Mast Kalandar

bandar's colander of random jamun aur aam

Tue, 19 Aug 2003


Proxying http and ftp

Tags: http, lg

Standard Web connection

There are usually two parties to an http/ftp connection: the client and the server. In the case of http the client opens a connection to port 80 on the server and the server responds. In the case of ftp the client opens a connection to port 21 for communicating commands. In addition, a separate connection on port 20 is made for data.

Enter squid

Now most http clients can be configured to use a "proxy" for the http/ftp connection. The proxy is usually specified as a host name and port number; the client connects to that host at that port and makes a proxy http request. Proxy requests can be made for any protocol which the proxy server supports (in the case of squid this includes http and ftp). The proxy server then takes care of making the actual connection to the server and transferring the data.

Enter iptables

Quite often we do not want to configure all the clients. So we want a "transparent proxy"; since such a service is not a part of the standard HTTP protocol, some tricks are required to make it work. First of all, iptables redirects all connections from clients directed at any host with destination port 80 to the squid program. The squid program has to be configured to expect clients to make regular (non-proxy) requests to it for all kinds of hosts (not just itself). From the actual host info sent to it (by the browser and by iptables) squid can usually figure out how to make the http connection correctly (but in fact not always!).

It should by now be obvious that, in either case, squid cannot make "regular" ftp connections in the sense in which an ftp client expects them.

When squid is alone (without iptables) it can only serve as an ftp proxy for clients that can speak the http-proxy protocol for an ftp request: in other words most browsers, but not most ftp clients.

When squid is used with iptables, there is no way for it to figure out how to make the "correct" ftp connection even if iptables were to redirect the ftp connection to it, since (and this is important) the client is now not speaking the http protocol at all but is speaking the ftp protocol!
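The three situations above, as an added example that is not squid's code or part of the original post: a small proxy-side resolver that works out where to connect from the client's opening bytes. The request samples are constructed, and `orig_dst` stands for the address/port that iptables redirected, which a real proxy recovers from the socket; `squid` itself does this differently and with many more cases.

```python
# Added example: where a proxy can (and cannot) learn the origin server from.
from urllib.parse import urlsplit

def parse_request(raw: bytes):
    """Split a client's opening bytes into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        # An ftp client never sends an HTTP request line (in fact it usually
        # waits for the server's 220 greeting and sends nothing at all).
        raise ValueError("not an HTTP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers

def resolve_origin(raw: bytes, orig_dst=None):
    """Return (scheme, host, port) the proxy should connect to, or raise."""
    method, target, version, headers = parse_request(raw)
    if "://" in target:
        # Proxy-style request: the client put the whole URL on the request
        # line, so http *and* ftp origins are known (squid without iptables).
        u = urlsplit(target)
        return u.scheme, u.hostname, u.port or (21 if u.scheme == "ftp" else 80)
    # Intercepted (transparent) request: only a path is present, so the
    # origin must come from the Host header sent by the browser ...
    if "host" in headers:
        host, _, port = headers["host"].partition(":")
        return "http", host, int(port) if port else 80
    # ... or, for HTTP/1.0 clients that send no Host, from the destination
    # that iptables redirected (this is the "not always" case in the post).
    if orig_dst is not None:
        return "http", orig_dst[0], orig_dst[1]
    raise ValueError("cannot determine origin: no Host header, no original destination")

# Constructed samples for the cases discussed above.
PROXY_FTP = b"GET ftp://ftp.example.org/pub/README HTTP/1.0\r\n\r\n"       # browser via proxy
INTERCEPT_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"  # redirected by iptables
INTERCEPT_OLD = b"GET /index.html HTTP/1.0\r\n\r\n"                          # redirected, no Host
INTERCEPT_FTP = b"USER anonymous\r\n"                                        # redirected ftp client
```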

It isn't an optical illusion. It just looks like one.

