Transparent proxy - Rewrite rules can someone please explain?!

Network_geeking · July 11, 2010, 3:43pm

Hello All,

I have one question related to apache2 rewrite rule.

In my network setup, I have one firewall and behind this firewall I have my private network (192.168.x.x network). I have one proxy server connected to my firewall. I redirected all http traffic from my private network to the proxy server on the firewall (in order to avoid the proxy configuration on each client (transparent proxying)). The proxy server then establishes a connection with the desired webserver and transfers the contents of the website to the client.

When I enable the proxy on the clients individually and start wireshark to capture the traffic,

I could see in wireshark under URI
(With the proxy enabled)
Request URI: http://www.mydomainexample.com/

and it works out (for the testing purpose, I have one webserver which simulates the domain name above in my virtual public network)

But when I disable the proxy on the clients and see what happens in wireshark
I could see
(without the proxy enabled)
Request URI: /

and it says on my client’s browser, no / folder was found at apache2 … etc…

Can please somebody explain why it does not work without proxy configuration on the client explicitly? I know that / is not known resource on the proxy server and therefore the proxy server itself says to the client that it does not have / folder. But can somebody please explain in a more detailed way what exactly happens?
I really appreciate the help.

And by having searched in google, I found the following script

(…)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteLog /var/log/apache2/rewrite.log
RewriteLogLevel 9

 # if a REQUEST_URI starts with a / then do the rewrite
 RewriteCond %{REQUEST_URI} ^/
 
 # alter the GET /... to GET http://host/... so it is treated as
 # a proxy request, and then forward it to mod_proxy immediately
 RewriteRule (.*) http://%{HTTP_HOST}$1 [P]

</IfModule>
(…)

I used this script. It works now without any proxy configuration on the clients. I know that the proxy server rewrites the URI in some way so that it also proxies the request to the required webserver and transfers the content to the client back.

But why should we need this script? Why is the proxy server still not able to understand the http request from the client and gets the website when the firewall redirects all http traffic to the proxy?

I will appreciate any kind of help.

Thanks a million! rotfl!

ken_yap · July 11, 2010, 4:24pm

When you turn on the proxy setting in the browser, the browser knows to send the full URL instead of the relative URL in the HTTP request.

In a transparent proxy situation, the URL sent is relative since the browser is supposed to be ignorant that there is a proxy. But all is not lost. HTTP/1.1 requires that the browser always send a Host: line. With these two pieces of information, the proxy can contact the right server. However the proxy must be configured to do this, there is a setting in squid to make it a transparent proxy (the technical term is interception proxy) and there probably should be one in the YaST config.

This has nothing to do with rewrite rules in Apache, it’s squid that does the proxying. Apache can also do proxying, but it’s not as good as squid and I know little about Apache as an interception proxy.

Network_geeking · July 11, 2010, 5:15pm

Thanks for the reply. I know that squid does the same thing. But apache can also be used for the same purpose, namely using the mod_proxy module from the apache. I do not understand why the client sends the relative URL in the http request. Is URL(Unified resource locater) directly related to URI (Unified resource identifier)?

ken_yap · July 11, 2010, 6:07pm

All web browsers send the relative portion when not using a proxy.

Don’t get tangled with the URL/URI terminology. The relative portion I mean is the part after the hostname and any optional port. For example, with the URL:

http://www.example.com/index.html

the relative portion is /index.html

Maybe if you explained what you are trying to do, you might get a more useful answer. I suspect you are trying to address a local webserver using the external URL.

DenverD · July 11, 2010, 6:30pm

ken yap wrote:

@ken_yap…i tried to send you a PM but you don’t accept
those…please help the guy at
http://forums.opensuse.org/showthread.php?t=441735
in applications…he didn’t realize it is a networking issue…(which
i can’t answer)

–
Enjoy Packman’s benefits? Show your appreciation by donating at
http://se.unixheads.org/?donate

DenverD
CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]