Many tablets and phones do not seem to understand web proxies. So not wanting to setup a full squid transparent proxy I had a look at transproxy.
While not fully understanding the code it appeared that transproxy did a fair bit of parsing the http request. All I was looking for was something that would pick up the intercepted connection and pump it through the proxy using the CONNECT method.
I disected transproxy-1.6 to get a daemon that does this which amounted to a near complete rewrite.
tproxy [ -d ] -t chroot_jail -u runas-uid -b bind-address -s bind-port -a access-ip-address/mask -x proxy:port [ -p pidfile ] -d Do not background the daemon -b ip Listen on interface/address -s port and use this port -a ip/msk when connecting to the proxy use local addresses from this range.
Routing rules for linux # Deliver proxy requiring traffic to the transparent proxy listening # on $localaddr:$port nat/PREROUTING -p tcp -s $inside -d $outside --dport 80 -j DNAT --to $localaddr:$port or -p tcp -s $inside -d $outside --dport 80 -j REDIRECT --to-port $port # Block direct access to transparent proxy mangle/PREROUTING -p tcp -s $inside -d $localaddr --dport $port -j DROP
Basically the client connect(2)s to site.com:80, the linux router's netfilter rules redirects the packet to the port the proxy listens on. The proxy using the linux specific socket call
getsockopt (client_fd, SOL_IP, SO_ORIGINAL_DST, (char *)&dest_ip, &dlen)
to retrieve the original destination (site.com) then uses the CONNECT method on the remote web proxy to connect to site.com:80. And then relay packets between the two connections.
Sources in files/
A few quick notes on using non local binds nonlocal_bind.txt to preserve the source addresses on outgoing packets.
Creative Commons CC0 http://creativecommons.org/publicdomain/zero/1.0/legalcode