wheever / ProxHTTPSProxyMII

A Proxomitron SSL Helper Program, can also be used to make a HTTP proxy like Privoxy capable of filtering HTTPS.
MIT License

ProxHTTPSProxyMII transparent interception/ set socket option IP_TRANSPARENT #4

Open Strykar opened 8 years ago

Strykar commented 8 years ago

Does ProxHTTPSProxyMII support transparent proxy interception? If not, could this be added?

I've set up iptables using TPROXY as one would with Squid, but ProxHTTPSProxyMII does not see the traffic.

iptables-save -c shows that traffic is indeed intercepted and apparently sent to the port ProxHTTPSProxyMII is listening on (8079) but the console does not show it and the browser times out.

```
[825:80665] -A PREROUTING -p tcp -m socket -j DIVERT
[280:16800] -A PREROUTING -p tcp -m tcp --dport 443 -j TPROXY --on-port 8079 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
[825:80665] -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
[825:80665] -A DIVERT -j ACCEPT
```

Configuring the browser to talk HTTPS to ProxHTTPSProxyMII directly works as expected with Privoxy in the middle.

From: https://www.kernel.org/doc/Documentation/networking/tproxy.txt

Because of certain restrictions in the IPv4 routing output code you'll have to
modify your application to allow it to send datagrams _from_ non-local IP
addresses. All you have to do is enable the (SOL_IP, IP_TRANSPARENT) socket
option before calling bind:

```c
fd = socket(AF_INET, SOCK_STREAM, 0);
/* - 8< -*/
int value = 1;
setsockopt(fd, SOL_IP, IP_TRANSPARENT, &value, sizeof(value));
/* - 8< -*/
name.sin_family = AF_INET;
name.sin_port = htons(0xCAFE);
name.sin_addr.s_addr = htonl(0xDEADBEEF);
bind(fd, &name, sizeof(name));
```

A trivial patch for netcat is available here:
http://people.netfilter.org/hidden/tproxy/netcat-ip_transparent-support.patch

Please see http://wiki.squid-cache.org/Features/Tproxy4

Here's a discussion about achieving it with Python via UDP, though: http://www.unknownerror.org/opensource/suin/iptables/q/stackoverflow/10038727/python-iptables-capturing-all-udp-packets-and-their-original-destination

Another example: https://github.com/micolous/tollgate/blob/master/tollgate/captive_landing/tproxy.py
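An added Python illustration of the kernel note above; it is not code from this issue or from ProxHTTPSProxyMII (Python is chosen because that is the project's language; the function names are my own, the default port 8079 comes from the iptables rules). It shows the two things a transparent listener needs: the IP_TRANSPARENT option set before bind(), and the accepted socket's local address read back as the client's original destination.

```python
import socket

# Linux value from <linux/in.h>; older Python releases lack socket.IP_TRANSPARENT.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)
SOL_IP = getattr(socket, "SOL_IP", 0)


def tproxy_listener(host="0.0.0.0", port=8079, transparent=True, backlog=16):
    """Listening socket for TPROXY-diverted connections.

    With transparent=True the (SOL_IP, IP_TRANSPARENT) option is set before
    bind(), as the kernel note requires; this needs CAP_NET_ADMIN. Without
    it bind() still succeeds, which is why a proxy can appear to listen on
    8079 and yet never see the diverted flows.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if transparent:
        try:
            sock.setsockopt(SOL_IP, IP_TRANSPARENT, 1)
        except PermissionError:
            sock.close()
            raise PermissionError("IP_TRANSPARENT requires CAP_NET_ADMIN") from None
    sock.bind((host, port))
    sock.listen(backlog)
    return sock


def original_destination(conn):
    """Original (pre-divert) destination of an accepted connection.

    TPROXY does not rewrite packets, so the accepted socket's local address
    is what the client actually dialled (the real HTTPS origin), not the
    proxy's listen address; that is where the upstream side must connect.
    """
    host, port = conn.getsockname()[:2]
    return host, port


def connect_client(host, port):
    """Constructed test client: a plain TCP connection to the listener."""
    return socket.create_connection((host, port))


def accept_one(listener):
    """Accept one connection; return the peer's IP and its original destination."""
    conn, (client_host, _) = listener.accept()
    with conn:
        return client_host, original_destination(conn)
```

Run with transparent=True as root (or with CAP_NET_ADMIN) behind the DIVERT/TPROXY rules shown in the issue; on a plain loopback connection original_destination simply returns the listen address.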

wheever commented 8 years ago

ProxHTTPSProxyMII doesn't support transparent proxy interception, and I'm afraid I won't have time to maintain the code for a long time.

I'm not familiar with Squid but could you set Squid as the transparent proxy then set ProxHTTPSProxyMII as Squid's parent proxy?

wmyrda commented 6 years ago

> I'm not familiar with Squid but could you set Squid as the transparent proxy then set ProxHTTPSProxyMII as Squid's parent proxy?

This is exactly what I have tried to achieve and failed to do so far: https://www.prxbx.com/forums/showthread.php?tid=2172&pid=19261#pid19261 JJoe proposed to start the chain with ProxHTTPSProxyMII, which is fine if one sets up all devices to point to this proxy, but the transparent way of doing things is a much easier approach to maintain. These days just about any household device is networked: PCs, laptops, tablets, phones, DVB tuners, switches, routers, APs, TVs, network drives, and the like. Just wait and see, refrigerators & microwaves will have it too. Obviously not all of them need advert filtering, but a TPROXY addition would be quite welcome for easier maintenance.

wmyrda commented 6 years ago

Following the https://www.prxbx.com/forums/showthread.php?tid=2172&pid=19270#pid19270 example I found squid + ProxHTTPSProxyMII to work just right. The reason it did not work for me previously was that I tried to use ssl_bump instead of ssl_peek in squid, which meant additional certificate recreation.

vladns commented 4 years ago

> These days just about any household device is networked: PCs, laptops, tablets, phones, DVB tuners, switches, routers, APs, TVs, network drives, and the like. Just wait and see, refrigerators & microwaves will have it too.

It still won't work, because they will not accept a self-signed certificate. Only if you use Android OS with root and implement a self-signed certificate into it. Well, applications can in any case use their own certificate, and not one from the OS store.