[OpenWrt-Users] Using external Proxy with Iptables
Jakob
2013-05-18 09:49:47 UTC
Hey Folks,

I would like to use an external proxy (not in the local network) for
HTTP(S)-traffic, but the example doesn't work.

http://wiki.openwrt.org/doc/uci/firewall#transparent.proxy.rule.external

Entering http://www.heise.de/netze/tools/meine-ip-adresse/ , squid/3.1.6
replied:

ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the
URL: /netze/tools/meine-ip-adresse/
Invalid URL
Some aspect of the requested URL is incorrect.
Some possible problems are:
Missing or incorrect access protocol (should be http:// or similar)
Missing hostname
Illegal double-escape in the URL-Path
Illegal character in hostname; underscores are not allowed.

Where is the system losing the destination hostname, and why?

If the example worked, it would be impossible to access the router
via the web interface. I know that there must be another rule, but I'm at
the very beginning with iptables.

The router is a Linksys wrt54gl with Backfire (10.03.1, r29592)

Regards
Jakob
Simon Iremonger (wiltslug)
2013-05-18 10:12:10 UTC
Post by Jakob
I would like to use an external proxy (not in the local network)
for HTTP(S)-traffic, but the example doesn't work.
http://wiki.openwrt.org/doc/uci/firewall#transparent.proxy.rule.external
ERROR The following error was encountered while trying to retrieve
the URL: /netze/tools/meine-ip-adresse/ Invalid URL Where is the
system losing the destination hostname, and why?
Squid isn't expecting to get only the path part of the URL,
it is expecting a full URL in the request. It is not
configured for "accepting" transparent-proxy-requests.
You need to change your squid3.conf....


It needs "http_port 3128" or similar changed to
"http_port 3128 transparent"

So that squid3 knows to expect transparent-proxy-requests ...


--Simon
Jakob
2013-05-18 10:21:48 UTC
Hi Simon,

thanks a lot.

I have to drop this project, because I don't have any permissions on the
proxy. There is only a proxy.pac by the provider to embed in Firefox.

Is there another possibility to use this proxy via openwrt?

Jakob
_______________________________________________
openwrt-users mailing list
openwrt-users at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-users
Simon Iremonger (wiltslug)
2013-05-18 10:44:32 UTC
Post by Jakob
I have to drop this project, because I don't have any permissions on
the proxy. There is only a proxy.pac by the provider to embed in
Firefox. Is there another possibility to use this proxy via
openwrt?
Since OpenWRT (10.03.1 and 12.09) has 'squid' package...

IF your router-gadget has enough memory...
You could in theory run a very small squid, configured
with no stores and minimal memory cache,
configured in such a way so as to send all requests
via a parent cache... If you do this right it doesn't
do any DNS lookups etc. itself.
IIRC it's something along the lines of using
"always_direct" etc etc... having configured
parent via sibling or what-have-you.

That way, your own squid on the router CAN be in
'transparent' mode for 3128-listening but it
then sends requests in proxy-proxy type way
through the upstream proxy =).


--Simon
Jakob
2013-05-19 22:18:05 UTC
Hi Simon,

thanks a lot!
Post by Simon Iremonger (wiltslug)
Since OpenWRT (10.03.1 and 12.09) has 'squid' package...
But not for devices with brcm-2.4 and 12.09, like this device. I'll try to
compile my own package, but today it won't work.
Post by Simon Iremonger (wiltslug)
IF your router-gadget has enough memory...
You could in theory run a very small squid, configured
with no stores and minimal memory cache,
configured in such a way so as to send all requests
via a parent cache... If you do this right it doesn't
do any DNS lookups etc. itself.
IIRC it's something along the lines of using
"always_direct" etc etc... having configured
parent via sibling or what-have-you.
That way, your own squid on the router CAN be in
'transparent' mode for 3128-listening but it
then sends requests in proxy-proxy type way
through the upstream proxy =).
Do you think that other proxies like tinyproxy would work instead?

Best regards
Jakob
Simon Iremonger (wiltslug)
2013-05-20 08:29:57 UTC
Post by Jakob
Do you think that other proxies like tinyproxy would work instead?
Jakob
If tinyproxy can receive 'transparent' proxy connections, and
can be configured to send all requests via an upstream
proxy... Then yes =).

A quick install of tinyproxy 1.8.1 to test shows that:-

$ telnet localhost 8888
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0
HOST: www.debian.org

WORKS... I.e. it accepts transparent-style-proxy as well.
It clearly has parameters like "upstream" in the tinyproxy.conf
-- i.e. to tell tinyproxy "please send via this upstream
proxy". Hopefully, when doing that, it converts the URL
in the request so it actually looks like
GET http://www.debian.org/ HTTP/1.0
[i.e. {browser/proxy}-proxy style].


It looks like Openwrt has a copy of tinyproxy package built
for you so you ought to be able to get that to work I would
think... You just setup the DNAT redirect to redirect to
the lan-side-IP of the router, probably. Maybe you can
tell it to DNAT to 127.0.0.1, I'm not sure if that works.

Let us know what you work out, I'd be interested to know.
Write me off-list with clear copy of notes/logs if you
want more detailed discussion of proxy config/debugging.


--Simon
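The request-line conversion Simon describes above (origin-form "GET / HTTP/1.0" plus a Host header, as a DNAT'd browser sends it, versus the absolute "GET http://host/ HTTP/1.0" an upstream proxy expects) as an added, self-contained example that is not from the thread or from tinyproxy; it also shows why a request that lacks a Host header cannot be repaired, which is the "Missing hostname" case Squid reported. The sample request is constructed.

```python
# Added example (not from the thread): rebuild the absolute URL that an
# upstream proxy expects from a transparently redirected request.
# A browser talking to the origin server sends "GET /path HTTP/1.0" plus a
# Host header; a browser/proxy-style request carries the full URL in the
# request line. A proxy not configured for transparent mode sees only the
# path, which is the "Invalid URL" error in the first message of the thread.

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return method, target, version, headers


def to_absolute_form(raw: bytes) -> bytes:
    """Rewrite an origin-form request into the absolute-form request an
    upstream proxy requires. Requests that already carry an absolute URL,
    and CONNECT requests (whose target is host:port), pass through unchanged.
    A request with only a path and no Host header cannot be repaired."""
    method, target, version, headers = parse_request(raw)
    if target.startswith("http://") or target.startswith("https://"):
        return raw  # already browser/proxy style
    if method == "CONNECT":
        return raw
    host = headers.get("host")
    if not host:
        raise ValueError("Invalid URL: missing hostname (no Host header)")
    if not target.startswith("/"):
        raise ValueError("Invalid URL: request-target is not a path")
    # Only the request line changes; all headers are forwarded as received.
    rest = raw.split(b"\r\n", 1)[1]
    new_line = f"{method} http://{host}{target} {version}".encode("iso-8859-1")
    return new_line + b"\r\n" + rest


# Constructed sample, the same shape as the telnet session quoted above.
SAMPLE = b"GET / HTTP/1.0\r\nHOST: www.debian.org\r\n\r\n"
```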
Jakob
2013-05-25 07:12:20 UTC
Hey folks,

the problem is solved:

/etc/config/tinyproxy

config upstream
	option type proxy
	option via www-proxy1.[...].de:3128

/etc/config/firewall

config redirect
	option src lan
	option proto tcp
	option src_dport 81   # to access the router via browser
	option dest_port 80
	option dest_ip 192.168.1.1

config redirect
	option src lan
	option proto tcp
	option src_dport 80
	option dest_port 8888
	option dest_ip 192.168.1.1

I have to thank Simon for his help.

Kind regards
Jakob
