The program is used in conjunction with the FreeBSD (ipfw, ipnat) or Linux transparent proxy feature (ipfwadm, ipchains, iptables), to transparently proxy HTTP requests.
The latest version, along with historical versions, of this package will always be at the follwing URL http://sourceforge.net/projects/transproxy/ with a name like transproxy-x.x.tgz.
Take for example the network configuration of a FreeBSD or Linux box acting as a dialin server (or terminal server), and another FreeBSD or Linux box acting as a Squid (or any other) proxy cache. Normally users would have to configure their browser to access the proxy. This transparent proxy will automatically intercept HTTP accesses and re-direct them to the Squid (or any other) proxy server. The users need not even know that a proxy is being used, it's that transparent.
Just type 'make' no configuration in the source is needed. It's written in ANSI C using the portable Berkeley sockets interface so it should compile on 99.9% of machine without change.
Just type 'make install' to install the binary and man page. Then choose either one of 'Inetd Installation' or 'Standalone Server'.
For a low volume application, using inetd to start the proxy is very simple. The installation places the proxy on port 81, just above the normal HTTP port. Just follow these steps.
tproxy 81/tcp # Transparent Proxy
tproxy stream tcp nowait nobody /usr/sbin/tcpd tproxy <your-proxy-server> 8080This tells inetd to accept requests on port 81, and the transparent proxy server to pass these on to the host 'proxy' at port 8080.
For high volume applications it's best to install the server as a standalone server. This prevents inetd having to start a new process for ever new request. Just follow these steps.
tproxy -s 81 -r nobody <your-proxy-server> 8080This tells the transparent proxy server to accept requests on port 81 and to pass these on to the host 'proxy' at port 8080.
You need FreeBSD 3.0 or higher, a 2.2.x doesn't have the required features.
I suggest you use ipfw as ipnat imposes a much higher overhead.
Add 2 filter entries like below:
# ipfw add 1000 allow tcp from <this-host> to any 80 # ipfw add 1010 fwd <your-proxy-server>,81 tcp from any to any 80
To make HTTP requests get proxied transparently, ipfwadm, ipchains, or iptables filter rules must be put in place to pass HTTP requests to the proxy that would normally pass through to the outside world. Also the Linux kernel must be compiled with the TRANSPARENT_PROXY feature enabled. You only get asked about this feature if you have requested to be prompted about EXPERIMENTAL things.
If the dialin server (terminal server) host is not running a httpd on port 80, then the ipfwadm, ipchains, or iptables rules are different to when it is.
Example when a httpd is running on port 80.
# ipfwadm -I -a accept -P tcp -D localhost 80 # ipfwadm -I -a accept -P tcp -D <ip of local network>/<bits-in-net> 80 # ipfwadm -I -a accept -P tcp -D 0.0.0.0/0 80 -r 81 or # ipchains -A input -p tcp -d localhost 80 -j ACCEPT # ipchains -A input -p tcp -d <ip of local network>/<bits-in-net> 80 -j ACCEPT # ipchains -A input -p tcp -d 0.0.0.0/0 80 -j REDIRECT 81 or # iptables -t nat -A PREROUTING -p tcp -d localhost --dport 80 -j ACCEPT # iptables -t nat -A PREROUTING -p tcp -d/ --dport 80 -j ACCEPT # iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 81
If no httpd is running on the local network you may want to reject connections quickly instead of accepting them.
# ipfwadm -I -a reject -P tcp -D localhost 80 # ipfwadm -I -a reject -P tcp -D <ip of local network>/<bits-in-net> 80 # ipfwadm -I -a accept -P tcp -D 0.0.0.0/0 80 -r 81 or # ipchains -A input -p tcp -d localhost 80 -j REJECT # ipchains -A input -p tcp -d <ip of local network>/lt;bits-in-net> 80 -j REJECT # ipchains -A input -p tcp -d 0.0.0.0/0 80 -j REDIRECT 81 or # iptables -t nat -A PREROUTING -p tcp -d localhost --dport 80 -j REJECT # iptables -t nat -A PREROUTING -p tcp -d/ --dport 80 -j ACCEPT # iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 81
These rules allow port 80 requests direct at the local network to pass (or get rejected). Then any requests to the outside world get redirected to port 81 and hence get handled by the transparent proxy.
My name is John Saunders <john@saunders.id.au.nospam>.