Ghita

Reputation: 4505

intercepting http proxy - disadvantages compared to a normal proxy

I would like to know how "realistic" it is to consider implementing an intercepting proxy (with cache support) for the purpose of web filtering. I would also like to support IPv6, authentication of clients and caching.

Reading the list of disadvantages from the Squid wiki http://wiki.squid-cache.org/SquidFaq/InterceptionProxy (Squid implements an intercepting proxy), it mentions some things to consider as disadvantages when using it (that I want to clarify):

  1. Requires IPv4 with NAT - proxy interception does not support IPv6, why?
  2. It causes path-MTU discovery (PMTUD) to possibly fail - why?
  3. Proxy authentication does not work - the client thinks it's talking directly to the originating server; is there a way to do authentication in this case?
  4. Interception caching only supports the HTTP protocol, not gopher, SSL, or FTP. You cannot set up a redirection rule to the proxy server for protocols other than HTTP since it will not know how to deal with them - This seems quite plausible, as the way traffic is redirected to the proxy in this case is by a firewall changing the destination address of a packet from the originating server to the proxy's own address (Destination NAT). How would I, in this case, if I want to intercept other protocols besides HTTP, know where the connection was intended to go so I can relay it to that destination?

Upvotes: 1

Views: 1278

Answers (1)

EdwardH

Reputation: 1573

  1. Traffic may be intercepted in many ways. It does not necessarily need to use NAT (which is not supported in IPv6). A transparent interception will surely not use NAT, for example (transparent in the sense that the proxy will not generate requests with its own address but with the client address, spoofing the IP address).

  2. PMTUD is used to detect the largest MTU size available in the path between the client and server and vice versa; it is useful for avoiding fragmentation of IP packets on the path between the client and server. When you use a proxy in the middle, even if the MTU is detected, it is not necessarily the same as the one from the client to the proxy and from the proxy to the server. But this is not always relevant; it depends on what traffic is being served and how the proxy is behaving.

  3. If the proxy is authenticating on the client's behalf, it needs to be aware of the authentication method, and it will probably need some cookies that exist in the client. Think of it this way... If a proxy can authenticate an access to a restricted resource on your behalf, it means anyone can do it on your behalf, and the purpose of good authentication is to protect you from such possibilities.

  4. I guess this was a very old post from the Squid guys, but the technology exists to redirect anything you want to a specific server. One simple way to do it is by placing your server as the default gateway for the network; then all packets pass through it and you can redirect the packets you like to your application (or another server). And you are not limited to HTTP, BUT you are limited to the way the application protocol works.

Upvotes: 1
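The question's fourth point (how a proxy behind Destination NAT learns where the connection was originally headed) is the part that can be shown in code. The following Python is an added example, not code from the question, the answer, or the Squid project. It assumes Linux netfilter REDIRECT/DNAT, whose kernel keeps the pre-NAT destination and exposes it through the `SO_ORIGINAL_DST` socket option (value 80 in `linux/netfilter_ipv4.h`), and it treats the HTTP/1.1 `Host` header as the only application-level fallback. The helper names (`parse_sockaddr_in`, `original_destination`, `host_header`, `choose_upstream`) and the sample request and addresses are constructed for the example; the policy of connecting to the layer-3 destination the client actually addressed, and flagging a `Host` that does not resolve to it, is one defensive choice, not the only one.

```python
"""
Recover where an intercepted HTTP connection was originally headed.

Behind destination NAT the accepted socket only shows the proxy's own
address, so two sources of the intended destination remain: the kernel's
pre-NAT record (Linux SO_ORIGINAL_DST) and, for HTTP/1.1, the Host header.
This example parses both and decides which one the proxy should trust.
"""
import socket
import struct

# From <linux/netfilter_ipv4.h>; Python's socket module does not export it.
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(raw):
    """Parse the 16-byte struct sockaddr_in that SO_ORIGINAL_DST returns.

    Linux layout: sa_family (2 bytes, host order), sin_port (2 bytes,
    network order), sin_addr (4 bytes, network order), 8 bytes of padding.
    Returns (ip, port); raises ValueError for short buffers or non-IPv4.
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    (family,) = struct.unpack_from("=H", raw, 0)
    if family != socket.AF_INET:
        # IPv6 interception would need a sockaddr_in6 and a different option;
        # deliberately out of scope here.
        raise ValueError("unexpected address family %d" % family)
    (port,) = struct.unpack_from("!H", raw, 2)
    return socket.inet_ntoa(raw[4:8]), port


def original_destination(conn):
    """Ask the kernel for the pre-NAT destination of an accepted TCP socket.

    Only meaningful on Linux when a netfilter REDIRECT/DNAT rule diverted
    the connection; elsewhere getsockopt fails and None is returned.
    """
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return None
    return parse_sockaddr_in(raw)


def host_header(request_head):
    """Return (host, port) from the Host header of an HTTP/1.x request head.

    `request_head` is the request bytes up to the blank line. Returns None
    when no Host header is present (an HTTP/1.0 client may omit it).
    """
    head = request_head.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            value = value.strip().decode("ascii", "replace")
            host, _, port = value.rpartition(":")
            if host and port.isdigit():  # e.g. "www.example.test:8080"
                return host, int(port)
            return value, 80
    return None


def choose_upstream(orig_dst, hdr, resolve=None):
    """Pick the upstream (ip_or_host, port) and a note for the proxy log.

    Policy: the layer-3 destination the client actually addressed wins; the
    Host header is only used for the request line and cache key. When a
    resolver is supplied, a Host that does not resolve to the intercepted
    address is reported so the operator can see clients that try to reach
    an arbitrary host through the interception rule.
    """
    if orig_dst is None and hdr is None:
        return None, "no destination information; refuse the request"
    if orig_dst is None:
        return hdr, "no SO_ORIGINAL_DST available; falling back to Host header"
    if hdr is not None:
        if hdr[1] != orig_dst[1]:
            return orig_dst, "Host port %d differs from intercepted port %d" % (hdr[1], orig_dst[1])
        if resolve is not None and orig_dst[0] not in resolve(hdr[0]):
            return orig_dst, "Host %s does not resolve to intercepted address %s" % (hdr[0], orig_dst[0])
    return orig_dst, "ok"


# Constructed sample input: what the kernel would hand back for a client
# that addressed 192.0.2.10:80, plus the request head it then sent.
SAMPLE_ORIGINAL_DST = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 80)
                       + socket.inet_aton("192.0.2.10") + bytes(8))
SAMPLE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: demo\r\n\r\n"


def demo(resolve=lambda host: ["192.0.2.10"]):
    """Run the whole decision on the constructed sample; resolver is injectable."""
    orig = parse_sockaddr_in(SAMPLE_ORIGINAL_DST)
    return choose_upstream(orig, host_header(SAMPLE_REQUEST), resolve)


if __name__ == "__main__":
    print(demo())  # (('192.0.2.10', 80), 'ok')
```

In a real proxy `original_destination(conn)` replaces the constructed buffer, and `resolve` would be the proxy's own DNS lookup; the default lambda exists only so the example runs offline. Recording the note string with every request is the detection hook: a steady stream of "does not resolve" entries from one client is the pattern an operator would want to see.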
