[sllug-members]: Transparent Proxy Log Files

Knight Walker kwalker at kobran.org
Mon Nov 13 20:32:03 MST 2006 

On Mon, 2006-11-13 at 09:22 -0700, Mike Potter wrote:
> I have a OpenWRT router with IPTables set up to route all http traffic though 
> another box running tinyproxy and dansguardian using the transparent proxy setup 
> found on http://tldp.org/HOWTO/TransparentProxy-6.html.  It works... 
> sometimes... but seems to be buggy. I also hate the fact that all my logs now 
> show the IP Address of the router instead of the actual client.

Okay, are you using the first or second method on that page?

> 1 - Is the transparent proxy the best way to force all traffic through the 
> proxy/filter or are there better ways to accomplish this task?

As outlined, I would have to say yes.  A transparent web proxy means you
don't have to reconfigure everything each time a device moves, it's
always automatically handled for you.  There are a couple of things you
might want to do though.

> 2 - Is there any way with transparent proxy to still show the client IP Address 
> in the log files?

I assume you mean on the server outside the proxy? No.  Side effect of
using a proxy (Even a transparent one) is that all the far server sees
is the IP address of the proxy, as it is standing-in for all the
clients.  It still passes all headers, including user agent (unless you
told it otherwise), so you can kind of figure out which is which
OS-wise, and some proxies will pass along a "proxying for" address.

There is one way to get the client's IP address to show up on the
server, but that requires configuring the router to NOT redirect the we
request to the proxy and instead pass it along to the selected far
server.  Defeats the purpose of having a proxy though.

> 3 - I tried setting up an automatic proxy settings file, and it works... 
> sometimes...

I don't bother with these since they're not as reliable as forcing all
traffic on port 80 to go through the proxy (With some exceptions).

> 4 - Without debating if access in my home should be filtered, are there better 
> ways to filter access for a family than dansguardian with multiple computers, 
> and OS's? (Currently I have windoze, OS X, and Linux)

The way I've done it is with IPTables and SQUID following Method 2
pretty strictly and it worked for us until some faulty piece of
corporate software filled up my log files with web requests every five
seconds.  The SQUID proxy was a little 233MHz recycled Gateway 2000 with
64MB RAM, the router was another one, and it handled all the traffic on
a T1 pretty well.

> 5 - Finally, a little off-topic, but I want to keep track (log??) other types 
> off internet usage in my home like chatting or other programs. Do I need another 
> proxy for other internet access that logs and gives me access control lists? 
> What's the best way to go here?

I myself am interested in something that can keep track of IMs, to keep
the teenager honest, but I haven't found anything yet.  I've heard of
something for AIM, but he doesn't use that, so it's no help for me.

-KW

More information about the sllug-members mailing list