Learn how easy it is to sync an existing GitHub or Google Code repo to a SourceForge project! See Demo

Close

#71 Blank pages with ident/transparent proxy w/o proxy set

v2.9
closed
nobody
None
5
2012-09-14
2010-11-14
Jeff D. Hanson
No

Ubuntu 10.04 (Lucid Lynx) i386
DansGuardian 2.10.1.1-1 (also 2.9.9.7 from Ubuntu 9.04 and 2.10.1.1-2 from Ubuntu 10.10)
Squid 2.7 STABLE
Ident2 1.07

When the ident authplugin is enabled only blank http pages are returned to the browser if it isn't set to use the proxy and this iptables rule is active:
iptables -t nat -A OUTPUT -p tcp ! --out-interface lo -m owner ! --uid-owner
proxy -m owner ! --uid-owner root --dport 80 -j REDIRECT --to-port 8080

If the rule is changed to redirect to squid directly the browsers work normally.
Only log entry is "Auth plugin returned error code: -3" whenever the browser is used.

Mailing list thread:
http://tech.groups.yahoo.com/group/dansguardian/message/24514

Truth table of my tests:
Browser Browser=manual proxy authplugin=ident iptables redirect Result with xxx or porn search
Firefox N N N unfiltered
Chrome N N N unfiltered
Firefox N N Y banned user: -
Chrome N N Y banned user: -
Firefox N Y N unfiltered
Chrome N Y N unfiltered
Firefox N Y Y blank page
Chrome N Y Y blank page
Firefox Y N N banned user: -
Chrome Y N N banned user: -
Firefox Y N Y banned user: -
Chrome Y N Y banned user: -
Firefox Y Y N access denied: WPLE
Chrome Y Y N access denied: WPLE
Firefox Y Y Y access denied: WPLE
Chrome Y Y Y access denied: WPLE

Discussion

  • Philip Allison
    Philip Allison
    2010-11-15

    Ident "authentication" doesn't work with a transparent proxy. The protocol works by asking the ident daemon on the client machine for the name of the user who made a particular connection. The trouble is that, with transparent proxying, the client machine hasn't made a connection to the proxy server (as far as it's concerned): it made a connection directly to a webserver, which was intercepted without its knowledge. So when the proxy server asks it "who made this connection to me?", the ident daemon has no knowledge of the connection in question.

    There is nothing that can be done to fix this. The solution, as you have already discovered, is not to use a transparent proxy. This is just one of many caveats of transparent proxies.