LogJam and Proxy
[Feb. 7th, 2006, 05:52 pm]
I am using LogJam on Gentoo. So basically it is configured with these options:
./configure --prefix=/usr --host=i686-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --with-gtk --without-gtkhtml --with-gtkspell --without-librsvg --with-sqlite3 --without-xmms --build=i686-pc-linux-gnu
When I start LogJam it gives me a window in which I can give my login and password, but there is no place to specify the proxy. I am using a transparent proxy which requires no authentication. These are my environment variables:
$ env | grep http
2006-02-09 03:53 pm (UTC)
By definition, if it's a transparent proxy, you don't need to provide its address/port info.
Correct. To make it a transparent proxy, use iptables to redirect your own traffic bound for ports 80 (HTTP) and 443 (HTTPS) to your local port 3128.
Assuming your proxy software runs as a different uid than you, set a rule like so:
iptables -t nat -A OUTPUT -m owner ! --uid-owner 99 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
Replace "99" with the uid the proxy runs as. Be careful with this - if you don't include the "-m owner ! --uid-owner 99", you will create a loop in iptables for all port-80-bound traffic. This -m owner rule excludes the proxy's traffic but catches everyone else's.
Create a second rule for --dport 443 to catch HTTPS.
Finally, you will need to put these in an /etc/init.d/ script or something that runs as root at boot time, or the changes will be lost on restart.
If you totally bork routing or your firewall, here is your "help, save me!" command:
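The rule set described in the comment above, written out as an added POSIX sh example (not code from the thread, from LogJam, or from any proxy package): it generates one nat/OUTPUT REDIRECT rule per port (80 and 443 by default), always with the owner exclusion, refuses to apply a rule that lacks it, and can be previewed with DRY_RUN=1 before touching the firewall. The proxy uid 99 and port 3128 are the values from the comment and are assumed here as overridable defaults; the reset function is this example's own addition, not the command omitted from the comment.

```shell
#!/bin/sh
# Added example: transparent-proxy redirect for locally generated traffic.
# Assumptions: proxy daemon runs as uid 99 and listens on 127.0.0.1:3128.
PROXY_UID=${PROXY_UID:-99}
PROXY_PORT=${PROXY_PORT:-3128}

# Print one nat/OUTPUT rule sending local TCP traffic for port $1 to port $3.
# "-m owner ! --uid-owner $2" excludes the proxy's own upstream connections;
# without it the proxy's port-80 traffic would be redirected back to itself.
redirect_rule() {
    port=$1; uid=$2; to=$3
    printf 'iptables -t nat -A OUTPUT -m owner ! --uid-owner %s -p tcp -m tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$uid" "$port" "$to"
}

# Guard: only rules that carry the owner exclusion may be applied.
safe_to_apply() {
    case "$1" in
        *"-m owner ! --uid-owner "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply (or, with DRY_RUN set, just print) the rules for the given ports.
# Needs root when actually applying. Returns 1 and stops at the first rule
# that fails the guard, so a loop-creating rule is never installed.
apply_rules() {
    for p in ${1:-80 443}; do
        rule=$(redirect_rule "$p" "$PROXY_UID" "$PROXY_PORT")
        safe_to_apply "$rule" || { echo "refusing to apply: $rule" >&2; return 1; }
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$rule"
        else
            eval "$rule"
        fi
    done
}

# Undo: flush only the nat OUTPUT chain, leaving the filter table alone.
# (This example's own reset step, not the command left out of the comment.)
reset_rules() {
    rule='iptables -t nat -F OUTPUT'
    if [ -n "${DRY_RUN:-}" ]; then echo "$rule"; else eval "$rule"; fi
}
```

Source the file and run `DRY_RUN=1 apply_rules` to see exactly what would be installed, then `apply_rules` as root (and put that call in the boot script the comment mentions). Two caveats a practitioner should keep in mind: the owner match keys on uid, so any other process running as uid 99 also bypasses the proxy; and the port-443 rule only helps if whatever listens on 3128 can accept a raw TLS connection, since a plain HTTP proxy port receiving a TLS ClientHello will simply fail the connection.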
I do use iptables. I used this tutorial to set it up: http://www.tldp.org/HOWTO/TransparentProxy.html
But when I do netstat | grep 3128 I see my original proxy as well as localhost. Until now I have been able to use my local proxy only for those applications that use http_proxy variable.
2006-02-09 04:35 pm (UTC)
Hm, should probably use those env vars where appropriate...
2006-02-09 10:36 pm (UTC)
I think one of our networking backends already does.
2006-02-09 11:47 pm (UTC)
Feh on multiple networking backends! I should remove 'em all! ;)
It would be so much nicer to just require GNOME sometimes...