traffic? If so, then transparent proxying should work perfectly for you.
>
> No, actually what I want to do is provide a bit of security in a hostile network environment.

Oh.

> Let's say we have a user who wants to check his web-based email (Yahoo, Hotmail, etc.) that doesn't offer SSL, and there's a high possibility that the network is being monitored by Unfriendlies.

What network? The one at the user's end, or one somewhere in between?

If an attacker can't read the traffic between the user and your SSL proxy, surely he can read the traffic between your SSL proxy and the remote system? This has the potential of lulling the user into a false sense of security, which is worse than the original (because users who think their traffic is secure will be less careful than users who know it isn't the case)

> The second problem is that said user could potentially desire to visit any website where he would be handing over passwords, credit card numbers, etc., so building a whitelist of servers, as some have suggested.

That could be a good idea, actually.

> My attempt at a solution is to provide a secure https server that acts as a proxy; all traffic from, say, Hotmail, would be encrypted by the server before being passed on to the user, but at the user's discretion, rather than my direct intervention. However, since my bandwidth is not unlimited, and since there's no point in encrypting _everything_, I don't want everything to go through the server. Several people have mentioned CGIProxy, which almost fits the bill, except that sites that require JavaScript can be problematic.

If you're going to try to apply semi-AI to web pages to determine whether something needs to come from the proxy or from the original server, you're /always/ going to have problems.

--
EARTH smog | bricks AIR -- mud -- FIRE soda water | tequila WATER -- with thanks to fortune
Re: Web-page based proxy service
On Sun, 16-01-2005 at 06:21 +0300, Peter Clark wrote:
> On Saturday 15 January 2005 16:39, Fraser Campbell wrote:
> > If you put squid as people's default gateway then you can transparently redirect all web requests through squid, if they hadn't authenticated then you could have an authentication box pop up or redirect them to an authentication webpage if you prefer.
>
> But this would require changing the user's browser settings, right?

No. Transparent proxying works 'transparent' to the user; he doesn't know that there is a proxy.

> The thing is, I don't want _everything_ to go through the proxy,

Are the things you want to send through the proxy delimited by the network they appear on? e.g., you want traffic for the 'Net to go through the proxy, but want to keep traffic for your local LAN as direct traffic? If so, then transparent proxying should work perfectly for you.

> which is what would usually happen if it was set via the browser. Unless I misunderstood and am mistaken about Squid's capabilities...

You did (but note that you'll need to do some iptables magic to make this possible)

--
EARTH smog | bricks AIR -- mud -- FIRE soda water | tequila WATER -- with thanks to fortune
Re: Web-page based proxy service
On Monday 17 January 2005 12:08, Wouter Verhelst wrote:
> Are the things you want to send through the proxy delimited by the network they appear on? e.g., you want traffic for the 'Net to go through the proxy, but want to keep traffic for your local LAN as direct traffic? If so, then transparent proxying should work perfectly for you.

No, actually what I want to do is provide a bit of security in a hostile network environment. Let's say we have a user who wants to check his web-based email (Yahoo, Hotmail, etc.) that doesn't offer SSL, and there's a high possibility that the network is being monitored by Unfriendlies. The second problem is that said user could potentially desire to visit any website where he would be handing over passwords, credit card numbers, etc., so building a whitelist of servers, as some have suggested.

My attempt at a solution is to provide a secure https server that acts as a proxy; all traffic from, say, Hotmail, would be encrypted by the server before being passed on to the user, but at the user's discretion, rather than my direct intervention. However, since my bandwidth is not unlimited, and since there's no point in encrypting _everything_, I don't want everything to go through the server. Several people have mentioned CGIProxy, which almost fits the bill, except that sites that require JavaScript can be problematic. Plus, it's horribly slow. However, in the absence of any other alternative, it's all that I've got.

:Peter
Re: Web-page based proxy service
Hello Peter,

Sunday, January 16, 2005, 4:21:10, you wrote:

PC> But this would require changing the user's browser settings, right? The
PC> thing is, I don't want _everything_ to go through the proxy, which is what
PC> would usually happen if it was set via the browser.

Do I understand right that you want only some pages to go through the proxy? Then use a proxy autoconfiguration file in the browser's settings. It's some JavaScript which decides for every URL what proxy server (if any) to use... The file is downloaded from the server, I guess, every time the browser is launched. Google should know a lot about it.

--
bYE, Marki
Re: Web-page based proxy service
On Friday 14 January 2005 03:56, Peter Clark wrote:
> I would like to provide a proxy service that can be used only by accessing a web page. In other words, I don't want users to enter proxy details in their browser settings, but rather, if they want to go through a proxy, they can visit a webpage, enter a URL in a form, and the page (and all subsequent pages) will be funneled through the proxy to the user. I believe that anonymizer.com does something similar. But hopefully you get the idea.

What about using a transparent squid proxy? Squid supports a tonne of authentication methods.

If you put squid as people's default gateway then you can transparently redirect all web requests through squid, if they hadn't authenticated then you could have an authentication box pop up or redirect them to an authentication webpage if you prefer.

Not sure of your topology so this may not be a suitable solution (I know it's not quite what you asked for).

--
Fraser Campbell [EMAIL PROTECTED] http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
Re: Web-page based proxy service
On Saturday 15 January 2005 16:39, Fraser Campbell wrote:
> If you put squid as people's default gateway then you can transparently redirect all web requests through squid, if they hadn't authenticated then you could have an authentication box pop up or redirect them to an authentication webpage if you prefer.

But this would require changing the user's browser settings, right? The thing is, I don't want _everything_ to go through the proxy, which is what would usually happen if it was set via the browser. Unless I misunderstood and am mistaken about Squid's capabilities...

:Peter
Re: Web-page based proxy service [signed]
Peter Clark wrote:
> On Friday 14 January 2005 19:59, MB [c] wrote:
> > You should be able to do this with a JSP. You should also be able to get SSL pages as well. I don't have an example handy, but this is not a trivial task. If there has not been an answer from someone else, I'll try to get you an example soon. Do you have the ability to run JSP's?
>
> I have the capability, but would prefer to use something less complex and heavyweight. No one else has mentioned an alternate solution, however. I was investigating Apache's mod_proxy, but there doesn't seem to be anything that does what I'm thinking.
>
> :Peter

Well, let me know if you come up with something else. I would be interested in this solution as well. I know that there are services that do this for people in, say China, so it is definitely do-able.

however, I did find this: http://www.jmarshall.com/tools/cgiproxy/

-M

--
-[ Ciphire Signature ]--
From: [EMAIL PROTECTED] signed email body (742 characters)
Date: on 16 January 2005 at 04:49:27 GMT
To: debian-isp@lists.debian.org
--[ End Ciphire Signed Message ]
Web-page based proxy service
I would like to provide a proxy service that can be used only by accessing a web page. In other words, I don't want users to enter proxy details in their browser settings, but rather, if they want to go through a proxy, they can visit a webpage, enter a URL in a form, and the page (and all subsequent pages) will be funneled through the proxy to the user. I believe that anonymizer.com does something similar. But hopefully you get the idea.

:Peter
Re: Web-page based proxy service [signed]
Peter Clark wrote:
> I would like to provide a proxy service that can be used only by accessing a web page. In other words, I don't want users to enter proxy details in their browser settings, but rather, if they want to go through a proxy, they can visit a webpage, enter a URL in a form, and the page (and all subsequent pages) will be funneled through the proxy to the user. I believe that anonymizer.com does something similar. But hopefully you get the idea.
>
> :Peter

You should be able to do this with a JSP. You should also be able to get SSL pages as well. I don't have an example handy, but this is not a trivial task. If there has not been an answer from someone else, I'll try to get you an example soon. Do you have the ability to run JSP's?

-Mark

--
-[ Ciphire Signature ]--
From: [EMAIL PROTECTED] signed email body (617 characters)
Date: on 14 January 2005 at 17:00:10 GMT
To: debian-isp@lists.debian.org
--[ End Ciphire Signed Message ]
Re: Web-page based proxy service [signed]
On Friday 14 January 2005 19:59, MB [c] wrote:
> You should be able to do this with a JSP. You should also be able to get SSL pages as well. I don't have an example handy, but this is not a trivial task. If there has not been an answer from someone else, I'll try to get you an example soon. Do you have the ability to run JSP's?

I have the capability, but would prefer to use something less complex and heavyweight. No one else has mentioned an alternate solution, however. I was investigating Apache's mod_proxy, but there doesn't seem to be anything that does what I'm thinking.

:Peter
Re: Web-page based proxy service
Peter Clark wrote:
> I would like to provide a proxy service that can be used only by accessing a web page. In other words, I don't want users to enter proxy details in their browser settings, but rather, if they want to go through a proxy, they can visit a webpage, enter a URL in a form, and the page (and all subsequent pages) will be funneled through the proxy to the user. I believe that anonymizer.com does something similar. But hopefully you get the idea.
>
> :Peter

I played around with CGIProxy for a while, although I don't really use it anymore. Might suit your needs.

http://www.jmarshall.com/tools/cgiproxy/

I found it didn't work very well for JavaScript heavy stuff like Hotmail (which is to be expected) but for most sites it worked adequately.

I had to apt-get install libnet-perl libnet-ssleay-perl and make a minor change to the script at line 3935:

    # $how_much -= Net::SSLeay::blength($got);
    $how_much -= length($got);

Coz Net::SSLeay::blength wasn't working for me.

Cheers,
Blair.