Re: Relayd as Transparent HTTP Proxy problem

2013-02-06 Thread Philip Guenther
On Wed, Feb 6, 2013 at 4:03 PM, Keith wrote:
> I have been trying to get relayd to work as a transparent HTTP proxy on an
> old OBSD 4.7 server today but I am having some trouble getting it to do what
> I want. The transparent proxy works perfectly but I want to block access to
> all websites unless they're on a whitelist in the relayd.conf file.  We have
> a squid proxy that all our web traffic should go through but we also have some
> apps that just refuse to use a proxy that we think we could let through the
> transparent proxy.
...
> Can someone help?

There have been *massive* changes in relayd in recent releases...and
you're using a release from almost 3 years ago.

So: set up a new server running 5.2 next to your current one, then
transition everything to it, then give it another shot.


Philip Guenther



Relayd as Transparent HTTP Proxy problem

2013-02-06 Thread Keith
I have been trying to get relayd to work as a transparent HTTP proxy on
an old OBSD 4.7 server today but I am having some trouble getting it to
do what I want. The transparent proxy works perfectly but I want to
block access to all websites unless they're on a whitelist in the
relayd.conf file.  We have a squid proxy that all our web traffic should
go through but we also have some apps that just refuse to use a proxy
that we think we could let through the transparent proxy.


http protocol "httpfilter" {
        tcp { nodelay, sack, socket buffer 65536, backlog 1000 }
        return error
        header change "Keep-Alive" to "$TIMEOUT"
        header change "Connection" to "close"

        request header log "Host"
        label "Unauthorised Host please contact support@"
        request header expect "undeadly.org" from "Host"
        request header expect "*undeadly.org*" from "Host"

        #   label "BAD user agent"
        #   request header filter "Mozilla/4.0*" from "User-Agent"
        #   request header filter "SomeBrokeBrowser/1.0*" from "User-Agent"

        #   label "BAD Host request"
        #request header filter "*youtube.com*" from "Host"
        #request header filter "*myspace.com*" from "Host"
        #request header filter "*facebook.com*" from "Host"
        #request header filter "*bfriends.com*" from "Host"

        request header change "Accept" to "text/html,text/plain;q=0.9,*/*;q=0.8"

        request header change "Accept-Charset" to "ISO-8859-1,utf-8;q=0.9"
        request header change "Accept-Encoding" to "gzip"
        request header change "Accept-Language" to "en-us,en;q=0.9"
        request header change "User-Agent" to "InVis"
}

relay httpproxy {
        listen on 127.0.0.1 port 8080
        protocol "httpfilter"
        forward to nat lookup
}


When the above config is loaded and I visit the undeadly website I just
get the following error.


Forbidden
incomplete request
OpenBSD relayd at 127.0.0.1 port 8080

Can someone help?

Thanks
Keith