[squid-users] tproxy2 patch for squid3

2006-07-29 Thread Jan Engelhardt
.connects++;
 
+if(Config.onoff.tproxy && src != NULL && src->sin_addr.s_addr != 0 &&
+ ((ntohl(src->sin_addr.s_addr) >> 24) & 0xFF) != 0x7F)
+do_tproxy(sock, src, address);
+
 x = connect(sock, (struct sockaddr *) address, sizeof(*address));
 
 if (x < 0)
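Review bot: the result of do_tproxy(sock, src, address) is thrown away, so if assigning the client's address to the socket fails, the connect() on the next line silently goes out with the proxy's own address and the parent again logs the intermediate proxy's IP; have do_tproxy() return an int and either fail the connect or at least debug()-log the fallback. The loopback test `((ntohl(src->sin_addr.s_addr) >> 24) & 0xFF) != 0x7F` is a magic number; `(ntohl(src->sin_addr.s_addr) >> IN_CLASSA_NSHIFT) != IN_LOOPBACKNET` from <netinet/in.h> says the same thing. Note also that 127/8 is the only source this refuses to spoof: every other client address, whether or not its return traffic is routed through this box, is copied onto the outgoing socket, so `tproxy` wants an ACL or address-range check limiting which clients get impersonated.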
diff --fast -Ndpru squid-3.0.PRE4-20060727~/src/forward.cc 
squid-3.0.PRE4-20060727/src/forward.cc
--- squid-3.0.PRE4-20060727~/src/forward.cc 2006-06-20 00:49:59.0 
+0200
+++ squid-3.0.PRE4-20060727/src/forward.cc  2006-07-28 15:56:59.629577000 
+0200
@@ -811,7 +811,7 @@ FwdState::connectStart()
 else
 hierarchyNote(&request->hier, fs->code, request->host);
 
-commConnectStart(fd, host, port, fwdConnectDoneWrapper, this);
+commConnectStart2(fd, host, port, fwdConnectDoneWrapper, this);
 }
 
 void
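Review bot: commConnectStart2 is a second entry point whose only difference from commConnectStart is the typed FwdState * last argument, and the name says nothing about that. It also makes the comm layer depend on forwarding state (hence the `class FwdState;` forward declaration this patch moves into the comm section of protos.h). Either give commConnectStart an optional `const struct sockaddr_in *src`, the type comm_connect_addr already accepts, and pass the client address from here, or name the variant for what it does (for example commConnectStartTproxy).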
diff --fast -Ndpru squid-3.0.PRE4-20060727~/src/ip_tproxy.h 
squid-3.0.PRE4-20060727/src/ip_tproxy.h
--- squid-3.0.PRE4-20060727~/src/ip_tproxy.h1970-01-01 01:00:00.0 
+0100
+++ squid-3.0.PRE4-20060727/src/ip_tproxy.h 2006-07-28 15:56:59.639577000 
+0200
@@ -0,0 +1,78 @@
+/*
+ * Transparent proxy support for Linux/iptables
+ *
+ * Copyright (c) 2002-2004 BalaBit IT Ltd.
+ * Author: Balzs Scheidler
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#ifndef _IP_TPROXY_H
+#define _IP_TPROXY_H
+
+#ifdef __KERNEL__
+#include 
+#include 
+#else
+#include 
+#ifndef IP_RECVORIGADDRS
+#define IP_RECVORIGADDRS   11273
+#define IP_ORIGADDRS   IP_RECVORIGADDRS
+struct in_origaddrs {
+struct in_addr ioa_srcaddr;
+struct in_addr ioa_dstaddr;
+unsigned short int ioa_srcport;
+unsigned short int ioa_dstport;
+};
+#endif
+#endif
+
+/*
+ * used in setsockopt(SOL_IP, IP_TPROXY) should not collide
+ * with values in 
+ */
+
+#define IP_TPROXY  11274
+
+/* tproxy operations */
+enum {
+   TPROXY_VERSION = 0,
+   TPROXY_ASSIGN,
+   TPROXY_UNASSIGN,
+   TPROXY_QUERY,
+   TPROXY_FLAGS,
+   TPROXY_ALLOC,
+   TPROXY_CONNECT
+};
+
+/* bitfields in IP_TPROXY_FLAGS */
+#define ITP_CONNECT 0x0001
+#define ITP_LISTEN  0x0002
+#define ITP_ESTABLISHED 0x0004
+
+#define ITP_ONCE0x0001
+#define ITP_MARK0x0002
+#define ITP_APPLIED 0x0004
+#define ITP_UNIDIR  0x0008
+
+struct in_tproxy_addr{
+   struct in_addr  faddr;
+   u_int16_t   fport;
+};
+
+struct in_tproxy {
+   /* fixed part, should not change between versions */
+   u_int32_t op;
+   /* extensible part */
+   union _in_args {
+   u_int32_t   version;
+   struct in_tproxy_addr   addr;
+   u_int32_t   flags;
+   } v;
+};
+
+#endif
+
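Review bot: IP_TPROXY 11274, IP_RECVORIGADDRS 11273 and the TPROXY_* op numbers are the ABI of one particular tproxy kernel patch, copied in verbatim, and nothing ties them to the running kernel. Since the enum provides TPROXY_VERSION, the code that issues setsockopt(SOL_IP, IP_TPROXY, ...) should query it once at startup and refuse to enable tproxy on a kernel whose version differs, rather than discovering the mismatch as EINVAL (or as a differently interpreted struct in_tproxy) at the first client connection. struct in_tproxy_addr also needs a comment stating whether faddr and fport are in network byte order, since the caller fills them from a sockaddr_in. Two smaller points: the `#include` lines in this copy of the hunk are empty (the archive dropped the bracketed file names), so the header as shown does not compile until they are restored, and `_IP_TPROXY_H` with its leading underscore and capital is a reserved identifier; `SQUID_IP_TPROXY_H` or similar avoids that.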
diff --fast -Ndpru squid-3.0.PRE4-20060727~/src/protos.h 
squid-3.0.PRE4-20060727/src/protos.h
--- squid-3.0.PRE4-20060727~/src/protos.h   2006-07-02 18:53:46.0 
+0200
+++ squid-3.0.PRE4-20060727/src/protos.h2006-07-28 15:57:02.299577000 
+0200
@@ -132,8 +132,10 @@ SQUIDCEXTERN void comm_reset_close(int f
 SQUIDCEXTERN void comm_lingering_close(int fd);
 #endif
 SQUIDCEXTERN void commConnectStart(int fd, const char *, u_short, CNCB *, void 
*);
+class FwdState;
+SQUIDCEXTERN void commConnectStart2(int, const char *, u_short, CNCB *, 
FwdState *);
 
-SQUIDCEXTERN int comm_connect_addr(int sock, const struct sockaddr_in *);
+SQUIDCEXTERN int comm_connect_addr(int sock, const struct sockaddr_in *, const 
struct sockaddr_in * = NULL);
 SQUIDCEXTERN void comm_init(void);
 
 SQUIDCEXTERN int comm_open(int, int, struct IN_ADDR, u_short port, int, const 
char *note);
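Review bot: `const struct sockaddr_in * = NULL` puts a C++ default argument on a SQUIDCEXTERN declaration; that is legal in C++ (extern "C" affects linkage only), but the definition in comm.cc must not repeat the default and the header stops being usable from C. Spelling the third argument out at the few call sites is clearer than a default. The larger point is commConnectStart2(int, const char *, u_short, CNCB *, FwdState *): the comm layer should not reach into FwdState to find the client address; pass a `const struct sockaddr_in *` (the type comm_connect_addr already takes) and the `class FwdState;` forward declaration added here becomes unnecessary.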
@@ -256,7 +258,6 @@ SQUIDCEXTERN void fqdncache_restart(void
 SQUIDCEXTERN EVH fqdncache_purgelru;
 SQUIDCEXTERN void fqdncacheAddEntryFromHosts(char *addr, wordlist * hostnames);
 
-class FwdState;
 SQUIDCEXTERN void ftpStart(FwdState *);
 SQUIDCEXTERN char *ftpUrlWith2f(const HttpRequest *);
 
diff --fast -Ndpru squid-3.0.PRE4-20060727~/src/structs.h 
squid-3.0.PRE4-20060727/src/structs.h
--- squid-3.0.PRE4-20060727~/src/structs.h  2006-07-02 18:53:47.0 
+0200
+++ squid-3.0.PRE4-20060727/src/structs.h   2006-07-28 15:57:02.309577000 
+0200
@@ -559,6 +559,7 @@ struct _SquidConfig
 int emailErrData;
 int httpd_suppress_version_string;
 int global_internal_static;
+int tproxy;
 }
 
 onoff;
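Review bot: the hunks shown add the `tproxy` flag to Config.onoff, but nothing in this part of the patch adds the matching cf.data.pre entry, so the directive is undocumented. Document the two facts an admin must know: it needs the tproxy kernel patch, and it makes Squid originate upstream connections with the client's source address, so every parent or origin reached with it must route its replies back through this Squid or the connections hang. Being a single global int it also applies to every outgoing connection; a per-cache_peer option would limit it to the parents that actually expect spoofed sources.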

Jan Engelhardt
-- 


Re: [squid-users] proxy auto configuration

2006-01-03 Thread Jan Engelhardt
>Hi again,
>
>A few things I don't fully understand. When you say a web server called
>wpad.domain.local, do you mean that that hostname has to resolve to an
>IP on my network? And also just out of interest, does anybody know if
>it's possible for squid to act as a transparent proxy?
>
How transparent do you want it to be? Transparent to the client and/or
transparent to the webserver.


Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/
| jengelh's site, http://jengelh.hopto.org/


Re: [squid-users] Only permitting SSL traffic on CONNECT?

2005-05-30 Thread Jan Engelhardt
>> Yes. However, you would need a filter that would detect the protocol in use.
>> I'm afraid it's currently impossible to push such a filter to squid w/o
>> patching and recompiling it.
>> 
>> Also, I'm not 100% sure that it's easy to detect SSL negotiation and
>> refuse the connection if it's not used (note that TLS negotiation is in
>> some cases requested after the initial handshake).
>> 
>> Last, when SSL is used, you can't even tell what protocol is inside of it.
>
> Thanks, then I will look to lock at least some dynamic IP addresses in order
> to prevent abuse by my users. ;-)

Check out http://l7-filter.sf.net/, it's got an "anything with SSL" regexp.



Jan Engelhardt
-- 
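
An added example, not code from this thread, from l7-filter or from Squid: the "is this SSL?" decision the reply above refers to, made on the first bytes a client writes into a CONNECT tunnel. It recognises an SSL 3.0/TLS 1.x handshake record carrying a ClientHello and the older SSLv2-style hello, and treats everything else as not SSL. The sample buffers are constructed for the example, and the function names are mine. As the quoted reply says, this tells you that a TLS handshake is starting, not what will travel inside it.

```c
/* Added example; not code from the original thread, l7-filter or Squid.
 * Classify the first bytes a client sends into a CONNECT tunnel: is it an
 * SSL/TLS ClientHello or something else?  This is the byte-level version of
 * l7-filter's "anything with SSL" match mentioned above.  The sample
 * buffers below are constructed for the example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum tunnel_kind {
    TUN_NEED_MORE = 0,  /* too few bytes to decide yet */
    TUN_TLS_HELLO,      /* SSL 3.0 / TLS 1.x record carrying a ClientHello */
    TUN_SSLV2_HELLO,    /* SSLv2-style ClientHello (2-byte length header) */
    TUN_NOT_TLS         /* anything else: cleartext HTTP, SSH, ... */
};

#define TLS_CT_HANDSHAKE     0x16
#define TLS_HT_CLIENT_HELLO  0x01
#define TLS_MAX_RECORD       16384
/* ClientHello body: version(2) random(32) session_id_len(1)
 * cipher_suites_len(2) compression_len(1) = 38 bytes at the very least */
#define TLS_MIN_CLIENT_HELLO 38

enum tunnel_kind classify_tunnel_prefix(const unsigned char *buf, size_t len)
{
    if (len < 5)
        return TUN_NEED_MORE;

    /* SSLv2-compatible hello: high bit set in the first byte marks a 2-byte
     * length header, then msg type 1 and the version the client asks for
     * (0x0002 for SSLv2, 0x0300/0x03xx for SSL3/TLS). */
    if ((buf[0] & 0x80) && buf[2] == 0x01 &&
        (buf[3] == 0x00 || buf[3] == 0x03))
        return TUN_SSLV2_HELLO;

    /* TLS record header: type(1) version(2) length(2) */
    if (buf[0] != TLS_CT_HANDSHAKE || buf[1] != 0x03 || buf[2] > 0x03)
        return TUN_NOT_TLS;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len < 4 || rec_len > TLS_MAX_RECORD)
        return TUN_NOT_TLS;         /* cannot hold a handshake header */

    /* handshake header: msg_type(1) length(3) */
    if (len < 9)
        return TUN_NEED_MORE;
    if (buf[5] != TLS_HT_CLIENT_HELLO)
        return TUN_NOT_TLS;         /* a client never starts with anything else */
    size_t hs_len = ((size_t)buf[6] << 16) | ((size_t)buf[7] << 8) | buf[8];
    if (hs_len < TLS_MIN_CLIENT_HELLO)
        return TUN_NOT_TLS;
    return TUN_TLS_HELLO;
}

const char *tunnel_kind_name(enum tunnel_kind k)
{
    switch (k) {
    case TUN_NEED_MORE:   return "need more bytes";
    case TUN_TLS_HELLO:   return "TLS ClientHello";
    case TUN_SSLV2_HELLO: return "SSLv2-style ClientHello";
    default:              return "not SSL/TLS";
    }
}

/* Constructed samples: a TLS 1.0 ClientHello, an SSLv2-compatible hello,
 * and two cleartext protocols someone might push through CONNECT host:443. */
static const unsigned char tls10_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x2b, 0x03, 0x01 };
static const unsigned char sslv2_hello[] = {
    0x80, 0x2e, 0x01, 0x03, 0x01, 0x00, 0x15, 0x00, 0x00 };
static const unsigned char http_get[] = "GET / HTTP/1.1\r\nHost: x\r\n";
static const unsigned char ssh_banner[] = "SSH-2.0-OpenSSH_4.3\r\n";

int main(void)
{
    printf("%s\n", tunnel_kind_name(classify_tunnel_prefix(tls10_hello, sizeof tls10_hello)));
    printf("%s\n", tunnel_kind_name(classify_tunnel_prefix(sslv2_hello, sizeof sslv2_hello)));
    printf("%s\n", tunnel_kind_name(classify_tunnel_prefix(http_get, sizeof http_get - 1)));
    printf("%s\n", tunnel_kind_name(classify_tunnel_prefix(ssh_banner, sizeof ssh_banner - 1)));
    return 0;
}
```

Two caveats from the thread apply. A protocol that switches to TLS only after a cleartext exchange (STARTTLS) looks like cleartext here and would be refused, and a cleartext protocol whose first byte happens to have the high bit set and whose third byte is 0x01 would pass the SSLv2 rule, so a filter facing a hostile user base should also insist on the version bytes at buf[3..4] and on a plausible record length before letting the tunnel proceed.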


[squid-users] True transparent proxying

2005-05-27 Thread Jan Engelhardt
Hi list,


so, I managed to get transparent proxying ("transparent" or "vhost") working, 
but the parent squid logs the IP of the intermediate proxy, not the client.

Can Squid3 "spoof" the IP when it connects to the parent cache? This would 
work in practice, because the network is laid out such that all packets 
have to pass through the intermediate squid.



Jan Engelhardt
-- 


[squid-users] Transparent/Accelerator

2005-05-26 Thread Jan Engelhardt
Hello list,


can anyone briefly describe the difference between the "transparent" and 
"accel" flags for the "http_port" option? (For Squid 3 (20050524))


For another thing, let's assume this simplified network topology:

bignode 10.0.0.1
  |
  +-- subgw 10.17.0.1
  |  |
  |  +-- client1 10.17.0.91
  |  +-- client2 10.17.0.92
  |
  +-- client3 10.19.0.22

All clients have bignode:3128 set as proxy, but subgw shall intercept all 
requests from its subnet 10.17.x.x and block certain URLs.

The interesting thing now is that subgw _does_ have all the important 
information[1] -- and so, does Squid3 handle this scenario?


[1] "These browsers behave differently if they are aware of a proxy..."
http://www.linuxdevcenter.com/pub/a/linux/2001/10/25/transparent_proxy.html


Regards,
Jan Engelhardt
-- 
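
An added example, not code from this thread or from Squid, of the difference footnote [1] points at, which is what lets subgw filter requests whose clients are configured for bignode:3128: a proxy-aware client puts the complete URL in the request line (absolute-form), while an intercepted client sends only the path and relies on the Host header, so an interceptor has to rebuild the URL before it can match it against a block list. The sample requests and the blocked hosts are constructed, and the helper names are mine.

```c
/* Added example; not code from this thread or from Squid.  Rebuild the URL of
 * a request whether the client was proxy-aware (absolute-form request line)
 * or intercepted (origin-form plus Host header), then match its host against
 * a block list, as subgw in the topology above would.  The sample requests
 * and the block list are constructed for the example. */
#define _POSIX_C_SOURCE 200809L   /* strcasecmp/strncasecmp */
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum req_form {
    REQ_BAD = 0,    /* unparsable, CONNECT, or origin-form without Host */
    REQ_ABSOLUTE,   /* "GET http://host/path HTTP/1.1": proxy-aware client */
    REQ_ORIGIN      /* "GET /path HTTP/1.1": intercepted or reverse-proxied */
};

/* Rebuild the URL named by a request line; host_hdr is the Host header
 * value, or NULL when the request carried none. */
enum req_form reconstruct_url(const char *request_line, const char *host_hdr,
                              char *out, size_t outsz)
{
    const char *target = strchr(request_line, ' ');
    if (!target)
        return REQ_BAD;
    target++;
    const char *end = strchr(target, ' ');
    if (!end || end == target)
        return REQ_BAD;
    int tlen = (int)(end - target);
    if (tlen > 7 && strncasecmp(target, "http://", 7) == 0) {
        snprintf(out, outsz, "%.*s", tlen, target);
        return REQ_ABSOLUTE;
    }
    if (target[0] == '/' && host_hdr && *host_hdr) {
        snprintf(out, outsz, "http://%s%.*s", host_hdr, tlen, target);
        return REQ_ORIGIN;
    }
    return REQ_BAD;     /* e.g. HTTP/1.0 client without Host: URL unknowable */
}

/* Copy the host of an http:// URL into host.  Userinfo is skipped, so the
 * decoy in "http://ok.example.com@evil.example.net/" is not taken for the
 * host; bracketed IPv6 literals are not handled here. */
static int url_host(const char *url, char *host, size_t hostsz)
{
    const char *p = strstr(url, "://");
    if (!p)
        return 0;
    p += 3;
    const char *auth_end = p + strcspn(p, "/?#");
    const char *h = p;
    for (const char *q = p; q < auth_end; q++)
        if (*q == '@')
            h = q + 1;                  /* host starts after the last '@' */
    size_t hlen = strcspn(h, ":");      /* stop at the port separator */
    if (h + hlen > auth_end)
        hlen = (size_t)(auth_end - h);
    if (hlen == 0 || hlen >= hostsz)
        return 0;
    memcpy(host, h, hlen);
    host[hlen] = '\0';
    return 1;
}

/* "example.net" matches itself and "ads.example.net", not "notexample.net". */
static int host_matches(const char *host, const char *pattern)
{
    size_t hlen = strlen(host), plen = strlen(pattern);
    if (hlen == plen)
        return strcasecmp(host, pattern) == 0;
    return hlen > plen && host[hlen - plen - 1] == '.' &&
           strcasecmp(host + (hlen - plen), pattern) == 0;
}

/* subgw's verdict on one request: 1 block, 0 pass, -1 no URL to judge.
 * A URL whose host cannot be extracted is blocked: fail closed. */
int request_blocked(const char *request_line, const char *host_hdr,
                    const char *const *blocked, size_t n)
{
    char url[512], host[256];
    if (reconstruct_url(request_line, host_hdr, url, sizeof url) == REQ_BAD)
        return -1;
    if (!url_host(url, host, sizeof host))
        return 1;
    for (size_t i = 0; i < n; i++)
        if (host_matches(host, blocked[i]))
            return 1;
    return 0;
}

static const char *const blocked_hosts[] = { "example.net", "tracker.example.org" };

int main(void)
{
    const char *reqs[][2] = {           /* request line, Host header or NULL */
        { "GET http://ads.example.net/a.gif HTTP/1.1", NULL },  /* proxy-aware */
        { "GET /index.html HTTP/1.1", "www.example.com" },        /* intercepted */
        { "GET /index.html HTTP/1.0", NULL } };                   /* no Host */
    for (size_t i = 0; i < 3; i++)
        printf("%-45s -> %d\n", reqs[i][0],
               request_blocked(reqs[i][0], reqs[i][1], blocked_hosts, 2));
    return 0;
}
```

The origin-form branch is the one an interceptor lives or dies by: without a Host header there is no URL to filter, which is why HTTP/1.0 clients and CONNECT tunnels come back as -1 rather than being silently passed. Skipping userinfo and matching hosts case-insensitively closes the two cheapest ways of dressing a blocked host up as an allowed one.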


[squid-users] domain searches from /etc/resolv.conf

2004-02-29 Thread Jan Engelhardt
Hello,


according to the FAQ 11.40, the only way to specify a suffix is to use
append_domain, and then, one can only specify one.

According to
 3. Enhance src/dns_internal.c to understand the search and domain lines from /etc/resolv.conf.
, has anyone written such a patch already?



Jan Engelhardt
--
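
An added example, not code from this thread and not from Squid's dns_internal.c, of what the quoted item asks for: parsing the domain, search and options ndots: lines of /etc/resolv.conf and producing the candidate names a resolver tries for a given host, in the order resolv(5) specifies. The resolv.conf text is constructed and the function names are mine. With two suffixes and ndots:2 the resolver tries names in an order that a single append_domain cannot reproduce.

```c
/* Added example; not code from this thread or from Squid's dns_internal.c.
 * Reads the domain/search and "options ndots:" lines of a resolv.conf and
 * lists the names a resolver would try for a hostname, in the order
 * resolv(5) gives.  The resolv.conf text below is constructed. */
#define _POSIX_C_SOURCE 200809L     /* strtok_r */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SEARCH 6
#define MAX_NAME   255

struct resolv_cfg {
    char search[MAX_SEARCH][MAX_NAME + 1];
    int  nsearch, ndots;   /* ndots: names with at least this many dots are tried bare first */
};

/* A later "domain"/"search" line replaces an earlier one, as in libc; "domain"
 * takes one name, "search" up to MAX_SEARCH.  '#' and ';' start comments. */
void parse_resolv_conf(const char *text, struct resolv_cfg *cfg)
{
    memset(cfg, 0, sizeof *cfg);
    cfg->ndots = 1;
    while (*text) {
        char line[512], *save, *w;
        size_t full = strcspn(text, "\n");
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        line[strcspn(line, "#;")] = '\0';
        text += full + (text[full] == '\n');
        char *kw = strtok_r(line, " \t", &save);
        if (!kw)
            continue;                       /* blank or comment-only line */
        int limit = !strcmp(kw, "domain") ? 1 : !strcmp(kw, "search") ? MAX_SEARCH : 0;
        if (limit) {
            cfg->nsearch = 0;
            while (cfg->nsearch < limit && (w = strtok_r(NULL, " \t", &save)))
                if (strlen(w) <= MAX_NAME)
                    strcpy(cfg->search[cfg->nsearch++], w);
        } else if (!strcmp(kw, "options")) {
            while ((w = strtok_r(NULL, " \t", &save)))
                if (!strncmp(w, "ndots:", 6))
                    cfg->ndots = atoi(w + 6);
        }                                   /* nameserver etc. ignored here */
    }
}

/* Fill names[] with the lookups to try, in order; returns how many.  A name
 * ending in '.' is absolute and gets no suffix. */
int search_candidates(const char *name, const struct resolv_cfg *cfg,
                      char names[][MAX_NAME + 1], int max)
{
    int n = 0, dots = 0;
    size_t nlen = strlen(name);
    if (nlen == 0 || nlen > MAX_NAME || max <= 0)
        return 0;
    if (name[nlen - 1] == '.') {
        snprintf(names[n++], MAX_NAME + 1, "%.*s", (int)nlen - 1, name);
        return n;
    }
    for (const char *p = name; *p; p++)
        dots += (*p == '.');
    int bare_first = dots >= cfg->ndots;    /* the resolv(5) ndots rule */
    if (bare_first)
        snprintf(names[n++], MAX_NAME + 1, "%s", name);
    for (int i = 0; i < cfg->nsearch && n < max; i++)
        if (nlen + 1 + strlen(cfg->search[i]) <= MAX_NAME)
            snprintf(names[n++], MAX_NAME + 1, "%s.%s", name, cfg->search[i]);
    if (!bare_first && n < max)
        snprintf(names[n++], MAX_NAME + 1, "%s", name);
    return n;
}

/* Constructed resolv.conf: the "domain" line is overridden by "search". */
static const char sample_resolv_conf[] =
    "# constructed for this example\n"
    "domain corp.example.org\n"
    "search lab.example.org example.org ; two suffixes\n"
    "options ndots:2 timeout:1\n";

int main(void)
{
    struct resolv_cfg cfg;
    char names[MAX_SEARCH + 1][MAX_NAME + 1];
    const char *hosts[] = { "wiki", "wpad.domain.local", "host.example.com." };
    parse_resolv_conf(sample_resolv_conf, &cfg);
    for (int i = 0; i < 3; i++) {
        int n = search_candidates(hosts[i], &cfg, names, MAX_SEARCH + 1);
        printf("%s:", hosts[i]);
        for (int j = 0; j < n; j++)
            printf(" %s", names[j]);
        printf("\n");
    }
    return 0;
}
```

A security note on the same mechanism: every suffix in the search list is a domain from which a bare name can be answered, and with ndots above one even a dotted name such as wpad.domain.local is tried with each suffix appended. A proxy that resolves client-supplied short names through a search list therefore has to trust every domain on that list, which is worth remembering before replacing append_domain with it.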