[squid-users] (possibly dynamic?) multiple port forwarding in the same internal Network ...

Antony Stone Antony.Stone at squid.open.source.it
Tue May 25 12:56:02 UTC 2021


On Tuesday 25 May 2021 at 14:36:09, Albretch Mueller wrote:

> On 5/25/21, Antony Stone <Antony.Stone at squid.open.source.it> wrote:
> > On Tuesday 25 May 2021 at 07:51:21, Albretch Mueller wrote:
> >>  As part of a teaching and learning (TaL)/school software, I need squid:
> >>  
> >>  a) to detect one of the connected computers in an internal network
> >> comprising wirelessly connected and wired computers as the "master"
> >> (operated by the teacher);
> > 
> > What information is available to Squid in order to "detect" that this is
> > the "master" machine?
> 
> I think a combination of cookies,

What system generates / checks the cookies?

What URL are the cookies associated with in the browser?

> its mac address and, when both fail, authentication.

Ah, some form of authentication, where the master user has to log in to 
something, would certainly be effective.  It was just the way you used the word 
"detect" that made me think this should be some action on the part of Squid 
independently of what the master machine user was doing.

> Wouldn't that be enough?, perhaps with an extra proxy server?

Perhaps with an extra *web* server (for authentication), yes, but where would 
an extra proxy server point to?

> My main problem is that I don't want for students' boxes to be prompted for
> or trying to initiate an authentication and I don't know of a foolproof way
> of achieving that.

How about the teacher accesses a URL that the students don't know, or at least 
are not supposed to access, and it is that URL which prompts the teacher to 
authenticate?

If the students go to that URL then they will also be prompted to 
authenticate, but in general they will not.

> If possible, all students' business should be let through with squid serving
> as a transparent proxy.

That's just down to your networking configuration.

> Probably squid could cache that request as local files to the extent
> that it can and just redirect the requests of students' clients as
> references to that file using an ICAP server somehow?

So, the student asks for the Wikipedia article on Amethyst and finds that their 
browser shows them the web page the teacher is looking at instead?

I think there's no way you're going to achieve this sort of thing with the 
current popularity of SSL/TLS.

> >>  b) when that master reaches out to an outside URL, the response should
> >> be replicated in that master's and all other internal computers; but
> > 
> > What do you mean by "the response should be replicated in ... all other
> > internal computers"?
> 
>  that the initial request by the teacher should be received as a
> response by all students

Response to what?

> > Are you assuming that these computers are already running a browser,
> 
> Well, technically, I think we could assume that, why would that be
> problematic? How bad would it be if they are not running a browser,
> you could interrupt an initiated request, you could even shut down
> your computer in the middle of a download or transaction without a
> problem. Why would that be that difficult? Or, what is it exactly I am
> not getting right?

I'm asking "what application is going to receive this "response" sent by 
Squid, and be expecting it so that it can process it and display it to the 
user?"

You can't just send a chunk of HTML to a computer over the network and expect 
a browser window to suddenly appear and display it.

Aside from anything else, you have to get a TCP session going in the first 
place.

> > that they should suddenly get some (apparently) web server response via
> > Squid and display it, even though they did not make any request?
> > 
> > If so, I would say this is impossible - you can't get a computer to show
> > a response to a request it did not make.
> 
> Yes, this is what I meant, why is that so hard?

a) the client (user's computer) did not open a TCP session to anything (either 
Squid, or a web server), so it's not going to accept TCP "replies"

b) the client did not send an HTTP request to anything, so it's not going to 
accept some HTML which simply turns up on its network port

> Again, my forte is not networking, but I could see how the requested file
> could be cached and forwarded to all student boxes. Perhaps using an ICAP
> server.

You can modify a request sent from the client, or you can modify a response 
sent back from a server, but you cannot simply send a response to a machine 
which did not make a request.

> >>  c) responses to requests originating in the non master ("slave"?)
> >> ends, return to their corresponding ends;
> > 
> > So, any computer other than the "master" simply makes requests and gets
> > standard responses as usual.  Fine.
> 
> Yes, once you know the request originated in the non master machine,
> it would go back to the initiating client. Again, why would that be
> that problematic?

That is not problematic - it's fine.

> >>  d) at times the master should be able to switch off that replicating
> >> feature;
> > 
> > What times?
> 
> The teacher may decide to "privately" check out some information by
> herself without it being displayed on all students' ends or even
> concurrently open another "private" browser window.

So, the Squid proxy needs somehow to be able to identify which session or 
window the teacher is using, and react differently.  I suspect this is probably 
doable, but far from simple.

> > How?
> 
> This is what I don't know but I think (probably somewhat naively) it
> shouldn't be that hard. Again, session tracking via cookies or URL
> rewriting, maybe?

I think you are completely overlooking modern security practices here.

a) many websites use SSL/TLS - you can't just intercept the requests or 
responses and replace them with whatever you want

b) most browsers and related applications will either not support, or 
definitely warn about, cross-site scripting and foreign cookies

> > I really think you need to explain this "replicating feature" in more
> > detail (and preferably in network terms, from the point of view of the
> > software running on the master, and the software running on a non-master).
> 
> I am not a networking guy but probably you could point out to me some
> related documents explaining specifically the kinds of problematics
> around these kinds of issues.

Just look up "TCP 3-way handshake" and read any basic introduction to "client-
server connectivity" for an understanding of how an HTTP request gets made and 
the response received.

Without a request, the response will be ignored.

> > I think this request is (a) a *lot* more complicated than this, and
> > probably a lot more complicated than you think it is, and (b) in parts,
> > impossible.
> 
> I am squarely OK with "lots of complication" and as I said, you might
> not be able to completely and directly implement all aspects using
> squid, but what aspects of that integrated whole do you think are
> impossible?

Basic networking protocols, from what I understand of how you expect this to 
work.


Antony.

-- 
Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

                                                   Please reply to the list;
                                                         please *don't* CC me.
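One way to wire up the suggestion in this reply (a teacher-only URL that demands proxy authentication while students' ordinary traffic is never challenged), written as an added squid.conf fragment that is not from the thread or from the Squid project; the helper path, password file, classroom hostname and subnet are assumptions:

```squid
# Added example, not from the thread. Assumptions: basic_ncsa_auth lives at
# the path below, /etc/squid/teacher_passwd was created with htpasswd, and a
# separate web server serves the teacher console at classroom.local/teacher/.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/teacher_passwd
auth_param basic realm Teacher console
auth_param basic credentialsttl 8 hours

# Assumed classroom subnet.
acl localnet src 192.168.10.0/24
# Only this path is the "URL the students are not supposed to access".
acl teacher_console url_regex -i ^http://classroom\.local/teacher/
acl authed proxy_auth REQUIRED

# proxy_auth is consulted only for requests to the console, so a browser
# reaching it without credentials is challenged (407) and nothing else is.
http_access allow teacher_console authed
http_access deny teacher_console
# Every other request from the classroom passes without touching proxy_auth,
# so student browsers are never prompted.
http_access allow localnet
http_access deny all
```

Proxy authentication cannot be performed on intercepted (transparent) connections, so the teacher's browser must be explicitly configured to use the proxy port while the students' traffic may stay intercepted. The url_regex also only sees a plain http:// URL; for an https:// console Squid would see nothing but the CONNECT target, which is the SSL/TLS limitation Antony points out.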