[squid-users] Client IP spoofing via squid proxy

Amos Jeffries squid3 at treenet.co.nz
Mon May 11 13:06:26 UTC 2015


On 11/05/2015 11:27 p.m., Ambadas Hibare wrote:
> Hi,
> 
> The problem is many clients are already preconfigured with proxy ip/port settings due to previous setup.
> 

huh? your "problem" is that clients are set up correctly?

TPROXY and NAT interception (aka. hijacking attack on users) are the
*hacked workaround* way to do proxying when one has no better choices
due to broken UA implementation or configuration.

It also has nothing to do with the Squid->server connections.

So I ask again, why do you say you are required to perform IP spoofing
(aka. forgery of users identification details) on outbound server
connections?

I think that you or someone setting the requirements is mistaken about
what is needed. Possibly even mistaken about what some problem is.

...

Clients which *are* configured to use a proxy explicitly can continue
to use Squid as that proxy. If the proxy receiving IP or domain has
changed, the traffic can be NAT'ed to the new proxy with no need to
change anything - not even configure Squid with "intercept" flags.


Clients which are *not* configured to use the proxy, but needing to be
gatewayed through it need to be TPROXY or NAT intercepted. But only as
per common "normal" client connection interception.

In both cases the server connections will "just work" when proxied
without TPROXY spoofing. If TPROXY spoofing is performed the routing
needs special configuration we have been over already.


> If you don’t mind, may I know like its squid's feature, or the Linux OS feature, which doesn’t do transparency only towards web server?
> 

Both. The OS restrictions more than Squid. And legal restrictions in
many places.

Consider that your workplace might need a guard to see your passport or
similar form of private ID to purchase some service for you. Is it legal
(and right) for that guard to photocopy it, then use it as their own
name/ID to do some things of their choosing?

Compare that to a Guard who does the same copying, but uses it saying to
the service provider "I come representing the person identified by this
token".

Amos


