Hi All,

I'm looking at implementing a transparent proxy using EventMachine and wondered if anyone else was doing any work in this area.

Thanks!

Chuck

On Jan 29, 2008 12:08 AM, Charles McKnight <cmcknight at pheonic.com> wrote:
> Hi All,
>
> I'm looking at implementing a transparent proxy using EventMachine and
> wondered if anyone else was doing any work in this area.
>

Yes. Do you have a particular protocol in mind? Proxies aren't as easy as they look. But the typical approach is to open a connection to the proxy target whenever you receive a connection from the client, and associate the two data objects until one of the two connections ends.

On Jan 29, 2008 12:08 AM, Charles McKnight <cmcknight at pheonic.com> wrote:
>> Hi All,
>>
>> I'm looking at implementing a transparent proxy using EventMachine and
>> wondered if anyone else was doing any work in this area.
>>
> Yes. Do you have a particular protocol in mind?
> Proxies aren't as easy as they look. But the typical approach is to open a
> connection to the proxy target whenever you receive a connection from the
> client, and associate the two data objects until one of the two connections
> ends.

Right now I'm looking at HTTP with the idea of being able to insert/manipulate information in the headers and body of the request and response. Sort of an experiment a la GreaseMonkey or mouseHole to see what is/isn't feasible.

BTW, I saw my post on the mailing list, but I didn't receive yours. Am I subscribed to the right mailing list?

Thanks!

Chuck

On Jan 28, 2008 9:08 PM, Charles McKnight <cmcknight at pheonic.com> wrote:
> I'm looking at implementing a transparent proxy using EventMachine and
> wondered if anyone else was doing any work in this area.

I think that true transparency (down to the IP level) will be difficult until EM has cttproxy support (even then, it will only work on Linux).

--Michael

On Jan 28, 2008 10:08 PM, Charles McKnight <cmcknight at pheonic.com> wrote:
> I'm looking at implementing a transparent proxy using EventMachine and
> wondered if anyone else was doing any work in this area.

Sure. Swiftiply is an HTTP proxy.

http://swiftiply.swiftcore.org

It works a bit differently than you would want, but the fundamentals are the same.

Kirk Haines

On Jan 29, 2008 9:26 AM, Michael S. Fischer <michael at dynamine.net> wrote:
> On Jan 28, 2008 9:08 PM, Charles McKnight <cmcknight at pheonic.com> wrote:
>
> > I'm looking at implementing a transparent proxy using EventMachine and
> > wondered if anyone else was doing any work in this area.
>
> I think that true transparency (down to the IP level) will be
> difficult until EM has cttproxy support (even then, it will only work
> on Linux).

He can be fairly transparent, but if he's dealing with http, the standard is to set an X-Forwarded-For header anyway, so full transparency isn't necessary.

Kirk Haines

On Jan 29, 2008 8:36 AM, Kirk Haines <wyhaines at gmail.com> wrote:
> On Jan 29, 2008 9:26 AM, Michael S. Fischer <michael at dynamine.net> wrote:
> > I think that true transparency (down to the IP level) will be
> > difficult until EM has cttproxy support (even then, it will only work
> > on Linux).
>
> He can be fairly transparent, but if he's dealing with http, the
> standard is to set an X-Forwarded-For header anyway, so full
> transparency isn't necessary.

The XFF header is nice but:

(1) Untrustworthy (upstream proxies can insert bogus data into the header)
(2) Not used by origin servers to determine the remote IP address
(which can then be used for analysis and ACL evaluation)

True transparency is preferable, IMHO.

Best regards,

--Michael

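Point (1) in the message above, as an added example that is not part of any post in this thread: a receiver that does read X-Forwarded-For can only rely on entries appended by proxies it operates, so it walks the list from the right and stops at the first address outside its own proxy networks. The trusted ranges, function names and sample addresses are constructed for illustration.

```ruby
require 'ipaddr'

# Assumption: networks of the proxies we operate ourselves (constructed values).
TRUSTED_PROXIES = [IPAddr.new('10.0.0.0/8'), IPAddr.new('127.0.0.1/32')].freeze

# Constructed sample: the client sent "192.0.2.1" itself; our two proxies
# then appended the addresses they actually saw on their sockets.
SAMPLE_XFF = '192.0.2.1, 203.0.113.7, 10.0.0.5'

def trusted_proxy?(addr)
  TRUSTED_PROXIES.any? { |net| net.include?(addr) }
end

# Parse one header token; nil for anything that is not a plain IP literal.
def parse_hop(token)
  token = token.strip
  return nil if token.empty? || token.include?('/')
  IPAddr.new(token)
rescue IPAddr::Error
  nil
end

# peer_ip is the socket's remote address, which a header cannot forge.
# xff is the raw X-Forwarded-For value (may be nil).
def client_ip(peer_ip, xff)
  peer = IPAddr.new(peer_ip)
  # An untrusted peer talking to us directly: ignore any header it supplied.
  return peer.to_s unless trusted_proxy?(peer)

  candidate = peer
  # Right to left: every entry appended by one of our proxies is reliable.
  xff.to_s.split(',').map { |t| parse_hop(t) }.reverse_each do |hop|
    break if hop.nil?                 # malformed entry: stop, keep last good hop
    candidate = hop
    break unless trusted_proxy?(hop)  # first outside address is the client
  end
  candidate.to_s
end

# What a naive consumer does: believe the leftmost (client-controlled) entry.
def naive_client_ip(xff)
  xff.to_s.split(',').first.to_s.strip
end

if $PROGRAM_NAME == __FILE__
  puts "naive:      #{naive_client_ip(SAMPLE_XFF)}"
  puts "right-walk: #{client_ip('10.0.0.9', SAMPLE_XFF)}"
end
```
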
On Jan 29, 2008 11:11 AM, Michael S. Fischer <michael at dynamine.net> wrote:
>
> The XFF header is nice but:
>
> (1) Untrustworthy (upstream proxies can insert bogus data into the header)
> (2) Not used by origin servers to determine the remote IP address
> (which can then be used for analysis and ACL evaluation)
>
> True transparency is preferable, IMHO.
>
> Best regards,

Sure. As you yourself point out, though, true transparency is

1) Not currently possible.
2) When possible, not portable.

So one is left with not-quite-transparent HTTP proxies with XFF.

Kirk Haines

For what it's worth, the transparent proxy would only be used on Linux / OS X / *BSD / Solaris.

I agree that true transparency would be ideal, I'm just not sure how to get there yet. :-)

Kirk Haines wrote:
> On Jan 29, 2008 11:11 AM, Michael S. Fischer <michael at dynamine.net> wrote:
>
>> The XFF header is nice but:
>>
>> (1) Untrustworthy (upstream proxies can insert bogus data into the header)
>> (2) Not used by origin servers to determine the remote IP address
>> (which can then be used for analysis and ACL evaluation)
>>
>> True transparency is preferable, IMHO.
>>
>> Best regards,
>>
>
> Sure. As you yourself point out, though, true transparency is
>
> 1) Not currently possible.
> 2) When possible, not portable.
>
> So one is left with not-quite-transparent HTTP proxies with XFF.
>
>
> Kirk Haines
> _______________________________________________
> Eventmachine-talk mailing list
> Eventmachine-talk at rubyforge.org
> http://rubyforge.org/mailman/listinfo/eventmachine-talk
>

On Jan 29, 2008 2:50 PM, Charles McKnight <cmcknight at pheonic.com> wrote:
> For what it's worth, the transparent proxy would only be used on Linux /
> OS X / *BSD / Solaris.
>
> I agree that true transparency would be ideal, I'm just not sure how to
> get there yet. :-)
>
>

Forward proxy or reverse proxy? Are you using some kind of transparent bridge that can do the IP-address spoofing?

Hi Francis,

I am looking at a forward proxy. I am not planning on any additional systems doing IP spoofing (at least not at this point).

Thanks,

Chuck

Sent from my iPhone

On Jan 29, 2008, at 8:32 PM, "Francis Cianfrocca" <garbagecat10 at gmail.com> wrote:
> On Jan 29, 2008 2:50 PM, Charles McKnight <cmcknight at pheonic.com> wrote:
> For what it's worth, the transparent proxy would only be used on Linux /
> OS X / *BSD / Solaris.
>
> I agree that true transparency would be ideal, I'm just not sure how to
> get there yet. :-)
>
>
>
> Forward proxy or reverse proxy? Are you using some kind of
> transparent bridge that can do the IP-address spoofing?