Transparent Proxy using CONNECT method

Many tablets and phones do not seem to understand web proxies. So, not wanting to set up a full Squid transparent proxy, I had a look at transproxy.

While I did not fully understand the code, it appeared that transproxy did a fair bit of parsing of the HTTP request. All I was looking for was something that would pick up the intercepted connection and pump it through the proxy using the CONNECT method.

I dissected transproxy-1.6 to get a daemon that does this, which amounted to a near complete rewrite.

tproxy [ -d ] -t chroot_jail -u runas-uid -b bind-address -s bind-port
       -a access-ip-address/mask -x proxy:port [ -p pidfile ]

	-d         Do not background the daemon
	-b ip      Listen on interface/address
	-s port    and use this port
	-a ip/msk  when connecting to the proxy, use local addresses
	           from this range.

Routing rules for Linux

# Deliver proxy-requiring traffic to the transparent proxy listening
# on $localaddr:$port
nat/PREROUTING
	-p tcp -s $inside -d $outside --dport 80 -j DNAT --to $localaddr:$port
or	-p tcp -s $inside -d $outside --dport 80 -j REDIRECT --to-port $port

# Block direct access to transparent proxy
mangle/PREROUTING
	-p tcp -s $inside -d $localaddr --dport $port -j DROP

Basically the client connect(2)s to site.com:80 and the Linux router's netfilter rules redirect the packet to the port the proxy listens on. The proxy uses the Linux-specific socket call

	getsockopt (client_fd, SOL_IP, SO_ORIGINAL_DST, (char *)&dest_ip, &dlen)
	/* dest_ip is a struct sockaddr_in and dlen its size; SO_ORIGINAL_DST comes from <linux/netfilter_ipv4.h> */

to retrieve the original destination (site.com), then uses the CONNECT method on the remote web proxy to reach site.com:80, and finally relays data between the two connections.
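The three steps of that mechanism as stand-alone C helpers, written here as an added example rather than taken from the tproxy sources: recovering the original destination with SO_ORIGINAL_DST (which only works on a socket accepted from a redirected connection on Linux), building the CONNECT request, and checking the proxy's status line before any client bytes are relayed.

```c
/* Added example, not the tproxy sources. Step 1 is Linux-only. */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#ifdef __linux__
#include <linux/netfilter_ipv4.h>   /* SO_ORIGINAL_DST */
#endif

/* Step 1: recover the address the client actually connect(2)ed to before
 * the REDIRECT/DNAT rule rewrote it. Only meaningful on an accepted socket
 * that netfilter has NATed; returns 0 on success, -1 with errno set. */
int original_destination(int client_fd, struct sockaddr_in *dst)
{
#ifdef SO_ORIGINAL_DST
    socklen_t dlen = sizeof(*dst);
    return getsockopt(client_fd, SOL_IP, SO_ORIGINAL_DST, dst, &dlen);
#else
    (void)client_fd; (void)dst;
    errno = ENOTSUP;
    return -1;
#endif
}

/* Step 2: build the CONNECT request for the upstream web proxy. The
 * request-target is the bare "ip:port" authority form, so nothing from the
 * client's own HTTP request has to be parsed. Returns byte count or -1. */
int build_connect_request(const struct sockaddr_in *dst, char *buf, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &dst->sin_addr, ip, sizeof ip))
        return -1;
    int n = snprintf(buf, len, "CONNECT %s:%u HTTP/1.1\r\nHost: %s:%u\r\n\r\n",
                     ip, ntohs(dst->sin_port), ip, ntohs(dst->sin_port));
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Step 3: parse the proxy's status line; only a 2xx means the tunnel is
 * open and relaying may start. Returns the code, or -1 if malformed. */
int parse_connect_status(const char *reply)
{
    int major, minor, code;
    if (sscanf(reply, "HTTP/%d.%d %3d", &major, &minor, &code) != 3 ||
        major != 1 || code < 100 || code > 599)
        return -1;
    return code;
}
```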

Sources in files/

A few quick notes on using non-local binds to preserve the source addresses on outgoing packets are in nonlocal_bind.txt.

LICENSE
Creative Commons CC0 http://creativecommons.org/publicdomain/zero/1.0/legalcode

AUTHOR
James Sainsbury