#1594 transparent proxy + accept-intercept-requests

pending
Fabian Keil
None
5
2014-08-22
2013-09-18
lsoltero
No

accept-intercepted-requests works fine when the client browser has been manually configured to use the proxy server. However, when in transparent mode (where traffic from port 80 is NATed to the proxy port) and the browser is unaware that it is being proxied, authentication requests are not done correctly and the browser displays a "this page is not available" message.

Not sure what the fix is for this if there is one.

To reproduce the error on any Linux distribution:

1. Add accept-intercepted-requests to the proxy config.
2. Execute the following iptables commands as root (where 3128 is the port the proxy is listening on):
    iptables -t nat -N natcensor
    iptables -t nat -I prerouting_rule -j natcensor
    iptables -t nat -A natcensor -p tcp --dport 80 -j REDIRECT --to-port 3128
3. Confirm that you can browse the internet while confirming that the proxy is being used by checking the logs. The browser should be in "normal" non-proxy mode.
4. Configure an upstream proxy that requires authentication.
5. Browse to a page that requires the use of the proxy.
At this point you should see the failure.
6. Change the configuration of the browser to manually use the proxy.
7. Confirm that the authentication request window pops up on the browser when using the upstream proxy.

Problem discovered using Privoxy 3.0.21 under OpenWRT.

--luis

Discussion

  • Fabian Keil
    2013-09-18

    • assigned_to: nobody --> fabiankeil
    • status: open --> pending
     
  • Fabian Keil
    2013-09-18

    Thanks for the report.

    Please provide a log excerpt as described at:
    http://www.privoxy.org/user-manual/contact.html#SUFFICIENT-INFORMATION

    My suspicion is that this isn't a Privoxy bug, but the result of the browser rejecting the authentication request for security reasons (the authentication request could have been faked by a malicious webserver), but without a logfile it's hard to tell.

    Also note that there are multiple proxy authentication schemes and it's unclear to me which one you are trying to use.

     
  • lsoltero
    2013-09-19

    tcp dump of port 80

     
    Attachments
  • lsoltero
    2013-09-19

    I have attached a TCP dump of a transparent HTTP session using Privoxy with enable-proxy-authentication-forwarding.

    You will note that Privoxy correctly passes the 407 Authentication required response back to the browser... however, the browser never responds.

    So it seems that enable-proxy-authentication-forwarding only works when the browser is configured to access the proxy. Otherwise it ignores the 407 request since it does not believe it's using an upstream proxy.

    Not sure there is anything that can be done to Privoxy other than have it do the authentication for the user. I submitted a patch that allows this in a previous bug report.

    --luis
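
A way to check a capture for the situation described in this comment, as an added example that is not part of the original thread. A client unaware of the proxy sends an origin-form request line (GET /path), while a client configured for a proxy sends an absolute-form one (GET http://host/path, RFC 7230 section 5.3), so pairing the request form with a 407 response shows whether the challenge reached a client that can answer it. The function names and sample messages are constructed for illustration.

```python
# Added illustration: sample messages are constructed, not taken from the ticket's attachments.
from urllib.parse import urlsplit


def first_line(head: str) -> str:
    """Return the first line of an HTTP message head, or raise if it is empty."""
    lines = head.splitlines()
    if not lines or not lines[0].strip():
        raise ValueError("empty HTTP message head")
    return lines[0]


def request_form(request_line: str) -> str:
    """Classify the request-target of an HTTP/1.x request line (RFC 7230 section 5.3)."""
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    method, target, _version = parts
    if method.upper() == "CONNECT":
        return "authority"  # CONNECT host:port is only sent to a configured proxy
    if target == "*":
        return "asterisk"
    if target.startswith("/"):
        return "origin"  # client believes it is talking to the web server directly
    url = urlsplit(target)
    if url.scheme and url.netloc:
        return "absolute"  # client knows it is talking to a proxy
    raise ValueError(f"unrecognised request-target: {target!r}")


def status_code(status_line: str) -> int:
    """Extract the numeric status code from an HTTP/1.x status line."""
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1])


def diagnose(request_head: str, response_head: str) -> str:
    """Say whether a 407 challenge went to a client that knows about the proxy."""
    form = request_form(first_line(request_head))
    if status_code(first_line(response_head)) != 407:
        return "no-proxy-challenge"
    if form in ("absolute", "authority"):
        return "challenge-to-proxy-aware-client"
    return "challenge-to-intercepted-client"  # the failing case in this ticket


# Constructed sample messages (headers only).
INTERCEPTED_REQUEST = "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
CONFIGURED_REQUEST = "GET http://www.example.org/index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
CHALLENGE = 'HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm="upstream"\r\n\r\n'
```
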

     
  • lsoltero
    2013-09-19

    • status: pending --> open
     
  • lsoltero
    2013-09-19

    Here is a copy of the log...

    Note that Privoxy seems to be doing everything correctly... so as stated previously I don't think that enable-proxy-authentication-forwarding can be made to work in transparent mode.

    It might be useful to add something to the help file.

    Also, please feel free to use and distribute my patch that adds username;password authentication for upstream proxies.

    Take care.

    --luis

     
  • Fabian Keil
    2013-09-20

    I agree that Privoxy seems to do everything correctly.

    I haven't tested it, but I think you should be able to use a server-header-filter to convert the Proxy-Authenticate header into a WWW-Authenticate header and a client-header-filter to convert the client's Authorization header into a Proxy-Authorization.

    The proxy authentication patch can't be committed as-is, for details see:
    https://sourceforge.net/tracker/index.php?func=detail&aid=3615021&group_id=11118&atid=311118

     
  • Fabian Keil
    2013-09-20

    • milestone: 6576532 -->
    • labels: 427303 -->
    • status: open --> pending